On Fri, 2009-04-24 at 18:40 +0000, Marco wrote:
> On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder <dan...@admin-box.com> wrote:
> > On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
> [...]
> > While all that is correct, I would also consider it "bad network
> > behavior" (no offense intended).
>
> So you consider my 'reject-with' settings to be good practice?

Yes :)

> > It feels like "security through obscurity". It may hamper the
> > well-working of a TCP/IP network, as that relies heavily on ICMP.
>
> I was not really sure how to configure ICMP (ping) correctly. Any
> input appreciated!

That is really difficult, because ICMP is a family of lots of protocols, of which ping is just one. Others are important too, like telling routers/hosts about network congestion, and so on... I don't feel competent enough to give directions. I do always allow ping, as this is needed in a server environment to check for uptime, but your case may be different.

> > Also: if you wish to scan (nmap) yourself to check your system
> > (configuration), you'll wish for REJECT instead of DROP :)
>
> You mean as the default policy?

Yes, and also everywhere you use DROP. It's just that you'll have to wait less for timeouts when connecting to a closed port. If you decide to go with DROP, then you could make it globally switchable in your script, to change between testing and production environment/situation.

Bye,
Daniel
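The "globally switchable" script Daniel suggests, as an added example that is not part of the thread and not Daniel's or Marco's own firewall script. It assumes (hypothetically) that SSH on 22 and HTTP on 80 are the only services, that ping and the ICMP error types TCP/IP depends on should always be accepted, and that RUN=0 only prints the iptables commands while RUN=1 executes them. One caveat worth knowing: iptables only accepts ACCEPT or DROP as a built-in chain policy (REJECT is an extension target), so the testing/production switch has to live in a final catch-all rule rather than in the -P policy itself.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal iptables ruleset
# with one switch between testing (REJECT, fail fast for nmap/clients)
# and production (DROP, silent) handling of unwanted packets.
# Assumptions (hypothetical): services on tcp/22 and tcp/80 only;
# RUN=0 prints the commands for review, RUN=1 runs them as root.

MODE="${MODE:-testing}"     # testing | production
RUN="${RUN:-0}"             # 0 = print rules, 1 = execute them

# Map the mode to the target used for unwanted packets.
# REJECT answers immediately (ICMP port-unreachable; TCP peers get a RST),
# so a scanner or misconfigured client fails at once. DROP discards the
# packet silently and the peer sits in its own timeout.
unwanted_target() {
    case "$1" in
        testing)    echo "REJECT --reject-with icmp-port-unreachable" ;;
        production) echo "DROP" ;;
        *)          echo "unknown MODE: $1" >&2; return 1 ;;
    esac
}

# Emit or run one iptables command, depending on RUN.
ipt() {
    if [ "$RUN" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Build the complete ruleset for the given mode. With RUN=0 the output is
# the list of commands, so it can be diffed between modes before applying.
build_rules() {
    mode="$1"
    target=$(unwanted_target "$mode") || return 1

    ipt -F
    # REJECT is not a valid chain policy, so the policy stays DROP in both
    # modes and the last INPUT rule carries the testing/production choice.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Always answer ping: uptime checks depend on it.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Keep the ICMP error types TCP/IP relies on (path MTU discovery,
    # unreachable notifications, TTL expiry) instead of dropping ICMP wholesale.
    for t in destination-unreachable time-exceeded parameter-problem; do
        ipt -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done

    ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT

    # Catch-all: everything else gets the mode-dependent target.
    # $target is deliberately unquoted so "REJECT --reject-with ..." splits
    # into separate arguments.
    ipt -A INPUT -j $target
}

build_rules "$MODE"
```

Running `MODE=testing ./fw.sh` and `MODE=production ./fw.sh` with RUN left at 0 prints two rulesets that differ only in the last line, which is the point of the switch: nothing else about the firewall changes when you move from scanning yourself to production.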