| 1 |
Quoting "Thomas T. Veldhouse" <veldy@×××××.net>: |
| 2 |
> > In "closing" ports, one has the option - nay one is recommended - to |
| 3 |
> > use the "DROP" target which has the desired effect of which you speak. |
| 4 |
> |
| 5 |
> It is probably a very good idea to actually REJECT ident (113/tcp) lookups |
| 6 |
> rather than drop them. It is very common to have reverse ident lookups do |
| 7 |
> to your activity, and a DROP will cause a delay that is not needed. This |
| 8 |
> particular item is normal and not a security concern in and of itself. As a |
| 9 |
> matter of fact, it is so common, it is good to not even log it. |
| 10 |
|
| 11 |
Good advice. I will heed it. |
| 12 |
|
| 13 |
So, accept 113/tcp and ICMP packets. Anything else? Oh, a judicious use of |
| 14 |
"--limit" may also be a good idea. |
| 15 |
|
| 16 |
dreamwolf |
| 17 |
|
| 18 |
-- |
| 19 |
gentoo-security@g.o mailing list |
Archives