Miark wrote: > On Thu, 22 Nov 2007 00:47:08 -0800, John wrote: > >> Miark wrote: >>> I have the firewall turned on my CentOS 5 box, but GRC is >>> reporting that 631 is closed instead of stealthed. If the >>> firewall isn't configured to allow that, then why might that >>> be happening? >>> >> >> that GRC port scanner is not something I'd rely on. use a >> shell account somewhere, and nmap to portscan yourself. > > I did that, too. 631 is actively rejecting instead of dropping. > >> anyways, WTF 'stealth' ? ports are SUPPOSED to return >> "NAK" ... IMHO, 'stealth' is complete and total BS, dropping >> request packets does nothing useful. > > You don't think it helps to push scanning goons on to some other > server? If I attack your machine, whether a port discards packets or send me an RST is more or less irrelavant: this is a port I won't use, I'll go try the next one. A honeypot is more efficient (against the attack). you can also use "recent" to block list scanners. > Or to prevent any sort of attack? well, it's a kind of security by obscurity, so there are tradeoffs. you possibly make it hard for miscreants (for script kiddies really, not for "professionnal miscreants"), but you certainly make it hard for honest people. connection troubleshooting becomes hard or even impossible. While I am in, some people block all icmp traffic. I personally consider such hosts as diconnected and their IPs as hijacked (subject to block listing). > It seems logical to me > that dropping is less work for the box than doing anything > else. (?) If you return an RST, the client stops. if you drop, the client will retransmit. so you get more traffic (you send less, but you receive more). The difference is however ridiculous.