Shorewall users - Apr 2002 - Question on REJECT

To all,

Sorry for this question if it''s already answered in the list archives
but
they seem to be down right now.

Is it possible to configure shorewall to reject packets so that portscans
will not work?

Something like:
http://groups.google.com/groups?hl=en&safe=off&selm=fa.hbgphmv.sma38m%40ifi.
uio.no

Even though packets are dropped, I''d like to disable any potential
views
into my firewall/gateway since it is running services for my internal LAN.

Please CC me in the reply since I''m not on this distribution list.

Thanks,
brian

On Thu, 11 Apr 2002, Brian Fallik wrote:
>
> To all,
>
> Sorry for this question if it''s already answered in the list
archives but
> they seem to be down right now.
>
How are you trying to access them? -- the archives are on the same system
as the mailing list smtp server and appear to be up on this end.
> Is it possible to configure shorewall to reject packets so that portscans
> will not work?
>
> Something like:
>
http://groups.google.com/groups?hl=en&safe=off&selm=fa.hbgphmv.sma38m%40ifi.
> uio.no
>
> Even though packets are dropped, I''d like to disable any potential
views
> into my firewall/gateway since it is running services for my internal LAN.
>
The poster in the above email is full of something that doesn''t smell
very
good. Rejecting with RST in fact tells the scanner that there IS a system
there; dropping the SYN packets on the floor (Shorewall''s default
behavior) does NOT reveal the presence of your system.

If you prefer to take the word of the other fellow however, simply set the
net->all policy to REJECT in /etc/shorewall/policy and Shorewall will
merrily respond to SYN with RST.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net