
Re: Why not have firewall rules by default?



Rolf Kutz wrote:
On 23/01/08 08:29 -0700, Michael Loftis wrote:

It's better to leave the service disabled, or even better, completely uninstalled from a security standpoint, and from a DoS standpoint as well. The Linux kernel isn't very efficient at processing firewall rules. Newer

I thought it was very efficient in doing so. YMMV.


This much does exist: invoke-rc.d iptables save --- I'm not sure what package the /etc/init.d/iptables script is in; it seems to me like it was part of the same package that provided the binaries.

Didn't that get removed?

regards, Rolf
Yes, those were removed. I think this is the most correct style today.
http://ace-host.stuart.id.au/russell/files/debian/sarge/iptables/

I cannot find the original, and it seems this info was removed from ..doc/iptables.

Debian doesn't have any open services by default, except the portmapper, and behind the portmapper there aren't any services. So there is no need for a host firewall.

If all services are allowed from the host to anywhere, a firewall cannot do anything in case the host is compromised, and it is very difficult to make default rules for that. If a user installs, for example, apache, we need a mechanism which automatically allows connection(s) from outside to the service(s). What is the difference? A host without a firewall and port 80 open, or a host with a firewall and a rule which opens port 80?


Regards, Riku

