there is an extra layer of protection. in case your server on an open port is exploited to force it to run a shell listening on another tcp port, the "input deny by default" rule will prevent the cracker from connecting to that new port. so in general it is good to block even the unused tcp ports because many remote exploits use that m.o.
> On Fri, 16 Nov 2001, Gerald Timothy Quimpo wrote:
>
> > 2. in general, "input deny by default is more secure" than
> > input accept by default. of course. but if i've got
> > my firewall selectively allowing only trusted hosts to
> > connect to ports where daemons are listening
> >
> > e.g., the only service on box B1 is HTTP and i've got
> > a firewall rule that says only IPs in the range
> > ABC.DEF.GHI.0-16 can connect to B1:80
> >
> > what benefit is there in denying by default to ports where
> > no servers are listening? (naturally, i'd let established
> > connections, started from inside, through the firewall).
> >
> > or maybe that's the wrong question. better would be, how
> > would an attacker, ah, attack a box like that where there
> > are no open ports to connect to? i don't think "deny by

i think properly configured client machines will only be the ones without open ports. otoh, servers will always have at least 1 open port. so crackers will scan the victim network weeding out the servers from the client machines and go for the servers instead.

pong

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
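The argument made in this thread (a shell that a compromised daemon is forced to bind on an unused port stays unreachable under "input deny by default", but is reachable under accept-by-default) as an added example that is not part of the original posts: a small Python model of box B1's INPUT policy, with only port 80 open to a trusted range and return traffic for connections started from inside allowed. The Firewall class, the TEST-NET addresses, and port 4444 for the spawned shell are constructed for illustration, not taken from the thread.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Firewall:
    """Toy stateful packet filter modelling the INPUT chain of box B1 (constructed)."""
    default_deny: bool                                  # True = "input deny by default"
    allowed: list                                       # [((first_ip, last_ip), dport), ...]
    established: set = field(default_factory=set)       # (remote_ip, remote_port, local_port)

    def outbound(self, dst_ip: str, dst_port: int, src_port: int) -> None:
        """Record a connection started from inside so its replies get through."""
        self.established.add((dst_ip, dst_port, src_port))

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> str:
        """Decide the fate of an inbound packet; returns 'ACCEPT' or 'DROP'."""
        # 1. replies to connections B1 opened itself (the ESTABLISHED rule)
        if (src_ip, src_port, dst_port) in self.established:
            return "ACCEPT"
        # 2. explicitly allowed new connections: trusted range -> listening daemon
        for (first, last), port in self.allowed:
            if dst_port == port and ip_address(first) <= ip_address(src_ip) <= ip_address(last):
                return "ACCEPT"
        # 3. everything else, including ports nobody is supposed to listen on,
        #    falls through to the default policy; this is the whole debate
        return "DROP" if self.default_deny else "ACCEPT"


def scenario(default_deny: bool) -> dict:
    """B1 serves only HTTP to a trusted range; then a compromised httpd is forced
    to start a shell listening on TCP 4444 (constructed port number)."""
    fw = Firewall(default_deny, allowed=[(("192.0.2.0", "192.0.2.16"), 80)])
    fw.outbound("198.51.100.9", 80, 40000)  # B1 fetched a page from outside earlier
    return {
        "trusted->80": fw.inbound("192.0.2.5", 51000, 80),
        "untrusted->80": fw.inbound("198.51.100.7", 51001, 80),
        "reply->40000": fw.inbound("198.51.100.9", 80, 40000),
        "attacker->4444": fw.inbound("198.51.100.7", 51002, 4444),
    }


if __name__ == "__main__":
    for policy in (True, False):
        print("deny by default" if policy else "accept by default", scenario(policy))
```

Under deny-by-default only the trusted HTTP request and the reply to B1's own outbound connection get through; under accept-by-default the connection to the newly bound port 4444 is accepted as well, which is the extra layer of protection the thread is talking about.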
