On Tue, Jul 30, 2002 at 10:36:28AM -0400, Phillip Hofmeister wrote:
> On Tue, 30 Jul 2002 at 09:51:19AM +0200, Giacomo Mulas wrote:
> > 3) if you do need them (e.g. you need to export NFS file systems) restrict
> > access to all of these relatively fragile services to trusted hosts, using
> > hosts.allow, hosts.deny and/or firewalling.
>
> On his point I would like to add that I encourage everyone I talk to to invoke
> a strong filtering system on any Linux system directly accessible from the
> net. I also encourage it on systems that are not directly accessible. Internal
> hosts can always get compromised. A strong firewall ruleset will DROP everything
> and allow only what is needed.
Since you brought the subject up... :-) Does anyone have a good way of dealing with daemons that use unpredictable port numbers? I have particular headaches with NFS, gdomap, and just recently SmokePing started doing it. I like to start off with a drop of everything and then open the absolute minimal requirements. INCLUDING LOOPBACK. So has anyone found a good way to deal with the unpredictable daemons?
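One way to handle the shifting RPC ports that NFS uses, as an added example that is not part of this thread: the script reads `rpcinfo -p` output (a constructed sample is embedded), then emits a drop-everything iptables INPUT ruleset that keeps loopback open and admits the RPC ports only from trusted hosts. The trusted address 192.0.2.10 and the list of wanted services are assumptions. Because the ports change whenever the daemons restart, the ruleset has to be regenerated after they come up.

```python
"""Generate a default-DROP iptables ruleset for RPC daemons on unpredictable ports."""

# Constructed sample of `rpcinfo -p` output; the high ports vary per boot.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  32770  mountd
    100005    1   tcp  32771  mountd
    100021    1   udp  32768  nlockmgr
    100024    1   udp  32769  status
"""

# Services a trusted NFS client needs to reach (assumption for this example).
WANTED_SERVICES = ("portmapper", "nfs", "mountd", "nlockmgr", "status")


def parse_rpcinfo(text):
    """Return a set of (proto, port, service) tuples from `rpcinfo -p` output."""
    entries = set()
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a program-number row.
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        _program, _version, proto, port, service = fields
        entries.add((proto, int(port), service))
    return entries


def build_rules(rpc_entries, trusted_hosts, wanted=WANTED_SERVICES):
    """Drop by default, allow loopback and replies, open RPC ports only to trusted hosts."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port, service in sorted(rpc_entries):
        if service not in wanted:
            continue
        for host in trusted_hosts:
            rules.append(
                f"iptables -A INPUT -p {proto} --dport {port} -s {host} -j ACCEPT  # {service}"
            )
    return rules


if __name__ == "__main__":
    # Assumed trusted NFS client; in practice feed `rpcinfo -p` output from the live host.
    for rule in build_rules(parse_rpcinfo(SAMPLE_RPCINFO), ["192.0.2.10"]):
        print(rule)
```

Run it after the NFS daemons have registered with the portmapper, since the emitted port numbers are only valid until the next restart.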

