--On Tuesday, July 30, 2002 08:38:03 PM +0200 Florian Zschocke
<[EMAIL PROTECTED]> wrote:
> James Bourke wrote:
>>
>> 1. DO NOT RUN: ftp, irc, bind, pop, or any other unnecessary service
>> on a gaming machine. Run sshd on the gaming server and put the other
>> processes on another machine.
> [...]
>> 3. Use ipchains or iptables to block everything you do not
>> absolutely need.
>
> I'll never understand why people do this. If you don't need a
> service and don't have a daemon running for it, then why do you
> need a packetfilter? Somebody once said "packetfilters are for
> lazy admins" and he is right in the vast majority of cases. :)
The reason for that is that you might "accidentally" start up a service you
don't want/need and would be unprotected in that case. And you should block
outgoing connections which aren't necessary too. This should minimize the
risk to be abused e.g. for a DDOS (but cannot prevent it totally as you need
some outgoing connections).
I use (where possible) multiple firewalls, one dedicated firewall connected
to the internet, and local firewalls at the various servers. That way when
one server behind the firewall got hacked the others aren't easily attacked
(because each server has its own additional local firewall).
[FAW]Terran
--
visit http://www.excalibur-cs.de/
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
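The default-deny local firewall the reply above argues for (block everything not needed, inbound and outboing alike, so an accidentally started daemon is still unreachable and a compromised host has limited outbound reach), as an added example that is not part of the thread or of any poster's configuration. It is a POSIX shell script that emits the iptables commands; the port numbers (22 for sshd, 27015/udp as a stand-in for the game server port, DNS, NTP and HTTP(S) outbound) are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: a per-host, default-deny
# iptables rule set for a game server that only runs sshd and the game daemon.
# IPT defaults to "echo iptables" so the script prints the rules (dry run);
# run it as root with IPT=iptables to actually apply them.
IPT="${IPT:-echo iptables}"

# Inbound services this host really offers. 22 = sshd; 27015/udp is an
# assumed placeholder for the game server's listening port.
INBOUND_TCP="22"
INBOUND_UDP="27015"
# Outbound traffic the host itself needs (assumed): DNS and NTP over UDP,
# HTTP/HTTPS for package updates. Everything else outbound is dropped, which
# is what limits the damage a hacked server can do to other hosts.
OUTBOUND_UDP="53 123"
OUTBOUND_TCP="80 443"

gen_rules() {
    # Default deny in both directions. INPUT DROP is what protects a daemon
    # that gets started by accident; OUTPUT DROP is the anti-abuse part.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F

    # Loopback is needed by almost everything local.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections we allowed (conntrack tracks UDP too, so game
    # replies to players flow back out without an explicit outbound rule).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Explicitly offered inbound services only.
    for p in $INBOUND_TCP; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $INBOUND_UDP; do
        $IPT -A INPUT -p udp --dport "$p" -j ACCEPT
    done

    # Explicitly needed outbound destinations only.
    for p in $OUTBOUND_UDP; do
        $IPT -A OUTPUT -p udp --dport "$p" -j ACCEPT
    done
    for p in $OUTBOUND_TCP; do
        $IPT -A OUTPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Log whatever is left before the chain policy drops it, so an unexpected
    # listener or an unexpected outbound attempt shows up in syslog.
    $IPT -A INPUT -j LOG --log-prefix "fw-in-drop: "
    $IPT -A OUTPUT -j LOG --log-prefix "fw-out-drop: "
}

gen_rules
```

Because the script only prints by default, you can review the generated rules before applying them; the two LOG rules at the end are the check that matters operationally, since a burst of `fw-out-drop` entries from a server that should never initiate traffic is exactly the symptom of the abuse the reply describes.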