>> * Chris Smith <[EMAIL PROTECTED]> [2007-04-25 00:42]:
>>> Using OpenBSD as a firewall in several cases - a few small businesses,
>>> and also for home use. Some websites, such as grc.com, stress that
>>> "stealth mode" (which OpenBSD handles with ease) is the safest. But
>>> I've also read that using 'return' instead of 'drop' is good
>>> netizenship. So I'm wondering how others are handling this and what
>>> recommendations you might have.
>>
>> "stealth" mode is totally overrated.
>>
>
> For my clarification, are we talking about "stealth mode" as in dropping
> everything (including pings) from untrusted hosts, or the default
> block-policy (drop vs. return)?
>
> Based on this discussion, I'm trying to decide if I want to change our
> firewall block-policy to 'return' even though we already allow ping and
> 'return' traffic to the firewalls themselves so things like traceroute
> can work.
If the security of your network rests solely on an attacker's inability to "ping" you, see reset packets, or any other such "stealth" nonsense, you are already screwed. Stealth mode will do absolutely nothing to prevent sophisticated attackers from making a mess of your network if there are other weaknesses.

At best, stealth mode might lead to a few fewer port scans and the like by script kiddies. At worst, stealth mode will inconvenience legitimate users, lead to mistakes by the local network staff, or provide a false sense of security.

-J
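For readers weighing the same decision, here is a minimal pf.conf fragment along the lines the thread discusses: a global 'return' block policy with ping still allowed to the firewall. It is added as an illustration and is not from any of the posters; the interface name em0 and the ext_if macro are assumptions.

```pf
# Added example pf.conf (not from the thread). Interface name is an assumption.
ext_if = "em0"

# Answer blocked packets with a TCP RST or ICMP unreachable instead of
# silently discarding them ("stealth"). Legitimate clients fail fast
# rather than waiting for a timeout, and because 'return' also sends
# ICMP port-unreachable for blocked UDP, traceroute sees the end of the
# path instead of a row of asterisks.
set block-policy return

# Default deny in both directions; log blocks so that mistakes by the
# local staff show up in pflog rather than as silent breakage.
block log all

# Let the firewall itself answer ping so reachability checks and
# traceroute to the box keep working.
pass in on $ext_if inet proto icmp icmp-type echoreq keep state

# Stateful outbound traffic; replies come back through the state entry.
pass out on $ext_if inet keep state

# Per-rule override: if you really want a silent drop somewhere, say it
# explicitly on that rule and leave the global policy at 'return'.
# block drop in quick on $ext_if proto tcp to port 1000:2000
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` for the blocks you did not expect.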