List Archive: gentoo-security
Mark Hurst wrote:
> It's much better to have a firewall than just have ports not open. Even
> though a port is not open it can reveal the presence of your machine by
> the manner in which the IP stack responds to a connection attempt. Using a
> firewall you can drop those packets, making all your closed ports
If by "firewall," you mean an application (Process ID?)-specific Internet
security tool, then you may well have identified an as-yet unfulfilled
need. If you only mean to imply greater security in that connection
attempts to closed ports appear invisible, then iptables already does that.
In "closing" ports, one has the option - nay one is recommended - to use
the "DROP" target which has the desired effect of which you speak.
(Unwanted packets are simply and silently dropped upon the proverbial
floor.) There are, of course, cases where using, say, "REJECT" may be
preferred - most notably if one is using one's Linux box to do some true
grit routing (as when using multiple Internet service providers). In
those cases, if a neighboring router is trying to pass packets *through*
one's area, one wants to let one's neighbor know as soon as possible
that it should look elsewhere.
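As an added example (not part of the thread or of any poster's configuration), here is an iptables-restore ruleset that puts the DROP-versus-REJECT choice above into practice: closed ports on the Internet-facing side fall through to a DROP policy and give a prober nothing, while transit traffic the box will not forward gets an explicit REJECT so a neighbouring router learns immediately to route elsewhere. The interface names eth0 (WAN) and eth1 (LAN) and the single exposed SSH service are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: eth0 faces the Internet,
# eth1 faces the LAN, and this box forwards traffic between them.
# The ruleset is generated as text first so it can be reviewed, then loaded
# atomically with iptables-restore.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# Emit the ruleset on stdout in iptables-restore format.
build_ruleset() {
    cat <<EOF
*filter
# Default policies: anything not explicitly accepted is silently discarded,
# so probes of closed ports on the WAN side get no response at all.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback and already-established flows.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# The one service deliberately exposed on the WAN side (assumed: SSH).
-A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# Hosts on the LAN may reach the box freely.
-A INPUT -i $LAN_IF -j ACCEPT

# Transit traffic from the LAN out to the Internet is forwarded.
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT

# Routing case from the thread: a neighbouring router trying to push traffic
# *through* this box that we will not carry gets an immediate ICMP
# unreachable, so it can reroute instead of waiting for timeouts.
-A FORWARD -i $WAN_IF -j REJECT --reject-with icmp-net-unreachable

# Everything else arriving on the WAN side is dropped; the policy already
# does this, the explicit rule just makes the choice visible in listings.
-A INPUT -i $WAN_IF -j DROP
COMMIT
EOF
}

# Count rules by target so a reviewer can see which treatment each path gets.
count_target() {
    build_ruleset | grep -c -- "-j $1"
}

# Load the ruleset. iptables-restore rejects the whole file if any line is
# malformed, which is why it is generated and checked before being applied.
apply_ruleset() {
    build_ruleset | iptables-restore
}

# Usage:
#   sh firewall.sh         -> print the ruleset for review
#   sh firewall.sh apply   -> load it (requires root)
case "${1:-show}" in
    apply) apply_ruleset ;;
    show)  build_ruleset ;;
esac
```

Run it without arguments first and read the output; only `apply` touches the live tables. The REJECT rule sits in FORWARD rather than INPUT on purpose: it answers routers sending transit traffic, while direct probes of the box itself still meet silence.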