Gleeson, Francis (HT-EX) on Wed, 27 Feb 2002 13:08:36 -0500


RE: [PLUG] fire wall question(s)


The thread seems to be making an artificial distinction
between "closing" a port (actively blocked by firewall),
and "ignoring" a packet (having no server daemon listening).

The distinction is being made in the context of a denial of
service attack. Short of hardware filtering on your NIC card,
every packet that comes in will consume CPU bandwidth on the
target system. The amount of bandwidth should be proportional
to how far up the protocol stack the packet gets before being
destroyed.

So I guess the main point would be that a firewall is tightly
integrated with the kernel and can therefore kill the packet
much sooner than would happen otherwise. By the time a server
daemon gets the packet, it has been all the way through the protocol
stack.

> -----Original Message-----
> From: Michael Leone [mailto:turgon@mike-leone.com]
> Sent: Tuesday, February 26, 2002 10:07 PM
> To: PLUG
> Subject: Re: [PLUG] fire wall question(s)
>
>
> On Tue, 2002-02-26 at 20:38, Jon Galt wrote:
> > On Tue, 26 Feb 2002, Mike Leone wrote:
> >
> > > I can open ports on my firewall, but not have daemons listening on those ports, nor forwarded to any other machine.
> >
> > And what level of hardware or software rejects traffic when a port is closed?
>
> I don't understand - what level? What "level" are you referring to?
>
> > > Well, consider: whether or not a port is open, or listened to, or whatever ... if I decide to send 400 million packets at you, on port 53, say ... unless you have some upstream way of blocking those packets, your line is going to be flooded with incoming packets. Nothing else will be able to get in (effectively speaking), nor can you get out, because your bandwidth is being chewed up by all those incoming packets. Even if you're not processing them, they're still coming in.
> >
> > Ok, that makes sense. And it seems to apply whether the port is opened or closed, listened to or not...?
>
> Correct.
>
> --
>
> Michael J. Leone                  Registered Linux user #201348
> <mailto:turgon@mike-leone.com>    ICQ: 50453890     AIM: MikeLeone
>
> PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
> PGP public key:
> <http://www.mike-leone.com/~turgon/turgon-public-key.gpg>
>
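The point made in the reply above, that a kernel firewall can discard a packet long before any daemon would see it, in a concrete ruleset. This is an added nftables example, not configuration from anyone in the thread; the interface name eth0, the SSH service and the 203.0.113.0/24 address block are assumptions for illustration.

```nft
# Added example (not from the thread). Two tables: one hooked as early as the
# kernel allows, one at the normal input stage. The earlier a packet is
# dropped, the less CPU it costs; nothing here reduces the bytes arriving on
# the wire, which is the flood problem the quoted messages describe.

table inet early_drop {
    # The "raw" priority runs before connection tracking, so a packet dropped
    # here never gets a conntrack entry and never reaches the transport layer,
    # let alone a listening process.
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;

        # 203.0.113.0/24 is a documentation range standing in for a source
        # you have already decided to discard outright.
        ip saddr 203.0.113.0/24 drop

        # Nothing on this host serves DNS, so port 53 traffic from the outside
        # interface is dropped silently. "drop" sends nothing back; "reject"
        # would spend CPU and outbound bandwidth on an ICMP or RST reply.
        iifname "eth0" udp dport 53 drop
        iifname "eth0" tcp dport 53 drop
    }
}

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to connections this host opened itself.
        ct state established,related accept
        ct state invalid drop

        iifname "lo" accept

        # The one service assumed to be listening on this host.
        tcp dport 22 ct state new accept

        # Everything else falls through to the chain policy: drop, not reject,
        # so the sender gets no answer and no extra work is done.
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; the early_drop table should appear before any counters in the filter table move for the dropped traffic.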