On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:

> I would also get rid of the REJECT targets. It's better to DROP
> instead. If someone is scanning the network, and you start sending icmp
> rejections back, they will know you are there and may try other
> techniques to break through your defenses, but if you DROP and send
> nothing back, it will be much harder for them to see you at all.

While all that is correct, I would also consider it "bad network behavior" (no offense intended). It feels like "security through obscurity". It may hamper the proper working of a TCP/IP network, as that relies heavily on ICMP. Probably it will never be a problem for you, but it could be a problem for a network administrator.

Also: if you wish to scan (nmap) yourself to check your system (configuration), you'll wish for REJECT instead of DROP :)

On a (not so) different topic: If you're going to make your firewall more complex (more services, or other stuff), I'd suggest using a widely used firewall script. That is more secure than writing your own firewall configuration, because in the long run it will be better maintainable (and they often also do "smart stuff(TM)" ;)

My recommendation is "net-firewall/shorewall". It has a well balanced abstraction/granularity-ratio, and the produced iptables rules are still readable :)

Bye,
Daniel

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
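As an added illustration of the REJECT-versus-DROP choice and of the shorewall layout Daniel recommends (this is not configuration from either poster), here is a minimal single-host shorewall setup in 4.x syntax. It assumes the Internet-facing interface is eth0 and that SSH is the only service the host offers; the ICMP handling is what keeps the "network relies on ICMP" concern from biting.

```conf
# /etc/shorewall/zones  (assumed: just this host and the Internet)
#ZONE   TYPE
fw      firewall
net     ipv4

# /etc/shorewall/interfaces  (eth0 is an assumed interface name)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy
# Applies to anything not matched in 'rules'. shorewall's REJECT sends
# an ICMP port-unreachable for UDP and a TCP RST for TCP, so peers (and
# your own nmap checks) fail fast instead of hanging until a timeout.
# Swapping the second line for "net  $FW  DROP  info" gives the silent
# behaviour Chris prefers; everything else stays the same.
#SOURCE DEST    POLICY  LOG_LEVEL
$FW     net     ACCEPT
net     $FW     REJECT  info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION         SOURCE  DEST    PROTO   DEST_PORT(S)
SECTION NEW
# The one service this host actually offers.
ACCEPT          net     $FW     tcp     22
# Keep ICMP usable: answer echo requests, and admit destination-
# unreachable (type 3, includes fragmentation-needed for path-MTU
# discovery) and time-exceeded (type 11). For ICMP, the port column
# holds the ICMP type. Errors tied to tracked connections are already
# let through as RELATED; this covers the remaining cases.
Ping(ACCEPT)    net     $FW
ACCEPT          net     $FW     icmp    3,11
```

After editing, `shorewall check` validates the files and `shorewall show` prints the generated iptables rules, which is where the readability Daniel mentions can be judged directly.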