
Re: is iptables enough?



>>>>> "Vineet" == Vineet Kumar <debian-security@virtual.doorstop.net> writes:

    Vineet> * Adrian 'Dagurashibanipal' von Bidder
    Vineet> <avbidder@fortytwo.ch> [20030320 06:39 PST]:
    >> Set it up to block everything and then selectively open ports
    >> until everything works as desired. Depending on the
    >> applications it may be a good idea to REJECT auth (identd)
    >> packets instead of dropping them - some applications have long
    >> timeouts.

    Vineet> IMO, it's a good idea to REJECT instead of DROPping most
    Vineet> packets.  If you think DROPping makes you invisible,
    Vineet> you're deluding yourself.  I generally end my INPUT chain

Um, would you be so kind as to explain the "deluding yourself" part or
point to some information that does so? From what I have read on the
net using Google, a good number of people use DROP to help with port
scanning (i.e. port scanning will take a lot longer with DROP than
REJECT), and also to help with DoS, whereas REJECT is deemed more polite.

Sincerely,

Adrian Phillips

-- 
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now?  [OK]
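The ruleset the quoted message describes (default-deny INPUT, selectively opened ports, ident answered with a TCP reset instead of being silently dropped) as an added example that is not part of this thread. It assumes SSH and SMTP are the services to expose (OPEN_TCP_PORTS) and only loads the rules, as root, when run with the argument `apply`.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables-restore ruleset that
# drops everything on INPUT by default, opens a few services, and answers
# ident (auth, tcp/113) probes with a RST so that remote MTAs/IRC servers
# doing ident lookups get an immediate answer instead of waiting out a timeout.
# Assumption: SSH and SMTP are the services this host offers.
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22 25}"

gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'     # default policy: silently drop
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $OPEN_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # ident: reject with a reset rather than letting the peer time out
    printf '%s\n' '-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset'
    printf '%s\n' 'COMMIT'
}

# Number of -A rules generated; handy for a sanity check before applying.
count_rules() {
    gen_rules | grep -c '^-A '
}

# Does the generated ruleset reject ident with a RST? (0 = yes)
rejects_ident() {
    gen_rules | grep -q -- '--dport 113 -j REJECT --reject-with tcp-reset'
}

if [ "${1:-}" = "apply" ]; then
    gen_rules | iptables-restore   # needs root
else
    gen_rules                      # print for review
fi
```

Run it without arguments first and read the output; `iptables-restore` replaces the whole filter table atomically when you pass `apply`.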