On Tue, May 28, 2002 at 10:38:45PM +0200, Maciej Soltysiak wrote:
> > On Tue, May 28, 2002 at 10:21:40PM +0200, Maciej Soltysiak wrote:
> >
> > > in my opinion, the only 100% sure place to put DROP is on a router, that
> > > is only a router and does not have any ports open.
> >
> > Why is that?
> it makes the router invisible, if you serve ports you have to reveal
> something, nmap will say filtered then if it successfully does its ping
> probes.

OK, so drop the ping probes as well ;-)

Nope, you didn't convince me. If a router has no services on it then
DROP/REJECT or even ACCEPT doesn't make any difference. There is nothing
to protect...

If your firewall is running services then:

-) If you drop, then nmap says "filtered". Big deal.
-) If you reject, then nmap says "closed". Again, big deal.

I guess what I'm saying is if nmap says "Aah, I got a filtered port here"
as opposed to "Ooh, I got a closed port here" there is not much difference
except that the latter would cost you some bandwidth...and besides, as
I've always said, let them time out...and of course, your reject is an
excellent source of fingerprint...

Ramin
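As an added example (not code from this thread or from the netfilter project), a small Python model of what a connecting client and an nmap SYN scan observe behind each iptables target; the retransmission timings and packet sizes are assumptions, and the nmap state mapping follows its documented SYN-scan rules (no reply: filtered, RST: closed, ICMP unreachable: filtered):

```python
"""Model of a TCP connect() against a port handled by DROP or REJECT.
Assumptions: Linux-like client with initial SYN timeout 1 s, doubling per
retry, net.ipv4.tcp_syn_retries = 6; packet sizes are rough wire estimates."""
from dataclasses import dataclass
from typing import Optional

INITIAL_RTO = 1.0   # seconds before the first SYN retransmission (assumed)
SYN_RETRIES = 6     # assumed Linux default net.ipv4.tcp_syn_retries
SYN_BYTES = 74      # assumed wire size of a SYN with options
REPLY_BYTES = {"RST": 54, "ICMP": 70, None: 0}  # assumed wire sizes


@dataclass
class Outcome:
    nmap_state: str          # what nmap -sS reports for the port
    reply: Optional[str]     # what the target sends back, if anything
    client_packets: int      # SYNs the client puts on the wire
    seconds_to_fail: float   # how long until connect() gives up

    def wire_bytes(self) -> int:
        """Total bytes exchanged for one failed connection attempt."""
        return self.client_packets * SYN_BYTES + REPLY_BYTES[self.reply]


def connect_attempt(target: str) -> Outcome:
    """Simulate one connect() against a port whose rule uses the given target."""
    if target == "DROP":
        # Nothing comes back: the client retransmits until its retry budget is spent.
        wait = sum(INITIAL_RTO * 2 ** i for i in range(SYN_RETRIES + 1))
        return Outcome("filtered", None, SYN_RETRIES + 1, wait)
    if target == "REJECT --reject-with tcp-reset":
        # A RST answers the first SYN: connect() fails at once, nmap sees "closed".
        return Outcome("closed", "RST", 1, 0.0)
    if target == "REJECT":
        # iptables' default reject is ICMP port-unreachable; nmap reports "filtered".
        return Outcome("filtered", "ICMP", 1, 0.0)
    raise ValueError(f"unknown target {target!r}")


if __name__ == "__main__":
    for t in ("DROP", "REJECT --reject-with tcp-reset", "REJECT"):
        o = connect_attempt(t)
        print(f"{t:32} nmap={o.nmap_state:9} SYNs={o.client_packets} "
              f"bytes={o.wire_bytes()} gives up after {o.seconds_to_fail:.0f}s")
```

The DROP case is the "let them time out" cost: seven SYNs and a two-minute wait on the client side for zero bytes from the firewall, while either REJECT answers one packet with one.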
