Security Basics mailing list archives

Re: Iptables Clues and Advices.


From: "Anduine Crow" <anduine () hotmail com>
Date: Fri, 11 Apr 2003 11:29:49 +0000

Vic Ricker <vic () sheetz com> said:

While I personally use DROP, I can see instances where it might not be desirable. In the case where you are trying to connect to remote services that use ident (ftpd, xinetd, postgres, etc.), the use of DROP on port 113 will cause those services to wait for the timeout before allowing your connection. To be fair, my solution has always been to disable ident checks on the remote server since they are pretty much useless. :-)

-Vic

I agree with that; I do use REJECT for 113. I discovered that real early on, when SMTP connections would take a long time to be established. Once you get some firewalling experience, it doesn't take long to determine which ports should be REJECTed or DROPped.

I only posted to this thread because I didn't agree, as someone was alluding to, that DROP was a bad practice and harmful to *legitimate* users. It all depends on your decisions and what you are comfortable with. DROP has its uses, as does REJECT.

This debate is starting to remind me of the "Tomato, tomato" thing...
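As an added illustration (not part of this thread or anyone's post in it), here is a minimal RFC 1413 ident client with timing, showing why a DROPped port 113 makes an ident-checking daemon (sendmail, ftpd, xinetd) wait out its timeout, while a REJECT with TCP reset fails instantly. The silent listener and the port numbers are constructed stand-ins; the iptables rule in the comment is the one the thread converges on.

```python
"""Added example: time an ident (port 113) lookup the way an ident-aware
server does.  The rule the thread settles on for a host that has no identd is

    iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

so the querying daemon gets an RST at once instead of hanging on a DROP."""
import socket
import threading
import time


def ident_lookup(host, port, server_port, client_port, timeout=2.0):
    """Query host:port as an ident-checking daemon would.

    Returns (status, elapsed_seconds).  status is "refused" when the peer
    answers with RST (what REJECT --reject-with tcp-reset produces),
    "timeout" when nothing comes back within `timeout` (the DROP case),
    or the raw ident reply line on success.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            data = s.recv(512)
            return data.decode("ascii", "replace").strip(), time.monotonic() - start
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start
    except socket.timeout:
        return "timeout", time.monotonic() - start


def silent_listener():
    """Constructed stand-in for a firewall that swallows traffic: accepts the
    TCP connection but never answers the ident query, so the caller waits out
    its whole timeout, just as it would against a DROP rule.  Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        time.sleep(5)  # hold the connection open past the client's timeout
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Pick a loopback port nothing listens on (the RST / REJECT case)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Against the closed port the lookup returns "refused" in milliseconds; against the silent listener it returns "timeout" only after the full timeout has elapsed.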



