Why not have firewall rules by default?

2008-01-23 Thread William Twomey
It's my understanding (and experience) that a Debian system by default is vulnerable to SYN flooding (at least when running services) and other such mischief. I was curious as to why tcp_syncookies (and similar things) are not enabled by default. Many distros (RPM-based mostly from my

Re: Why not have firewall rules by default?

2008-01-23 Thread Thomas Damgaard
On Jan 23, 2008 4:19 PM, William Twomey wrote: One solution could be to have a folder called /etc/security/iptables that contains files that get passed to iptables at startup (in the same way /etc/rc2.d gets read in numeric order). So you could have files like 22ssh, 23ftp,

Re: Why not have firewall rules by default?

2008-01-23 Thread Michael Loftis
--On January 23, 2008 9:19:01 AM -0600 William Twomey wrote: It's my understanding (and experience) that a Debian system by default is vulnerable to SYN flooding (at least when running services) and other such mischief. I was curious as to why tcp_syncookies (and similar

Re: Why not have firewall rules by default?

2008-01-23 Thread maximilian attems
On Wed, Jan 23, 2008 at 08:29:25AM -0700, Michael Loftis wrote: It's better to leave the service disabled, or even better, completely uninstalled from a security standpoint, and from a DoS standpoint as well. The Linux kernel isn't very efficient at processing firewall rules. Newer

Re: Why not have firewall rules by default?

2008-01-23 Thread Riku Valli
Rolf Kutz wrote: On 23/01/08 08:29 -0700, Michael Loftis wrote: It's better to leave the service disabled, or even better, completely uninstalled from a security standpoint, and from a DoS standpoint as well. The Linux kernel isn't very efficient at processing firewall rules. Newer I

Re: Why not have firewall rules by default?

2008-01-23 Thread Ondrej Zajicek
On Wed, Jan 23, 2008 at 09:19:01AM -0600, William Twomey wrote: One solution could be to have a folder called /etc/security/iptables that contains files that get passed to iptables at startup (in the same way /etc/rc2.d gets read in numeric order). So you could have files like 22ssh, 23ftp,

Re: Why not have firewall rules by default?

2008-01-23 Thread Vincent Deffontaines
Michael Loftis wrote: [snip] It's better to leave the service disabled, or even better, completely uninstalled from a security standpoint, and from a DoS standpoint as well. The Linux kernel isn't very efficient at processing firewall rules. Newer kernels might be though (I honestly haven't

Re: Why not have firewall rules by default?

2008-01-23 Thread Riku Valli
William Twomey wrote: Debian haven't any open services by default, except portmapper and behind portmapper aren't any services. So no need for host firewall. But isn't it reasonable to assume that most people will be installing services? Even a desktop user is likely to enable SSH and maybe

Re: Why not have firewall rules by default?

2008-01-23 Thread William Twomey
If this is needed/wanted in Debian, no problem, but remember obscurity isn't security. With fwbuilder, lokkit (Gnome), kmyfirewall (kde) etc. it is very easy to make and maintain firewall(s) on Linux, and all of these are regular Debian packages. That is true, but there should be more information about

Re: Why not have firewall rules by default?

2008-01-23 Thread Rolf Kutz
On 23/01/08 18:48 +0200, Riku Valli wrote: Debian haven't any open services by default, except portmapper and behind portmapper aren't any services. So no need for host firewall. Ack. I didn't want to argue pro a default firewall. regards, Rolf -- ...about the greatest democrazy in the

Re: Why not have firewall rules by default?

2008-01-23 Thread Riku Valli
William Twomey wrote: If this is needed/wanted in Debian, no problem, but remember obscurity isn't security. With fwbuilder, lokkit (Gnome), kmyfirewall (kde) etc. it is very easy to make and maintain firewall(s) on Linux, and all of these are regular Debian packages. That is true, but there should be

Re: Why not have firewall rules by default?

2008-01-23 Thread Riku Valli
William Twomey wrote: It's my understanding (and experience) that a Debian system by default is vulnerable to SYN flooding (at least when running services) and other such mischief. I was curious as to why tcp_syncookies (and similar things) are not enabled by default. Sorry, forgot that.

Re: Why not have firewall rules by default?

2008-01-23 Thread Florian Weimer
* Ondrej Zajicek: You could also have an 'ENABLED' variable like some files in /etc/default have (so that ports wouldn't be opened by default; the user would have to manually enable them for the port to be opened). Better way is just not start that daemon. The daemon might have been

Re: Why not have firewall rules by default?

2008-01-23 Thread James Shupe
I believe Debian's method of handling iptables is perfect. if-up.d and its counterparts provide a great means for scripting complex firewall sets. For example, I have written a perl script that parses a custom config file that defines certain IPs and

Re: Why not have firewall rules by default?

2008-01-23 Thread Maximilian Wilhelm
On Wednesday, 23 January, Florian Weimer typed the following: * Ondrej Zajicek: You could also have an 'ENABLED' variable like some files in /etc/default have (so that ports wouldn't be opened by default; the user would have to manually enable them for the port to be opened).

Re: Why not have firewall rules by default?

2008-01-23 Thread Russ Allbery
Florian Weimer writes: The daemon might have been installed by a package dependency, more or less by accident. Debian should have a policy that all daemons bind to the loopback interface by default, but as long as this is not the case, I can understand why people put packet