
I'm SO mad about computers sending ICMP Unreachable messages about closed UDP ports.

DON'T JUST GIVE AWAY WHAT PORTS YOU ARE USING

StackOverflow posts like "How do I turn this off" with answers like "Stop wanting to turn it off" EAT 100% OF MY ENTIRE ASS

I just want to run a service that can't be tagged on Shodan without having CAP_NET_RAW T_T

Please

@jennamagius maybe add a firewall rule blocking outbound ICMP Unreachable?

@queerhackerwitch That's what the StackOverflow advice is, and that's pretty much the best answer. It doesn't really make it possible to run a hidden service without privileges though, 'cause you need privileges to make the firewall rule.

@queerhackerwitch The reason I want to operate without privileges is not because I can't get them; I'm developing some security-paranoid software, and rule 1 of security paranoia is "try not to have privileges. The more privileges you have, the worse it is when you get pwned."

@jennamagius In this case though it’s not the software that needs privileges, it’s the admin during setup

@queerhackerwitch That's true, but I'm disappointed to have written a program that can do 99.9% of its work with user privs, but isn't directly usable when you only have user privs.

Jenna Magius @jennamagius

@queerhackerwitch The annoying thing about making a firewall rule is that interacting with the firewall is very different across different platforms. Plus, there's an information disclosure inherent in not sending the unreachable responses when you are an otherwise clearly existent system. The approach I'm going with is using raw sockets to receive portknocks without causing the kernel to consider additional UDP ports "open", so it _keeps_ sending unreachable responses.

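The raw-socket approach described in the post above, as an added example that is not the author's code: a Linux sniffer (assumed AF_PACKET, which needs CAP_NET_RAW) parses inbound IPv4/UDP packets and tracks each source's progress through a knock sequence without ever binding a UDP port, so the kernel's ICMP Port Unreachable behaviour for those ports is unchanged. KNOCK_SEQUENCE, build_udp_packet and the 192.0.2.x/10.0.0.1 addresses are constructed for the example.

```python
import socket
import struct

KNOCK_SEQUENCE = [7000, 8000, 9000]   # constructed for this example, not from the thread

def parse_ipv4_udp(packet):
    """Return (source IP, UDP destination port) for an IPv4/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                    # IPv4 header length incl. options
    if packet[9] != 17 or len(packet) < ihl + 8:    # 17 = UDP, 8-byte UDP header
        return None
    src_ip = socket.inet_ntoa(packet[12:16])
    return src_ip, struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]

class KnockTracker:
    def __init__(self, sequence):
        self.sequence, self.progress = sequence, {}   # progress: src_ip -> steps matched

    def observe(self, src_ip, dst_port):
        """Feed one observed knock; return True when the full sequence completes in order."""
        step = self.progress.get(src_ip, 0)
        if dst_port == self.sequence[step]:
            step += 1
        else:                                       # wrong port resets this source
            step = 1 if dst_port == self.sequence[0] else 0
        if step == len(self.sequence):
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = step
        return False

def build_udp_packet(src_ip, dst_port):
    """Construct a minimal IPv4/UDP packet for offline testing (checksums left zero)."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("10.0.0.1"))
    return ip + udp

def sniff(tracker):
    """Linux only, needs CAP_NET_RAW. No UDP port is bound, so the kernel keeps answering
    the knock ports with ICMP Port Unreachable exactly as it does for any closed port."""
    raw = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0800))
    while True:
        parsed = parse_ipv4_udp(raw.recv(65535)[14:])  # skip the 14-byte Ethernet header
        if parsed and tracker.observe(*parsed):
            print(f"valid knock sequence from {parsed[0]}")

if __name__ == "__main__":
    sniff(KnockTracker(KNOCK_SEQUENCE))
```

The parser and tracker run offline against build_udp_packet output; only sniff() touches a real interface.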

@queerhackerwitch knockd exists, and it shells out to iptables, but shelling out to iptables is fragile and miserable and I hate it >.> We can do better.

@queerhackerwitch Also, literally the first time I set up knockd my knock ports showed up in nmap -sU and you could find the knock sequence by brute-forcing permutations on five ports, which is fairly pathetic. I suspect that happens to pretty much everyone the first time they set up knockd.