Subject: Re: Preventative security features?
To: None <tech-security@netbsd.org>
From: Simon Hitzemann <simon@hitzemann.org>
List: tech-security
Date: 11/15/2004 11:54:10

Hi,
I followed this discussion a bit and would like to mention something
about it.

On Mon, Nov 15, 2004 at 09:00:40PM +1100, Dmitri Nikulin wrote:
> I didn't say anything about making it more secure, but it gives
> anonymity where ports can be open or closed, and when closed they are as
> if nonexistent.

Most people unfortunately think that no answer means that there is
nothing here. That's wrong. If there is no answer to a SYN request or
UDP packet, it means there is some packet filter dropping packets. If
that port were nonexistent, as in there is no machine, then the router
before that machine would have to answer.

I see no advantage in dropping RST packets or ICMP port unreachable
messages, as they only slow down port scans. They are not stopping them.
In the end this behaviour might even disturb other users, because ident
requests get dropped instead of being rejected, etc.

So if you want a blackhole, just use "block in all on $ext_if" in your
ipf.conf instead of adding new "features".

Other ideas like randomizing things are OK but not really urgent.
I am also a bit indifferent about TTY snooping; privacy vs. security is
always a hard decision if you want to keep your users productive.

Maybe it would be more interesting to implement ACLs for UFS2 as those
would have a larger impact on security in my opinion.

Best regards,
Simon
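
An ipf.conf fragment, added here as an illustration and not part of the message above, showing the "blackhole" default the message recommends next to an explicit reject for ident, so that remote servers probing TCP 113 get an RST instead of hanging on a dropped packet (fxp0 as the external interface is an assumed placeholder):

```conf
# Assumed external interface: fxp0 (placeholder, adjust to your system).
# ipf evaluates rules last-match-wins unless "quick" is given, so each
# rule below is marked quick to make the intent explicit.

# ident (TCP 113): reject with a TCP RST rather than silently dropping.
# A silent drop makes mail and IRC servers that do ident lookups wait
# for a timeout before serving the user; an RST answers immediately.
block return-rst in quick on fxp0 proto tcp from any to any port = 113 flags S

# Everything else inbound on the external interface: silent drop.
# This is the "block in all on $ext_if" blackhole from the message;
# no RST and no ICMP port unreachable are sent back.
block in quick on fxp0 all

# Allow outbound traffic and keep state so replies to our own
# connections are let back in despite the blanket block above.
pass out quick on fxp0 all keep state
```

Load with `ipf -Fa -f /etc/ipf.conf` and verify the rule set with `ipfstat -io`; a scanner will still see "filtered" for the dropped ports, which is exactly the point the message makes about drops not hiding a host.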
