Re: Iptables Clues and Advices.
From: Anduine Crow (anduine@hotmail.com)
Date: 04/11/03
- Maybe in reply to: Nahual Guerrero: "Iptables Clues and Advices."
From: "Anduine Crow" <anduine@hotmail.com>
To: vic@sheetz.com
Date: Fri, 11 Apr 2003 11:29:49 +0000
Vic Ricker <vic@sheetz.com> said:
>While I personally use DROP, I can see instances where it might not be
>desirable. In the case where you are trying to connect to remote services
>that use ident (ftpd, xinetd, postgres, etc.), the use of DROP on port 113
>will cause those services to wait for the timeout before allowing your
>connection. To be fair, my solution has always been to disable ident
>checks on the remote server since they are pretty much useless. :-)
>
>-Vic
I agree with that. I do use REJECT for 113; I discovered that real early on
when SMTP connections would take a long time to be established. Once you
get some firewalling experience, it doesn't take long to determine which
ports should be REJECTed or DROPped.

I only posted to this thread because I didn't agree, as someone was alluding
to, that DROP was a bad practice and harmful to *legitimate* users. It all
depends on your decisions and what you are comfortable with. DROP has its
uses, as does REJECT.

This debate is starting to remind me of the "Tomato, tomato" thing...
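The policy discussed in this message (DROP by default, but REJECT on the ident port so remote ftpd/SMTP servers fail fast instead of waiting for a timeout), written out as an added example that is not part of the original post. The function name, the chain layout and the loopback/established rules are assumptions for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that answers selected TCP
# ports with a TCP reset (the peer sees "connection refused" at once) and
# silently DROPs all other unsolicited inbound traffic.
# ident_friendly_ruleset is a hypothetical helper name, not an iptables tool.

# usage: ident_friendly_ruleset [port ...]    (default: 113, ident)
ident_friendly_ruleset() {
    [ "$#" -gt 0 ] || set -- 113

    # Validate every port before printing anything, so a typo never
    # produces a half-written ruleset.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "port out of range: $port" >&2
            return 1
        }
    done

    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # These must come before the final DROP: the first matching rule wins.
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    done
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}

# Print the default ruleset. To syntax-check it without loading it (as root):
#   ident_friendly_ruleset | iptables-restore --test
ident_friendly_ruleset
```

With `--reject-with tcp-reset` the port looks closed rather than filtered, which is what lets the remote ident lookup give up immediately.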