Mickey Mullin wrote:

> If by "firewall," you mean an application(Process ID?)-specific
> Internet security tool, then you may well have identified an as-yet
> unfulfilled need. If you only mean to imply greater security in that
> connection attempts to closed ports appear invisible, then iptables
> already does that.
>
> In "closing" ports, one has the option - nay one is recommended - to
> use the "DROP" target which has the desired effect of which you speak.
> (Unwanted packets are simply and silently dropped upon the proverbial
> floor.) There are, of course, cases where using, say, "REJECT" may be
> preferred - most notably if one is using one's Linux box to do some
> true grit routing (as when using multiple Internet service
> providers). In those cases, if a neighboring router is trying to
> pass packets *through* one's area, one wants to let one's neighbor
> know as soon as possible that it should look elsewhere.
>
> dreamwolf

It is probably a very good idea to actually REJECT ident (113/tcp) lookups
rather than drop them. It is very common to have reverse ident lookups due
to your activity, and a DROP will cause a delay that is not needed. This
particular item is normal and not a security concern in and of itself. As a
matter of fact, it is so common, it is good to not even log it.

Tom Veldhouse
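As an added example (not code from this thread or from Gentoo), here is a minimal INPUT chain in the spirit of both posts: a silent DROP default, with ident (113/tcp) answered immediately by a TCP reset and left unlogged. It assumes a standard iptables binary (the IPT variable is an assumption); dry-run mode only prints the commands, so the policy can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables INPUT policy that silently
# DROPs unsolicited traffic (as dreamwolf recommends) but answers ident
# (113/tcp) with a TCP RST, so servers doing reverse ident lookups fail
# right away instead of waiting out a timeout (Tom's point).
# Assumes the iptables CLI; "dry" prints the commands, "apply" needs root.

IPT="${IPT:-iptables}"   # assumption: iptables binary name/path
DRY_RUN=0

# run: apply one iptables command, or print it in dry-run mode
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$IPT $*"
  else
    "$IPT" "$@"
  fi
}

apply_rules() {
  run -F INPUT
  run -A INPUT -i lo -j ACCEPT
  run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # ident: reply with RST right away and do not log it (far too common)
  run -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  # anything else: rate-limited log, then the default policy drops it
  run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
  run -P INPUT DROP
}

# dry_run_rules: emit the rule set without touching the kernel
dry_run_rules() {
  ( DRY_RUN=1; apply_rules )
}

# ident_rule: the single rule that handles ident, for checking the policy
ident_rule() {
  dry_run_rules | grep -- '--dport 113'
}

if [ "${1:-}" = "dry" ]; then dry_run_rules; elif [ "${1:-}" = "apply" ]; then apply_rules; fi
```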

--
gentoo-security@g.o mailing list