Security Basics mailing list archives
Re: Iptables Clues and Advices.
From: "Anduine Crow" <anduine () hotmail com>
Date: Fri, 11 Apr 2003 11:29:49 +0000
Vic Ricker <vic () sheetz com> said:
> While I personally use DROP, I can see instances where it might not be desirable. In the case where you are trying to connect to remote services that use ident (ftpd, xinetd, postgres, etc.), the use of DROP on port 113 will cause those services to wait for the timeout before allowing your connection. To be fair, my solution has always been to disable ident checks on the remote server since they are pretty much useless. :-)
> -Vic
I agree with that, I do use REJECT for 113, I discovered that real early on when SMTP connections would take a long time to be established. Once you get some firewalling experience, it doesn't take long to determine which ports should be REJECTed or DROPped.
I only posted to this thread because I didn't agree, as someone was alluding to, that DROP was a bad practice and harmful to *legitimate* users. It all depends on your decisions and what you are comfortable with. DROP has its uses as does REJECT.
This debate is starting to remind me of the "Tomato, tomato" thing...
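The ident timeout discussed in this message, as an added example that is not part of the original post: a Python check an administrator can run against their own host to see whether port 113 answers at once (REJECT or a closed port) or stays silent until the timeout (DROP), which is the delay a remote ident lookup would sit through. The names `probe_ident` and `closed_loopback_port` are hypothetical, and the demo target is a constructed closed port on loopback.

```python
import errno
import socket
import time


def probe_ident(host, port=113, timeout=3.0):
    """Classify how `host` answers a TCP connect to the ident port.

    Returns (verdict, seconds):
      'rejected' - an error came straight back (REJECT rule or closed port)
      'dropped'  - nothing came back before `timeout` (DROP rule)
      'open'     - something accepted the connection
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"
    except socket.timeout:
        verdict = "dropped"
    except ConnectionRefusedError:
        verdict = "rejected"
    except OSError as exc:
        # Some ICMP reject types surface as "unreachable" rather than "refused".
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            verdict = "rejected"
        else:
            raise
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def closed_loopback_port():
    """Constructed test target: a loopback port that nothing listens on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # A closed loopback port answers with a reset, like REJECT with tcp-reset.
    verdict, secs = probe_ident("127.0.0.1", closed_loopback_port())
    print(f"{verdict} after {secs:.3f}s")
```

Pointed at a host that DROPs port 113, the same call returns `dropped` only after the full `timeout`, which is the wait the remote service imposes on the connection.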