On Tue, Jun 04, 2002 at 12:23:47PM -0400, Jeff Bonner wrote (1.00):
> You probably want to add some route verification too:
>
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 1 > $f
> done

Debian turns this on by default, so you don't have to do it by hand. But you can if you really want to.

> Anyway, what I would do is block TCP & UDP 0-19. This tosses
> "port 0", as well as tcpmux, compressnet, rje, echo, discard,
> systat, daytime, netstat, qotd, msp, and chargen all at once:

What I would do instead is to set your default policy to DROP (iptables -P INPUT DROP), and then ALLOW only the traffic that you actually want. It's much better than allowing everything, and only blocking the stuff you think is bad. This has the nice feature that you will only open ports that you need, and if you set iptables to log packets when you're setting things up, you can start by dropping everything, and then just start using your network, and enable the services that you see in your logs that you want.

M
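The default-DROP approach described in the reply, written out as a script. This is an added example, not code from the original mail or from Debian: the allowed TCP ports (22 and 80), the `INPUT-DROP:` log prefix, the `-m state` match and the sample kernel log lines are all assumptions or constructed data. By default it runs `apply_rules` through `echo`, so it prints the rules instead of changing the firewall; `dropped_ports` shows how to read the resulting log lines to see which services the policy is blocking before deciding whether to open them.

```shell
#!/bin/sh
# Added example (not from the original mail). Default policy DROP on INPUT,
# then ACCEPT only what is wanted, and LOG everything else so the admin can
# see which services are being hit while the ruleset is being built.

# ipt: "iptables" to apply for real (as root), "echo iptables" to preview.
# ports: space-separated TCP ports to accept (assumed values, see caller).
apply_rules() {
    ipt=$1
    ports=$2
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
    $ipt -F INPUT
    # Loopback and replies to connections this host opened are always fine.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the explicitly listed services may receive new connections.
    for p in $ports; do
        $ipt -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Everything else falls through to the DROP policy; log it (rate limited
    # so a flood cannot fill the disk) with a prefix that is easy to grep.
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# Number of iptables invocations the ruleset produces for a port list
# (used to check the generator without touching the kernel).
rule_count() {
    apply_rules "echo iptables" "$1" | wc -l | tr -d ' '
}

# Constructed sample lines of the shape the LOG target writes to the kernel
# log; these are not real captured logs.
SAMPLE_LOG='Jun  4 12:23:47 host kernel: INPUT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=25 SYN
Jun  4 12:23:50 host kernel: INPUT-DROP: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 PROTO=UDP SPT=5353 DPT=53
Jun  4 12:24:01 host kernel: INPUT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=25 SYN'

# Summarise dropped traffic as "PROTO/DPT count", most frequent first, so the
# admin can decide which of these services actually need to be opened.
dropped_ports() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep 'INPUT-DROP:' \
      | sed -n 's/.*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*/\1\/\2/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $2, $1}'
}

# Preview by default; IPT=iptables ALLOW_TCP="22 80" sh script.sh applies it.
apply_rules "${IPT:-echo iptables}" "${ALLOW_TCP:-22 80}"
echo "--- dropped services seen in the (constructed) log ---"
dropped_ports
```

On a real host, point `printf '%s\n' "$SAMPLE_LOG"` at `dmesg` or the syslog file instead of the constructed string; the `INPUT-DROP:` prefix is what makes the dropped packets easy to separate from other kernel messages.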