On Fri, Sep 06, 2002 at 01:58:03PM -0500, Peter Snoblin wrote:
> I would just like to point out a few things about the init script,
> though. (Do note that most of these are personal preferences that stem
> from an acute paranoia.) I don't like leaving ident open; I don't
> really think it's any of your business who is signed onto my computer.

If you don't leave ident open, then sending mail suffers large delays as most mailservers check it. You may also have trouble signing onto some websites like hotmail.com for the same reason. If you don't want people to know who you are, a better approach is probably just to install one of the "fake identd" programs that always says you are root.

> Also, I prefer to block all but the most needed ICMP (ping) stuff. Not
> responding to pings makes it much harder to portscan your box, which
> is generally safer.

With that firewall, I would say portscans are essentially immaterial. Essentially no TCP or UDP ports are open.

> For that last rule (iptables -A INPUT -j REJECT) I
> prefer the DROP target, as REJECT informs the sender that its packet
> was dropped, whereas DROP simply ignores it, in short making your
> computer something of a blackhole.

I disagree here. A drop does not make your computer a black hole; it tells the other side that you filtered the packet (notice that nmap, for example, will tell you that the port is "filtered"). After all, if you can be pinged, you are there. Sending an icmp-port-unreachable makes the port look closed just like any other closed port.

For what it's worth, I used to drop packets. But particularly if you run an "open firewall" where you close selective services, it just draws attention to the ports you are filtering. I might feel different on a very busy server.

-- 
Don Bindner <[EMAIL PROTECTED]>
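As an added illustration (not part of the thread, and not code from either poster), here is a small Python model of what a remote TCP client sees when it probes a port behind each iptables catch-all target, and how long it waits for an answer. It ties the two points of the exchange together: a DROP target is what makes a mail server's ident query stall for its full timeout, while a REJECT (or no firewall rule at all on a port with nothing listening) answers within one round trip. The round-trip and timeout figures are constructed constants, and the `--reject-with tcp-reset` variant is an iptables option the thread does not mention; it is included because it produces the same RST an unbound port would.

```python
"""Constructed model (added example, not from the thread) of what a remote
TCP client sees when it probes one port on a host whose iptables INPUT
chain ends in ACCEPT, REJECT or DROP.  RTT and timeout are illustrative
constants, not measurements."""

from dataclasses import dataclass
from enum import Enum

RTT_S = 0.05             # constructed: one network round trip
CLIENT_TIMEOUT_S = 30.0  # constructed: how long the client waits for any answer


class Target(Enum):
    """The iptables target that matches the probe."""
    ACCEPT = "-j ACCEPT"
    REJECT_ICMP = "-j REJECT --reject-with icmp-port-unreachable"  # what plain -j REJECT sends
    REJECT_RST = "-j REJECT --reject-with tcp-reset"               # variant not mentioned in the thread
    DROP = "-j DROP"


@dataclass(frozen=True)
class Observation:
    reply: str        # packet that reaches the client, if any
    wait_s: float     # how long the client waits before it has an answer
    looks_like: str   # how a client or scanner will interpret it


def probe_tcp(listening: bool, target: Target,
              timeout_s: float = CLIENT_TIMEOUT_S) -> Observation:
    """Return what a single TCP SYN to the port yields for the sender."""
    if target is Target.ACCEPT:
        if listening:
            return Observation("SYN/ACK", RTT_S, "open")
        # Packet reaches the kernel, no socket is bound: the kernel answers with RST.
        return Observation("RST", RTT_S, "closed")
    if target is Target.REJECT_RST:
        # The firewall forges the same RST an unbound port would send.
        return Observation("RST", RTT_S, "closed")
    if target is Target.REJECT_ICMP:
        # Explicit ICMP error: connect() fails immediately with ECONNREFUSED.
        return Observation("ICMP type 3 code 3 (port unreachable)", RTT_S,
                           "unreachable, reported right away")
    # DROP: nothing is sent back; the client retransmits until its timer expires.
    return Observation("(no reply)", timeout_s, "filtered; client gives up on timeout")


def ident_delay_s(target: Target) -> float:
    """Seconds an MTA's ident query (port 113, no identd running) stalls
    before the mail exchange can continue."""
    return probe_tcp(False, target).wait_s


def compare(listening: bool = False) -> dict[Target, Observation]:
    """One observation per target for a port with or without a listener."""
    return {t: probe_tcp(listening, t) for t in Target}


if __name__ == "__main__":
    for target, obs in compare(listening=False).items():
        print(f"{target.value:<55} {obs.reply:<40} {obs.wait_s:>6.2f}s  {obs.looks_like}")
    print(f"\nident stall with DROP:   {ident_delay_s(Target.DROP):.0f}s")
    print(f"ident stall with REJECT: {ident_delay_s(Target.REJECT_ICMP):.2f}s")
```

Run it as a script to print the comparison table; the point to take from it is that only DROP costs the remote side a timeout, and that among the explicit replies, `tcp-reset` is the one a client cannot tell apart from a port that simply has nothing bound to it.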
