Re: my debian does not read my own iptables script
On Sat, Jan 31, 2009 at 02:41:47AM +0100, Ansgar Wiechers wrote:
> I also strongly recommend running a custom
> (stripped-down) kernel.
Can you please explain why? As the distribution kernels are heavy
modularized you won't get much less kernel code, which is one attack
vector. The second one is also unchanged, priviledged userspace access
and kernel code injection via /dev/mem or are a changed kernel binary.
On the other side you loose any security support for this.
> Second problem. Don't set policies to ACCEPT without a good reason.
This applies to the filter chains only. Don't set it on the nat or
First study the enemy. Seek weakness.
-- Romulan Commander, "Balance of Terror", stardate 1709.2