On Dec 6, 2009, at 12:03 AM, Todd Eddy wrote:

>> All traffic to any service not offered publicly somewhere on my network is
>> dropped without further comment at the border router.
>
> Dropping packets that come in on unknown ports (called Stealthing) is
> actually against the official RFC. But it's done for security.
I wondered about that when I first started learning how to use packet filters and ACLs and stuff. But iptables (ipchains back then) and my Cisco toys all do it, so I figured I must be misunderstanding something.

Nor do I see much of a point to it (beyond possibly confusing nmap's OS detection). If the connect was just a mistake, it'd be much more polite to let the other end know right away that there's nothing on the port. And if it's a port scan, they most likely aren't going to be confused at all by responses on some ports and pretending not to be home on others.

The iptables filters can be told to reply with ICMP, but AFAIK there's no way to get the router or the PIX to do anything but ignore the packet.

Do you know the reasoning behind this?

(Ask, I know this thread is way OT, but I'm learning a lot. Feel free to request thread death at any time...)

--
Glenn English
[email protected]

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
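What a scanner actually infers from each kind of reply, and hence why dropping does not hide the filter, as an added example written for this page rather than code from the thread. It uses nmap's open/closed/filtered vocabulary; the Response type, the sample replies and the port numbers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# ICMP type 3 codes a SYN scanner reports as "filtered": net/host/port unreachable
# (1, 2, 3) and the administratively-prohibited variants (9, 10, 13).
FILTERED_UNREACH_CODES = {1, 2, 3, 9, 10, 13}

@dataclass
class Response:
    """One reply (or silence) to a single TCP SYN probe. Constructed shape, not nmap's."""
    kind: str                        # "tcp", "icmp" or "none"
    tcp_flags: str = ""              # "SA" for SYN/ACK, "R"/"RA" for a reset
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def classify(resp: Response) -> str:
    """Map a probe's reply to the open/closed/filtered state a scanner would report."""
    if resp.kind == "tcp":
        if "S" in resp.tcp_flags and "A" in resp.tcp_flags:
            return "open"            # a listener completed its half of the handshake
        if "R" in resp.tcp_flags:
            return "closed"          # RFC 793 reply for a port with no listener
        return "unknown"
    if resp.kind == "icmp" and resp.icmp_type == 3 and resp.icmp_code in FILTERED_UNREACH_CODES:
        return "filtered"            # a device in the path answered instead of the host
    if resp.kind == "none":
        return "filtered"            # silence: DROP policy (or packet loss)
    return "unknown"

def scan_states(replies: Dict[int, Response]) -> Dict[int, str]:
    return {port: classify(r) for port, r in replies.items()}

def filter_detected(states: Dict[int, str]) -> bool:
    """An unfiltered RFC 793 host answers every closed port with RST, so any
    'filtered' result reveals that a packet filter sits in the path."""
    return "filtered" in states.values()

# Constructed replies for ports 22 (listener present) and 25/80 (no listener)
# under three border policies: plain DROP, iptables -j REJECT with its default
# icmp-port-unreachable, and -j REJECT --reject-with tcp-reset.
DROP = {22: Response("tcp", "SA"), 25: Response("none"), 80: Response("none")}
REJECT_ICMP = {22: Response("tcp", "SA"),
               25: Response("icmp", icmp_type=3, icmp_code=3),
               80: Response("icmp", icmp_type=3, icmp_code=3)}
REJECT_RST = {22: Response("tcp", "SA"),
              25: Response("tcp", "RA"),
              80: Response("tcp", "RA")}
```

Only the tcp-reset variant makes 25 and 80 come back "closed", indistinguishable from a host with no filter at all; DROP and the ICMP default both come back "filtered" and so announce the filter.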
