dufresne at sysinfo.com
Mon Feb 7 19:30:20 CET 2005
On 7 Feb 2005, Jose Maria Lopez wrote:
> On Sun, 06 Feb 2005 at 22:03, Jason Opperisano wrote:
> > Ron has an excellent point here about IDENT. A "good Internet citizen"
> > thing to do when running a mail server is to reject ident instead of
> > dropping it:
> > iptables -A INPUT -p tcp --syn --dport 113 \
> > -j REJECT --reject-with tcp-reset
> Isn't it advisable for every tcp port you want to block?
> I have some documentation that says that doing otherwise
> is even bad for your network communications.
I've never heard it is bad, but the question is how nice one wishes to be
to those trying to transgress your security profile. I tend to use a lot of
drops, especially for ports like ftp, telnet, some of the printer and
shell exec ports, and any ports trojans are fond of. The drop makes the other
end continue trying till the command/connect attempt is either aborted or
times out, and with automated attacks that can slow down the little
nasty prog. Kinder to me and my other servers, as well as others on the
net, when I can slow these things down some. Reject with rst: those are
for the ports where you wish to treat the other end nicely.
admin & senior security consultant: sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice. Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question. The words
"make" and "stay" become inappropriate. My love for you has no
strings attached. I love you for free...
-Tom Robins <Still Life With Woodpecker>
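The split policy discussed in this thread (silent DROP for ports that only scanners and trojans have any business probing, REJECT with a TCP RST for ident so a remote mail server's lookup fails fast instead of stalling), written out as an iptables script. This is an added example, not a rule set posted by anyone in the thread; the port list, the `IPT` variable for dry-running, and the conntrack accept rule are my assumptions.

```shell
#!/bin/sh
# Added example implementing the DROP-vs-REJECT policy from the thread.
# Assumes IPv4 iptables on a host that also runs a public mail server.
# Set IPT=echo to dry-run: the commands are printed instead of applied.
IPT="${IPT:-iptables}"

# Ports to drop silently (assumed list: ftp, telnet, rexec, rlogin, rsh,
# lpd). The peer gets no answer and keeps retransmitting its SYN until
# its own timeout, which slows down automated scanners and trojans.
DROP_PORTS="21 23 512 513 514 515"

# Ports to reject with a TCP RST. A remote MTA that probes ident (113)
# before accepting our mail learns immediately that nothing is there and
# moves on, instead of waiting out a connect timeout on every delivery.
RST_PORTS="113"

apply_policy() {
    # Let replies to our own outbound connections through first.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    for p in $DROP_PORTS; do
        $IPT -A INPUT -p tcp --syn --dport "$p" -j DROP
    done

    for p in $RST_PORTS; do
        $IPT -A INPUT -p tcp --syn --dport "$p" \
            -j REJECT --reject-with tcp-reset
    done
}

# Only touch the live firewall when explicitly asked:  ./policy.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_policy
fi
```

Run `IPT=echo ./policy.sh apply` (or source the file and call `IPT=echo apply_policy`) to see the rules without needing root. From another host, `nmap -sS -p 21,113 <host>` reports port 113 as "closed" (the RST came back) and port 21 as "filtered" (no answer at all), which is exactly the observable difference between the two targets that the reply above describes.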