Network Protection Yet...

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Network Protection Yet...

Postby Ego^pFe » Wed Mar 06, 2002 1:01 pm

I'm already wondering why BRad has blasted networking stealth protections in tha patch...
Btw... I've seen the Stealth iptables Match.
I've seen the iptables commands in the news section...
I've a question yet:
how to not reply to UDP with ICMP Unreachables??
Just put:
iptables -A OUTPUT -p icmp --icmp-type port-unreachable -j DROP ?

do you think is a pretty-cool thing ?

Thank.
Ego^pFe
 
Posts: 7
Joined: Wed Mar 06, 2002 12:58 pm

re:

Postby spender » Wed Mar 06, 2002 3:07 pm

with the second rule i have on the news page:

iptables -A INPUT -p udp -m stealth -j DROP

it will drop packets coming to unserved udp ports, so the system won't have to process it and subsequently won't send anything back.
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby hytron » Tue May 21, 2002 3:10 pm

Hi guys,

Can I use stealth match if my firewall is running on a separate machine? Would that match just for local needs? or it "scans" the whole local network and knows which ports are served and which are not?
Example is...I have a local network that have 192.168.2.x addresses with 4 machines running linux. Some of those linux machines have internal and external IP. So let's say I use stealth match on my router. Someone sends a packet to one of my local hosts with valid internet address a.b.c.d. on port 9988/TCP Does the router know (with stealth module) that that particular port on that host a.b.c.d is not served, and drops the connection and does not forward it or this is only implemented for localhost destination ports?
hytron
 
Posts: 7
Joined: Mon May 20, 2002 2:20 pm

Postby spender » Wed May 22, 2002 10:16 am

the easy rule is if the firewall on your machine does not affect just your machine (ie. you have NAT set up) The stealth module should be placed after any rules that would apply to other machines on your network. You want to be sure that it's operating only on packets that would arrive at your machine.
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support