
Re: Dropping stealthing from opsec; Anyone for a little I>R<TF work?

 "ds" == Donald Smith <Smith> writes:

ds> In my opinion, a firewall shouldn't decrement the ttl, be directly
ds> addressable from the internet or send icmp messages. Those all
ds> provide means to map the firewall and systems it is protecting.

What if it's NATing?  Or routing?

There are all sorts of problems using firewalls as L2 devices.
OpenBSD does it well, but you still have ARP issues, you're turning a
flat ethernet into something that still looks flat, but is not.

Heck, what if your interfaces are not all the same media type?

These are all configuration decisions that should be left up to the
people at the site.  It's really nice to get an admin prohib back and
know where your packets are being denied.  It helps you as well as
your attackers.

My home firewall is an almost completely black hole.  My work
firewalls are a lot friendlier to their users and to the Internet at
large.  They both satisfy their site's security policy.
