Nmap Hackers: Re: Best way to block incoming TCP connections?

From: Michael T. Babcock <mikebabcock_at_pobox.com>
Date: Sun, 07 May 2000 09:29:40 -0400

Following this discussion a little, I'd like to point out that being able to DROP
or REJECT packets is perfectly sufficient in almost all cases.

As for detecting exact packet types, this should be made easier, yes. But,
being able to defeat OS scans is pointless. If you're embarrassed of the OS you
use or you know of open holes in it, you shouldn't be using it. If on the other
hand, it's political that you not have a visible OS (like your boss not knowing
you use Linux on your router), you have problems that won't be fixed with OS
detection detection.

Lennert Buytenhek wrote:

> > Looks to me like it allows finger printing as well as stealth scans,
> > depending on the current state of affairs of TCP in Linux...
>
> I'm sure that the Linux Powers That Be will argue that protecting against
> finger printing/stealth scanning is a useless 'feature' that only gets in
> the way.. *sigh*

(snip)

> Right now, the linux ppl are arguing that the fw generating RSTs is bad,
> violates end-to-end, and will cause imminent internet death. Can you see
> anything which could remotely support these claims? (you might want to
> check a netfilter archive for the full thread, if you're interested)

--
               _____/~-=##=-~\_____
       -=+0+=-< Michael T. Babcock >-=+0+=-
               ~~~~~\_-=##=-_/~~~~~
http://www.linuxsupportline.com/~pgp/ ICQ: 4835018
Received on May 07 2000