Gentoo Archives: gentoo-security

From: "Thomas T. Veldhouse" <veldy@×××××.net>
To: Mickey Mullin <mickey@×××××××××.us>, gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Thu, 08 Jan 2004 14:18:05
Message-Id: 004001c3d5f1$b5df97f0$d037630a@nic.target.com
In Reply to: Re: [gentoo-security] firewall suggestions? by Mickey Mullin
Mickey Mullin wrote:
> If by "firewall," you mean an application(Process ID?)-specific
> Internet security tool, then you may well have identified an as-yet
> unfulfilled need. If you only mean to imply greater security in that
> connection attempts to closed ports appear invisible, then iptables
> already does that.
>
> In "closing" ports, one has the option - nay one is recommended - to
> use the "DROP" target which has the desired effect of which you speak.
> (Unwanted packets are simply and silently dropped upon the proverbial
> floor.) There are, of course, cases where using, say, "REJECT" may be
> preferred - most notably if one is using one's Linux box to do some
> true grit routing (as when using multiple Internet service
> providers). In those cases, if a neighboring router is trying to
> pass packets *through* one's area, one wants to let one's neighbor
> know as soon as possible that it should look elsewhere.
>
> dreamwolf

It is probably a very good idea to actually REJECT ident (113/tcp) lookups
rather than drop them. It is very common to have reverse ident lookups due
to your activity, and a DROP will cause a delay that is not needed. This
particular item is normal and not a security concern in and of itself. As a
matter of fact, it is so common, it is good to not even log it.

Tom Veldhouse


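As an added example (not part of this thread), the ruleset below puts the two replies together in iptables-restore format: inbound ident (113/tcp) gets a REJECT with a TCP reset and is kept out of the log, while all other unsolicited inbound packets are silently DROPped by the chain policy. It assumes eth0 is the Internet-facing interface and ssh on 22/tcp is the only service meant to be reachable.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset that REJECTs ident
# with a TCP RST (no log entry) and DROPs everything else unsolicited.
# Assumptions: eth0 faces the Internet, 22/tcp is the only exposed service.
# Review the output, then load it with:  build_ruleset | iptables-restore

WAN_IF="${WAN_IF:-eth0}"

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections we opened ourselves
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The one service we intend to offer
-A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Reverse ident lookups triggered by our own outbound connections (IRC,
# SMTP, ...): answer with an RST so the remote side gives up at once
# instead of waiting out a timeout, and do not log it; it is expected noise.
-A INPUT -i $WAN_IF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Log a rate-limited sample of anything else, then the DROP policy eats it
-A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Exit 0 if the ruleset answers ident with a TCP reset, 1 otherwise
rejects_ident() {
    build_ruleset | grep -q -- '--dport 113 -j REJECT --reject-with tcp-reset'
}

# Exit 0 if the INPUT chain defaults to a silent DROP
default_drops() {
    build_ruleset | grep -q '^:INPUT DROP'
}

# Exit 0 if the ident REJECT precedes the LOG rule, so ident is never logged
ident_unlogged() {
    reject_line=$(build_ruleset | grep -n -- '--dport 113' | cut -d: -f1)
    log_line=$(build_ruleset | grep -n -- '-j LOG' | cut -d: -f1)
    [ "$reject_line" -lt "$log_line" ]
}

if [ "${1:-}" = "--show" ]; then
    build_ruleset
fi
```

Run with `--show` to print the ruleset for review before feeding it to iptables-restore.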
--
gentoo-security@g.o mailing list