>> Yes, having a default DENY on the output chain is a bit more work, but
>> it also allows you to do a daily audit of possible problems. It all
>> depends on your determined security stance.
>
>A possible compromise would be to have a default ACCEPT rule, but make
>ipchains (or iptables) log all unusual ports. Something like:
>
>ipchains -P output ACCEPT
>ipchains -A output -p tcp -d 0.0.0.0/0 80:80 -j RETURN
>ipchains -A output -p tcp -d 0.0.0.0/0 21:21 -j RETURN
>...
>ipchains -A output -d 0.0.0.0/0 -l
>
>This way you will still allow all ports out, but it will log anything
>that you specifically have not specified. If you run logcheck or
>something of the like (recommended) then you will know when something
>strange is happening almost immediately.
Would such logging result in a higher load on the machine? I have noticed excessive load on one of our routers (zebra/bgp); it has a load average of 10 (or more) under DoS attacks. (Or does zebra just have a poor logging system?)

Anders Gj�re
Systems engineer, Kvalito IT
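The "allow everything, log what is not on the known-port list" chain quoted above, written as an added example in iptables syntax rather than the thread's ipchains (this is not code from either poster). It assumes iptables with the conntrack and limit match modules, which is where the load concern in the reply is usually addressed: the LOG rule only fires on new connection attempts and is rate-limited, so a flood of unusual packets produces a bounded number of log lines instead of one per packet. IPT defaults to a dry run that prints the commands; set IPT=iptables (as root) to apply them. The port lists and log prefix are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): default-ACCEPT OUTPUT chain that
# logs, with rate limiting, any new outbound connection to a port that is
# not on the allow list. Assumes iptables with the conntrack and limit
# matches. IPT defaults to a dry run so the rules can be reviewed first.
IPT="${IPT:-echo iptables}"
ALLOWED_TCP="${ALLOWED_TCP:-80 443 21 22 25 53}"   # assumed allow list
ALLOWED_UDP="${ALLOWED_UDP:-53 123}"               # assumed allow list
LOG_RATE="${LOG_RATE:-5/min}"                      # max average log rate
LOG_BURST="${LOG_BURST:-10}"                       # initial burst allowed

# Emit (or apply, if IPT=iptables) the rule set for the given chain.
build_output_rules() {
    chain="${1:-OUTPUT}"
    $IPT -P "$chain" ACCEPT
    # Known ports RETURN early so they are never logged.
    for p in $ALLOWED_TCP; do
        $IPT -A "$chain" -p tcp --dport "$p" -j RETURN
    done
    for p in $ALLOWED_UDP; do
        $IPT -A "$chain" -p udp --dport "$p" -j RETURN
    done
    # Everything else: log only the first packet of a connection, and no
    # more than LOG_RATE on average, so a flood cannot drown the log or
    # the CPU. The chain policy is still ACCEPT, so nothing is blocked.
    $IPT -A "$chain" -m conntrack --ctstate NEW \
        -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-prefix "UNUSUAL-OUT: " --log-level info
}

# Number of rules the policy produces (dry run), for a quick sanity check.
count_rules() {
    build_output_rules "${1:-OUTPUT}" | wc -l | tr -d ' '
}

# Stand-alone use: print the rule set for review.
build_output_rules OUTPUT
```

Feed the logged lines (prefix "UNUSUAL-OUT: ") to logcheck or similar as the quoted message suggests; the limit match means a sustained flood shows up as a steady trickle of entries plus the counters visible in `iptables -L OUTPUT -v`, which is enough to notice the event without the per-packet logging cost.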

