List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
* Mark Hurst <mark@...> 8. Jan 04
> It's much better to have a firewall than just have ports not open. Even
> though a port is not open it can reveal the presence of your machine by
> the manner in which the IP stack responds to a connection attempt. Using a
> firewall you can drop those packets, making all your closed ports
Sorry, but this is completely nonsense. You should always use the
REJECT target. To simply drop pakets is contrary the standards and
hampers net traffic. If you don't want to talk to me, say so. Simply
remain silent and let me wait is very unpolite.
And in fact you gain no security in 'hiding' your machine by dropping
pakets. If somebody 'tests' your machine and it's off the net, he will
get a ICMP host unreachable from your gataway. If he doesn't get any
answer, he knows, that it is online and there is an braindead root in
front of this machine, knowing nothing about IP, but playing with his
filter, so let's see, if it's mis-configured box maybe has an telnet
open or any other broken services he wasn't able to unbound from
DROP is rarely useful to remove damaged pakets or in combination with
the -m --limit condition to prevent some DoS atacks or.
Thou shallth not use thy DROP targeth (mostly),
email@example.com mailing list