Once you tell an attacker what protocol and port you don't want to
talk on they know where to focus their attacks. It might be
considered good netiquette but it's bad security to let the other
guy know anything beyond what you have to. Yes you might have
legitimate traffic hanging but if the traffic is legitimate why would
you need to drop or reset?
Just my 3.33 cents worth.
Daniel
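The drop-versus-reject behaviour argued over in the quoted messages below, seen from the connecting client's side. This is an added example, not code from anyone in this thread. It assumes a Linux or BSD socket stack; a closed loopback port stands in for a REJECT rule (the kernel answers the SYN with an RST), and the constructed, unroutable address 192.0.2.1 (RFC 5737 TEST-NET-1) stands in for a DROP rule. What that address actually returns depends on the local routing table, so the probe classifies whichever answer arrives instead of assuming one.

```python
import errno
import socket
import time


def probe(host, port, timeout=2.0):
    """Attempt one TCP connect and classify how the far end, or a firewall
    in between, answered. Returns (outcome, elapsed_seconds).

    outcome is one of:
      "open"        - handshake completed (SYN/ACK came back)
      "refused"     - RST came back: what a closed port, or a REJECT rule
                      that sends a TCP reset, produces; the client gives
                      up at once and keeps no half-open state
      "unreachable" - ICMP destination-unreachable or no route: what a
                      REJECT rule that sends an ICMP error produces; also
                      immediate
      "dropped"     - nothing came back before the timeout: what DROP/DENY
                      produces; the client sits in SYN-SENT retransmitting
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open", time.monotonic() - start
    except socket.timeout:
        return "dropped", time.monotonic() - start
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable", time.monotonic() - start
        raise
    finally:
        s.close()


def find_closed_port():
    """Bind an ephemeral loopback port and release it, so the port is closed
    when probed. Constructed for the demo; the small race is acceptable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def open_listener():
    """Listen on an ephemeral loopback port; the caller closes the socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # REJECT-like: a closed loopback port answers the SYN with an RST.
    print("closed loopback port:", probe("127.0.0.1", find_closed_port()))
    srv, port = open_listener()
    print("listening loopback port:", probe("127.0.0.1", port))
    srv.close()
    # DROP-like: 192.0.2.1 is a constructed, unroutable address. On a host
    # with a default route the SYN leaves and nothing returns, so the result
    # is "dropped" only after the full timeout; with no route at all the
    # stack reports "unreachable" immediately instead.
    print("unroutable address, port 113:", probe("192.0.2.1", 113, timeout=3.0))
```

Run it as a script to see the three cases side by side; the elapsed time is the point of the thread: "refused" and "unreachable" return in milliseconds, "dropped" only when the client's own timer expires, which on a real stack is the SYN retransmit schedule rather than the 3 seconds used here.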
>If I understand the ack-syn-rst.... build and tear-down of a connection
>correctly, just dropping the packets leaves the other end waiting,
>wondering why yer not acknowledging their request. This leaves them with
>a half open connection in their connection tables. Sending an rst tells
>them yer just not interested in talking to them on that port/protocol and
>they close down their end of it. It's considered good net-etiquette to
>rst the other side when possible...
>
>Thanks,
>
>Ron DuFresne
>
>
>On Mon, 13 Mar 2000, Yi Liu wrote:
>
>> Any disadvantages for using service reset inbound vs. standard behavior of
>> silently dropping connections?
>>
>> YL
>>
>> > -----Original Message-----
>> > From: Lisa Napier [mailto:[EMAIL PROTECTED]]
>> > Sent: Monday, March 13, 2000 11:36 AM
>> > To: Ron DuFresne; [EMAIL PROTECTED]
>> > Cc: Pere Camps; [EMAIL PROTECTED]
>> > Subject: Re: Port 113
>> >
>> >
>> > Groan... Apologies to all. I can only say it was a
>> > pre-coffee url copy.
>> >
>> > Here's the real one:
>> >
>> > http://www.cisco.com/warp/public/110/2.html
>> >
>> > Many thanks for pointing out my error.
>> >
>> > Lisa Napier
>> > Product Security Incident Response Team
>> > Cisco Systems
>> > http://www.cisco.com/warp/public/707/sec_incident_response.shtml
>> >
>> > PGP: A671 782D 2926 B489 F81A 3D5E B72F E407 B72C AF1F
>> > ID: 0xB72CAF1F, DH/DSS 2048/1024
>> >
>> > At 01:27 PM 03/13/2000 -0600, Ron DuFresne wrote:
>> >
>> > >Lisa,
>> > >
>> > >Yer URL, here, returns a "cannot connect to remote host" message.
>> > >
>> > >Thanks,
>> > >
>> > >Ron DuFresne
>> > >
>> > >
>> > >On Mon, 13 Mar 2000, Lisa Napier wrote:
>> > >
>> > > > Hi all,
>> > > >
>> > > > http://cco/warp/customer/110/2.html
>> > > >
>> > > > This URL has the answers to the question.
>> > > >
>> > > > Thanks much,
>> > > >
>> > > > Lisa Napier
>> > > > Product Security Incident Response Team
>> > > > Cisco Systems
>> > > > http://www.cisco.com/warp/public/707/sec_incident_response.shtml
>> > > >
>> > > > PGP: A671 782D 2926 B489 F81A 3D5E B72F E407 B72C AF1F
>> > > > ID: 0xB72CAF1F, DH/DSS 2048/1024
>> > > >
>> > > > At 12:27 PM 03/11/2000 +0100, Pere Camps wrote:
>> > > > >Hello,
>> > > > >
>> > > > > > request and tries again before giving up. There was also mention of a way
>> > > > > > to have the f/w do something other than silently drop the packet to allow
>> > > > > > the server to give up more quickly.
>> > > > >
>> > > > > Don't know how to set it up in pix, but what you have to do is to
>> > > > >REJECT the packets instead of DENYING them. DENY simply drops them and
>> > > > >REJECT drops them AND sends the client an ICMP destination-unreachable
>> > > > >packet.
>> > > > >
>> > > > > HTH.
>> > > > >
>> > > > >-- p.
>> > > > >
>> > > > >-
>> > > > >[To unsubscribe, send mail to [EMAIL PROTECTED] with
>> > > > >"unsubscribe firewalls" in the body of the message.]
>> > > >
>> > > >
>> > >
>> > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> > >"Cutting the space budget really restores my faith in humanity. It
>> > >eliminates dreams, goals, and ideals and lets us get straight to the
>> > >business of hate, debauchery, and self-annihilation." -- Johnny Hart
>> > > ***testing, only testing, and damn good at it too!***
>> > >
>> > >OK, so you're a Ph.D. Just don't touch anything.
>> >
>> >
>>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>"Cutting the space budget really restores my faith in humanity. It
>eliminates dreams, goals, and ideals and lets us get straight to the
>business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
>OK, so you're a Ph.D. Just don't touch anything.
>