On Tue, Dec 18, 2007 at 08:10:47PM -0800, Linux Advocate wrote:
> Andrew, thanx for the headsup. Specifically what is
> wrong with that site? In what way is their scan
> inaccurate? I would like to warn some of my other
> buddies...

Enumerating all of the ways in which it is alarmist marketing noise
would take forever, but here's a few examples:


> Solicited TCP Packets: RECEIVED (FAILED) - As detailed in
> the port report below, one or more of your system's ports actively
> responded to our deliberate attempts to establish a connection. It
> is generally possible to increase your system's security by hiding
> it from the probes of potentially hostile hackers.

Sheer nonsense. The system is rejecting those connections, it is not
magically somehow "more secure" if it doesn't send a RST packet.

> Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our
> Ping (ICMP Echo) requests, making it visible on the Internet. Most
> personal firewalls can be configured to block, drop, and ignore such
> ping requests in order to better hide systems from hackers. This is
> highly recommended since "Ping" is among the oldest and most common
> methods used to locate systems prior to further exploitation.

There are no recorded instances of people using ping to find systems
to exploit. What would be the point? Ping is useful only to people who
are trying to diagnose network faults, and disabling it causes nothing
but harm to their efforts.

> Secure Shell provides a secure-connection version of the Telnet
> remote console service with additional features. Unfortunately, the
> SSH services and their security add-on packages have a long history
> of many widely exploited buffer overflow vulnerabilities.

A long history of a whole two exploits in the past decade or so.


What you have to realise is that grc.com is trying to sell you stuff
(used to be zonealarm, I haven't bothered to check what it is these
days). It's all about trying to convince you that a problem exists, so
that you'll pay for one of their 'solutions'.

Even if you do manage to 'pass' their tests, that doesn't really mean
anything because all they test are the low-valued TCP ports. There's
plenty of stuff in common use that doesn't work that way, like
bittorrent or DNS. If you want to test your firewall properly, you're
going to have to use something else anyway.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
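Added example (not part of the thread above, and not grc.com's or Shorewall's code): a small probe that reports what a scanner actually observes for a port. It makes the two points of the message concrete. A "closed" port answers with RST, a "filtered" port stays silent; both are equally not-open, and the only thing the scanner learns from silence is that it learned nothing. The UDP probe shows why a test limited to low TCP ports says little about a real firewall: with no handshake, silence on UDP cannot even be told apart from an open service without a protocol-specific payload. Function names, the loopback scenario and the classification labels are my own choices; the scenario is constructed on 127.0.0.1 so it runs offline.

```python
import errno
import socket


def classify_tcp_port(host, port, timeout=1.0):
    """Probe one TCP port the way a connect() scanner would and report what
    came back.

    'open'        the three-way handshake completed (a service is listening)
    'closed'      the host answered with RST (nothing listening)
    'filtered'    nothing came back before the timeout (dropped by a firewall;
                  what grc.com calls 'stealth')
    'unreachable' the local stack could not route to the host at all
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:          # RST received
        return "closed"
    except socket.timeout:                  # SYN went unanswered
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def classify_udp_port(host, port, timeout=1.0, payload=b"\x00"):
    """UDP has no handshake. The only negative evidence is an ICMP port
    unreachable, which the kernel surfaces on a connected UDP socket as
    ConnectionRefusedError. Silence means open OR dropped; telling those
    apart needs a payload the real service would answer (e.g. a DNS query).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        s.recv(512)
        return "open"
    except ConnectionRefusedError:          # ICMP port unreachable came back
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def _free_loopback_port():
    """Ask the kernel for an unused port on 127.0.0.1, then release it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Constructed scenario (assumption: nothing else is bound to the ports we
    pick): one listening TCP port on loopback, one port nobody is bound to,
    and the same unbound port probed over UDP."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    closed_port = _free_loopback_port()
    try:
        return {
            "tcp_open": classify_tcp_port("127.0.0.1", open_port),
            "tcp_closed": classify_tcp_port("127.0.0.1", closed_port),
            "udp_closed": classify_udp_port("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run it against a host behind the firewall you actually want to test, not against loopback, and note that a "filtered" verdict is also what you get from packet loss or a short timeout; it is an absence of evidence, which is why treating it as a security property is the mistake the message describes.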