[998] in linux-net channel archive


Re: Rejecting tcp connections before accept()

daemon@ATHENA.MIT.EDU (Avery Pennarun)
Sat Aug 26 11:48:09 1995

Date: Thu, 24 Aug 1995 19:46:49 -0400 (EDT)
From: Avery Pennarun <apenwarr@foxnet.net>
To: Nick Simicich <njs@scifi.maid.com>
cc: "Stephen R. van den Berg" <srb@cuci.nl>, linux-net@vger.rutgers.edu
In-Reply-To: <Pine.3.89.9508230852.C11588-0100000@scifi.maid.com>


On Wed, 23 Aug 1995, Nick Simicich wrote:

> The point here is that we want to allow people who we want to accept 
> connections from to see that we are listening on a port, while not 
> giving any indication to people we don't want to connect to that we are 
> listening at all.

Everyone seems to be ignoring the IP Firewalling code here, even though it
allows exactly what is being described (only easier, from a setup point of
view - i.e. no source code hacking) and is standard in both 1.2.x and 1.3.x
kernels.  Maybe the name "firewalling" is too strong and no one thinks it
applies, but really, it's very handy!

You can have Linux automatically reject (or completely ignore) connection
requests from a certain site/port combination to any set of ports on the
Linux machine, as well as allowing/denying pings on a site-by-site basis. 
If the Linux machine is acting as a router, it can also be set to refuse to
forward these packets to other sites (or not :)).

And IP firewalling is applied to ALL tcp/ip services, regardless of whether
they are run from inetd.  As far as I can tell, this is exactly what
everyone is asking for.

Naturally, TCP wrappers are still useful to avoid various other attacks
(which, of course, I'm not qualified to describe but which various people
should have no trouble listing :)).  However, the proposed rewrites of inetd
and friends are probably unnecessary.

Am I missing something big?

Avery
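
The policy Avery describes, modelled as an added example (not code from the thread or from the kernel's firewalling code): an ordered rule list matched per chain (input for local services, forward for the router case) that either accepts, rejects with a reply, or silently ignores a packet, so that only chosen sites can tell a port is listening. First-match-wins ordering and the 192.0.2.0/24, 203.0.113.0/24 and 198.51.100.7 addresses are constructed assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Dispositions from the thread: REJECT answers the client (it learns the port is
# filtered), DENY discards silently (no indication at all), ACCEPT lets it through.
ACCEPT, REJECT, DENY = "accept", "reject", "deny"

@dataclass(frozen=True)
class Rule:
    chain: str                       # "input" (local services) or "forward" (router)
    src: ipaddress.IPv4Network       # source site(s)
    src_ports: Optional[frozenset]   # None = any source port
    dst_ports: Optional[frozenset]   # None = any destination port
    action: str

@dataclass(frozen=True)
class Packet:
    chain: str
    src_ip: str
    src_port: int
    dst_port: int

def evaluate(rules, pkt, default=ACCEPT):
    """First matching rule wins (assumed ordering); unmatched packets get the default."""
    ip = ipaddress.IPv4Address(pkt.src_ip)
    for r in rules:
        if r.chain != pkt.chain or ip not in r.src:
            continue
        if r.src_ports is not None and pkt.src_port not in r.src_ports:
            continue
        if r.dst_ports is not None and pkt.dst_port not in r.dst_ports:
            continue
        return r.action
    return default

def client_observes(action):
    """What the connecting host sees; only DENY hides whether a listener exists."""
    return {ACCEPT: "SYN/ACK (connected)",
            REJECT: "RST / ICMP unreachable (refused)",
            DENY: "no reply (times out)"}[action]

# Constructed policy: one trusted site may see ports 22 and 25, everyone else is
# ignored on those ports, and one hostile site is refused at the router's forward chain.
POLICY = [
    Rule("input", ipaddress.ip_network("192.0.2.0/24"), None, frozenset({22, 25}), ACCEPT),
    Rule("input", ipaddress.ip_network("0.0.0.0/0"), None, frozenset({22, 25}), DENY),
    Rule("forward", ipaddress.ip_network("198.51.100.7/32"), None, None, REJECT),
]
```

Ports outside the filtered set fall through to the default, which is why the rule order and the catch-all 0.0.0.0/0 entry matter.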
