From: Daniel Troeder <daniel@admin-box.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Is this firewall safe?
Date: Fri, 24 Apr 2009 21:38:41 +0200 [thread overview]
Message-ID: <1240601921.13872.131.camel@mayo.local> (raw)
In-Reply-To: <93d30e950904241140u4b671695l2e7a60a427388491@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1472 bytes --]
On Fri, 2009-04-24 at 18:40 +0000, Marco wrote:
> On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder <daniel@admin-box.com> wrote:
> > On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
> [...]
> > While all that is correct, I would also consider it "bad network
> > behavior" (no offense intended).
>
> So you consider my 'reject-with' settings to be good practice?
Yes :)
> > It feels like "security through obscurity". It may hamper the
> > well-working of a TCP/IP network, as that relies heavily on ICMP.
>
> I was not really sure how to configure ICMP (ping) correctly. Any
> input appreciated!
That is really difficult, because ICMP is a family of lots of protocols,
from which ping is just one. Others are important too, like telling
routers/hosts about network congestion, and so on... I don't feel
competent enough to give directions. I do always allow ping, as this is
needed in a server environment to check for uptime, but your case may be
different.
> > Also: if you wish to scan (nmap) yourself to check your system
> > (configuration), you'll wish for REJECT instead of DROP :)
>
> You mean as the default policy?
Yes, and also everywhere you use DROP. It's just, that you'll have to
wait less for timeouts, when connecting to a closed port.
If you decide to go with DROP, then you could make it globally
switchable in your script, to change between testing and production
environment/situation.
Bye,
Daniel
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]
next prev parent reply other threads:[~2009-04-24 19:38 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-04-24 15:28 [gentoo-user] Is this firewall safe? Marco
2009-04-24 16:59 ` Eric Martin
2009-04-24 17:53 ` Marco
2009-04-27 19:35 ` Eric Martin
2009-04-24 17:00 ` Chris Frederick
2009-04-24 17:05 ` Hazen Valliant-Saunders
2009-04-24 18:20 ` Marco
2009-04-24 17:23 ` Daniel Troeder
2009-04-24 18:40 ` Marco
2009-04-24 19:38 ` Daniel Troeder [this message]
2009-04-24 21:28 ` Chris Frederick
2009-04-27 18:56 ` Daniel Troeder
2009-04-27 20:03 ` Alan McKinnon
2009-04-24 18:18 ` Marco
2009-04-24 18:26 ` Marco
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1240601921.13872.131.camel@mayo.local \
--to=daniel@admin-box.com \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox