
Re: iptables SECURITY - default settings



On Thu, 09.09.2004 at 23:04, Wal wrote:

> I am suggesting a more secure default setting-

> -I SecLev505-INPUT -p all -j DROP

> Alternately (with possible issue when rules actually get applied)-

> -A SecLev505-INPUT -p all -j DROP

I would heavily dislike a default DROP rule setup with iptables. There
is a long discussion about DROP versus REJECT in the firewall forums,
and I follow the arguments for REJECTing. One reason which affects users
of Fedora: a DROP policy / default rule makes it much harder for anyone,
and especially for less experienced users, to track down problems caused by
firewalling, with no real gain on the other side. It is and stays a myth
that DROPing packets makes a system invisible to attackers (buzzword
"stealth mode" in PFW products). For the majority of users, feedback in
the form of an ICMP port unreachable is most useful.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 23:22:47 up 10 days, 20:39, load average: 0.38, 0.42, 0.37 

Attachment: signature.asc
Description: This is a digitally signed message part
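To make the DROP-versus-REJECT distinction concrete, here is an added example that is not part of Alexander's mail or of any Fedora code: a small audit script that reads an iptables-save dump, follows the INPUT chain through user-defined chains such as the SecLev505-INPUT chain quoted above, and reports whether the catch-all verdict is a silent DROP (a client simply waits for a timeout) or a REJECT with an ICMP error the client sees immediately. The two dumps are constructed samples; only the chain name comes from the thread.

```python
"""Audit an iptables-save dump for a silent-DROP versus REJECT default.

Added example, not from the mailing-list thread. The chain name
SecLev505-INPUT is taken from the quoted suggestion; the dumps are constructed.
"""
import shlex

BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample: the suggested default, an unconditional DROP.
SAMPLE_DROP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SecLev505-INPUT - [0:0]
-A INPUT -j SecLev505-INPUT
-A SecLev505-INPUT -i lo -j ACCEPT
-A SecLev505-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A SecLev505-INPUT -p all -j DROP
COMMIT
"""

# Constructed sample: same rule set, but the catch-all gives ICMP feedback.
SAMPLE_REJECT = SAMPLE_DROP.replace(
    "-p all -j DROP", "-j REJECT --reject-with icmp-port-unreachable"
)


def parse_dump(dump):
    """Return (policies, chains) for the *filter table of an iptables-save dump."""
    policies, chains, in_filter = {}, {}, False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. *filter
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT":
            continue
        if line.startswith(":"):            # ":CHAIN POLICY [pkts:bytes]"
            name, policy, _counters = line[1:].split(None, 2)
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):        # "-A CHAIN <matches> -j TARGET"
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(tokens[2:])
    return policies, chains


def classify_rule(tokens):
    """Return (unconditional, target, reject_with) for one rule's arguments.

    A rule is unconditional when it carries no match beyond "-p all", so it
    fires for every packet that reaches it.
    """
    target, reject_with, unconditional, i = None, None, True, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-j", "--jump"):
            target, i = tokens[i + 1], i + 2
        elif tok == "--reject-with":
            reject_with, i = tokens[i + 1], i + 2
        elif tok in ("-p", "--protocol"):
            unconditional = unconditional and tokens[i + 1] == "all"
            i += 2
        else:                               # -i, -s, -m, --dport, ...: conditional
            unconditional, i = False, i + 1
    return unconditional, target, reject_with


def _walk(chain, policies, chains, seen):
    if chain in seen:
        return None
    seen.add(chain)
    for tokens in chains.get(chain, []):
        unconditional, target, reject_with = classify_rule(tokens)
        if not unconditional or target is None:
            continue                        # may or may not match; not the default
        if target in TERMINAL:
            return target, reject_with
        if target == "RETURN":
            break                           # fall back to the caller / policy
        if target in chains:                # jump into a user-defined chain
            verdict = _walk(target, policies, chains, seen)
            if verdict is not None:
                return verdict
    # End of chain: builtin chains apply their policy, user chains return.
    return (policies.get(chain, "ACCEPT"), None) if chain in BUILTIN else None


def default_verdict(dump, chain="INPUT"):
    """Verdict a packet gets when no specific ACCEPT rule matched it."""
    policies, chains = parse_dump(dump)
    return _walk(chain, policies, chains, set())


def client_feedback(verdict):
    """What a connecting client observes for the given default verdict."""
    target, reject_with = verdict
    if target == "DROP":
        return "silent: client waits for a timeout"
    if target == "REJECT":                  # REJECT defaults to port-unreachable
        return "immediate: " + (reject_with or "icmp-port-unreachable")
    return "accepted"


if __name__ == "__main__":
    for name, dump in (("DROP", SAMPLE_DROP), ("REJECT", SAMPLE_REJECT)):
        print(name, default_verdict(dump), "->", client_feedback(default_verdict(dump)))
```

Run against a real `iptables-save` output, the script answers the question the thread argues about for a given host: whether someone debugging a blocked connection gets an immediate ICMP error pointing at the firewall, or a silent timeout indistinguishable from a dead host or a routing problem.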

