Security....

Rodolfo J. Paiz rpaiz at simpaticus.com
Wed Oct 27 18:16:40 UTC 2004


On Wed, 2004-10-27 at 13:56 -0400, James Kosin wrote:
> You don't give iptables a chance.  It is a very powerful feature.  With 
> proper setup you can allow unfettered access to your server on your 
> network alone and deny access (or restrict) everyone else.
> 

My dear James, the problem is that you are misunderstanding me... or
that I am not explaining myself, but if I write longer posts people
bitch that I overload their quotas. <grin>

I do use iptables... see Shorewall (http://www.shorewall.net). I do take
advantage of every piece of it I can, and Shorewall makes it easy for
me. What I was describing is an *additional* measure of protection...
since iptables cannot protect you from attacks on open ports (like 22 or
80, if you offer those services), then leave an "open" but redirected
port as bait so that you can catch (and banish) anyone who touches them.

I am in no way saying that the basic iptables firewall is bad; far from
it! What I am saying is that such a simple setup is good but one can do
*more* to protect the system if the time, effort, and cycles are
available to do some extra work.

Read over my long post again, carefully. I think you'll like the
additional level of protection that this offers you: the point being
that, if the guy is going to probe your 22 and 80, he's also likely to
try your 1080 and 8080... so when he touches those you zap him, and
hopefully make him lose interest when he has to wait two days to send
*any* packets to your machine.

Cheers,

-- 
Rodolfo J. Paiz <rpaiz at simpaticus.com>
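The bait-port idea Rodolfo describes, as an added example that is not from this thread and not Shorewall's own configuration: plain iptables rules using the `recent` match, so that a source which touches an unused port is dropped on every port for two days. It assumes 22 and 80 are the real services, 1080 and 8080 are not listening on this host, that loopback and established-connection rules already exist elsewhere in the chain, and it simplifies the "redirected" bait port to a logged drop.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall.
# Assumed layout: real services on 22/80, unused bait ports 1080/8080,
# a two-day ban, and loopback/established rules handled elsewhere.
BAIT_PORTS="1080 8080"     # unused ports left reachable as bait
REAL_PORTS="22 80"         # services actually offered
BAN_SECONDS=172800         # two days, as in the thread
LIST=baitlist              # name of the kernel "recent" table

# Emit the rule set, one iptables command per line, without running it.
# Order matters: the ban check comes first so a listed source never
# reaches the ACCEPT rules for the real services.
bait_rules() {
    # 1. Anyone on the list is dropped for every port. --update refreshes
    #    the timer on each hit, so they really do wait two quiet days.
    echo "iptables -A INPUT -m recent --name $LIST --update --seconds $BAN_SECONDS -j DROP"
    # 2. Touching a bait port is logged, adds the source to the list, and
    #    the packet is dropped (the thread's "redirect" simplified to a drop).
    for p in $BAIT_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j LOG --log-prefix \"BAIT:$p \""
        echo "iptables -A INPUT -p tcp --dport $p -m recent --name $LIST --set -j DROP"
    done
    # 3. Real services stay reachable for everyone not on the list.
    for p in $REAL_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
}

# Count how many rules mention a given port (sanity check before applying).
rules_for_port() {
    bait_rules | grep -c -- "--dport $1 "
}

# Apply only when explicitly requested (run as root); otherwise just print
# the rules so they can be reviewed first.
if [ "${BAIT_APPLY:-0}" = "1" ]; then
    bait_rules | sh
else
    bait_rules
fi
```

Banned sources can be inspected in /proc/net/xt_recent/baitlist (older kernels: /proc/net/ipt_recent/baitlist), which is also where a false positive is cleared.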