Gentoo Archives: gentoo-security

From: "Thomas T. Veldhouse" <veldy@×××××.net>
To: Mickey Mullin <mickey@×××××××××.us>, gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Thu, 08 Jan 2004 14:18:05
Message-Id: 004001c3d5f1$b5df97f0$d037630a@nic.target.com
In Reply to: Re: [gentoo-security] firewall suggestions? by Mickey Mullin
Mickey Mullin wrote:
> If by "firewall," you mean an application(Process ID?)-specific > Internet security tool, then you may well have identified an as-yet > unfulfilled need. If you only mean to imply greater security in that > connection attempts to closed ports appear invisible, then iptables > aready does that. > > In "closing" ports, one has the option - nay one is recommended - to > use the "DROP" target which has the desired effect of which you speak. > (Unwanted packets are simply and silently dropped upon the proverbial > floor.) There are, of course, cases where using, say, "REJECT" may be > prefered - most notably if one is using one's Linux box to do some > true grit routing (as when using multiple Internet service > providers). In those cases, if a neighboring router is trying to > pass packets *through* one's area, one wants to let one's neighbor > know as soon as possible > that it should look elsewhere. > > dreamwolf
It is probably a very good idea to actually REJECT ident (113/tcp) lookups rather than drop them. It is very common to have reverse ident lookups do to your activity, and a DROP will cause a delay that is not needed. This particular item is normal and not a security concern in and of itself. As a matter of fact, it is so common, it is good to not even log it. Tom Veldhouse -- gentoo-security@g.o mailing list