also sprach David Bishop <[EMAIL PROTECTED]> [2002.01.10.1634 +0100]:
> I'm running a server that's hot to the net, and running some insecure
> services (by necessity), like nfs. Of course, I used iptables to
> block all those ports, using nmap and netstat to double check all my
> open ports. However, what nmap reports back is "filtered" for those
> ports. I would prefer if I could somehow make it so that they are
> "closed" to the outside world, so that random j. hacker doesn't know
> that I'm running that service at all. Is there some way to do that,
> or do I just live with "filtered"?
you can configure iptables to return ICMP type 3 "port unreachable"
packets, just like the OS would, using the REJECT target. that's what
you want to do to get your desired effect.

however, DENYing has the advantage of *severely* slowing any portscan,
and because obscurity is not a security measure[1] and REJECT is not
any safer than DENY, you are really not gaining anything...

[1] because i actually believe that one should be able to post the
entire LAN topology as well as server config and firewall config to
the net, and *still* be secure.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" [EMAIL PROTECTED]

there's someone in my head but it's not me.
                      -- pink floyd, the dark side of the moon, 1972
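The two options discussed in the reply, silently dropping versus actively rejecting, as an added example that is not part of the original thread. It is written as a small POSIX shell rule generator so the rules can be printed and reviewed before being piped to a root shell. Two things the example assumes that the thread does not state: the public interface name (eth0) and the NFS-related listeners (portmapper on 111 and nfsd on 2049, both tcp and udp). Two caveats worth knowing: iptables calls the "DENY" target DROP, and for TCP ports the answer a closed port gives is a RST, not an ICMP port-unreachable; nmap reports a TCP port that answers with ICMP unreachable as "filtered", so the REJECT rules below use `--reject-with tcp-reset` for tcp and `icmp-port-unreachable` only for udp.

```shell
#!/bin/sh
# Added example (not from the original thread): rule generators for the
# two ways of hiding a firewalled service from a port scan.
#
# Assumptions not stated in the thread: the public interface is eth0 and
# the NFS-related listeners are portmapper (111) and nfsd (2049).
# Override with WAN_IF=... NFS_PORTS=... IPT=... in the environment.
WAN_IF=${WAN_IF:-eth0}
NFS_PORTS=${NFS_PORTS:-"111 2049"}
IPT=${IPT:-iptables}

# rule_for_port PROTO PORT MODE
#   MODE drop   -> packet silently discarded; a scanner sees "filtered"
#                  and has to wait for its own timeout on every probe
#   MODE reject -> answered the way a closed port is answered, so a
#                  scanner sees "closed": TCP RST for tcp, ICMP type 3
#                  code 3 (port unreachable) for udp
rule_for_port() {
    proto=$1; port=$2; mode=$3
    base="$IPT -A INPUT -i $WAN_IF -p $proto --dport $port"
    case "$mode" in
        drop)
            echo "$base -j DROP" ;;
        reject)
            if [ "$proto" = tcp ]; then
                echo "$base -j REJECT --reject-with tcp-reset"
            else
                echo "$base -j REJECT --reject-with icmp-port-unreachable"
            fi ;;
        *)
            echo "rule_for_port: unknown mode '$mode'" >&2
            return 1 ;;
    esac
}

# rules_for_mode MODE: one tcp and one udp rule per NFS-related port
rules_for_mode() {
    for p in $NFS_PORTS; do
        rule_for_port tcp "$p" "$1"
        rule_for_port udp "$p" "$1"
    done
}

# Usage: sh hide-nfs.sh reject        (print the rules for review)
#        sh hide-nfs.sh reject | sh   (apply them, as root)
case "${1:-}" in
    drop|reject) rules_for_mode "$1" ;;
esac
```

Whichever mode is chosen, the rules only change what an outside probe is told; the service is still listening, so the real protection is still the filter itself plus keeping the exported service patched and restricted to the hosts that need it.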