adaptive stealth in ipfw?

Louis LeBlanc freebsd at keyslapper.org
Sun Nov 30 13:00:24 PST 2003 

On 11/30/03 04:49 PM, Roman Neuhauser sat at the `puter and typed:
> > <SNIP>
> > Still, if anyone *does* know the facts, I'd like to know what the
> > case really is with the IDENT port and adaptive stealth.
> 
>     don't get carried away by the nonsense at grc.com. the
>     marketroid-speak term "adaptive stealth" can be normally
>     described as stateful filtering (and dropping the packets
>     instead of rejecting them), and it means that (in case of TCP),
>     the target machine throws away packets that:
> 
>     * don't have the SYN bit set (and the ACK bit unset)
>     * are not part of an established "conversation"

I think that clears things up a little.

>     you can completely "stealth" a machine if it runs no publically
>     available servers. the problem with ident is similar to FTP: the
>     first connection goes from you out, the other party then tries
>     to connect to you (as far as the stack is concerned, this is a
>     completely unrelated connection).
> 
>     but, the question is: what is your problem? why do you need to
>     have identd(8) running? will anything you need break without it?
>     if not, the correct solution to your problem is IMO to *reject*
>     connection attempts to your port 113.

I don't need identd.  I'm actually doing a simple reject on port 113
already, but I figured that if I could keep the system as 'invisible'
as possible, that would be best.  I AM running various services, but
only for my own personal/family use.  And I am the only one that
should be accessing all of these services from outside the firewall.

I had wondered if there was enough benefit to this process to make it
worth the overhead.

I'm beginning to think it isn't.

I've not been a security overreactor for some time, and I didn't
intend this to be a return to that mindset, so I'm just going to drop
this and leave the default reject on port 113.  The other ports I had
rejected are now simply being dropped.  Other than that, I check my
security mailings every day, and have had no problems for a very long
time.

Thanks for the feedback everyone.

Lou
-- 
Louis LeBlanc               leblanc at keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org                     Ô¿Ô¬

"If value corrupts then absolute value corrupts absolutely."

More information about the freebsd-questions mailing list