Network Protection Yet...

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Network Protection Yet...

Postby Ego^pFe » Wed Mar 06, 2002 1:01 pm

I'm already wondering why Brad has blasted networking stealth protections in the patch...
Btw... I've seen the Stealth iptables match.
I've seen the iptables commands in the news section...
I still have a question:
how do I not reply to UDP with ICMP unreachables?
Just put:
iptables -A OUTPUT -p icmp --icmp-type port-unreachable -j DROP ?

Do you think it is a pretty cool thing?

Thanks.
Ego^pFe
 
Posts: 7
Joined: Wed Mar 06, 2002 12:58 pm

re:

Postby spender » Wed Mar 06, 2002 3:07 pm

With the second rule I have on the news page:

iptables -A INPUT -p udp -m stealth -j DROP

it will drop packets coming to unserved UDP ports, so the system won't have to process them and subsequently won't send anything back.
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby hytron » Tue May 21, 2002 3:10 pm

Hi guys,

Can I use the stealth match if my firewall is running on a separate machine? Does that match just for local needs, or does it "scan" the whole local network and know which ports are served and which are not?
Example: I have a local network with 192.168.2.x addresses and 4 machines running Linux. Some of those Linux machines have an internal and an external IP. So let's say I use the stealth match on my router. Someone sends a packet to one of my local hosts with valid Internet address a.b.c.d on port 9988/TCP. Does the router know (with the stealth module) that that particular port on host a.b.c.d is not served, and drop the connection and not forward it, or is this only implemented for localhost destination ports?
hytron
 
Posts: 7
Joined: Mon May 20, 2002 2:20 pm

Postby spender » Wed May 22, 2002 10:16 am

The easy rule is: if the firewall on your machine does not affect just your machine (i.e. you have NAT set up), the stealth module should be placed after any rules that would apply to other machines on your network. You want to be sure that it's operating only on packets that would arrive at your machine.
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
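An added example (not from this thread or from grsecurity) of the rule ordering spender describes: rules for traffic that is forwarded or NATed to other hosts come first, and the stealth match goes last in INPUT so it only ever sees packets addressed to the firewall box itself. Interface names, the 192.168.2.0/24 LAN host that serves 9988/TCP, and the TCP stealth rule (the thread only quotes the UDP one) are assumptions; the script prints the commands by default and only applies them when IPTABLES=iptables is set.

```shell
#!/bin/sh
# Added example, not grsecurity's own script. Emits (or applies) an iptables
# ruleset in the order spender recommends in the thread above.
IPTABLES="${IPTABLES:-echo iptables}"     # dry run unless overridden
WAN_IF="${WAN_IF:-eth0}"                  # assumed interface names
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"      # hytron's example network
DMZ_HOST="${DMZ_HOST:-192.168.2.10}"      # constructed: LAN host serving 9988/tcp

stealth_ruleset() {
    # 1. Traffic for OTHER machines: public port 9988/tcp is DNATed to the LAN
    #    host and allowed through FORWARD. Such packets never traverse INPUT,
    #    so the stealth match placed there cannot interfere with them.
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 9988 -j DNAT --to-destination "$DMZ_HOST"
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$DMZ_HOST" -p tcp --dport 9988 -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # 2. Services the firewall box itself offers (assumed: ssh).
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
    # 3. LAST: the grsecurity stealth match. Packets to unserved local ports are
    #    dropped before the stack processes them, so nothing (no ICMP port
    #    unreachable for UDP) is sent back, which is what Ego^pFe asked about.
    $IPTABLES -A INPUT -p tcp -m stealth -j DROP
    $IPTABLES -A INPUT -p udp -m stealth -j DROP
}

# Sanity check on the emitted ruleset: no INPUT rule may follow the first
# stealth rule. Returns 0 when the ordering is as spender describes.
check_stealth_last() {
    stealth_ruleset | awk '
        BEGIN { bad = 0; seen_stealth = 0 }
        /-A INPUT/ && /-m stealth/ { seen_stealth = 1; next }
        /-A INPUT/ && seen_stealth  { bad = 1 }
        END { exit bad }'
}
```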
