[Shorewall-users] Question on REJECT

Tom Eastep teastep@shorewall.net
Thu, 11 Apr 2002 18:55:36 -0700 (Pacific Daylight Time)


On Thu, 11 Apr 2002, Brian Fallik wrote:

>
> To all,
>
> Sorry for this question if it's already answered in the list archives but
> they seem to be down right now.
>

How are you trying to access them? -- the archives are on the same system
as the mailing list smtp server and appear to be up on this end.

> Is it possible to configure shorewall to reject packets so that portscans
> will not work?
>
> Something like:
> http://groups.google.com/groups?hl=en&safe=off&selm=fa.hbgphmv.sma38m%40ifi.
> uio.no
>
> Even though packets are dropped, I'd like to disable any potential views
> into my firewall/gateway since it is running services for my internal LAN.
>

The poster in the above email is full of something that doesn't smell very
good. Rejecting with RST in fact tells the scanner that there IS a system
there; dropping the SYN packets on the floor (Shorewall's default
behavior) does NOT reveal the presence of your system.

If you prefer to take the word of the other fellow however, simply set the
net->all policy to REJECT in /etc/shorewall/policy and Shorewall will
merrily respond to SYN with RST.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net