Quoting "Thomas T. Veldhouse" <veldy@×××××.net>:
> > In "closing" ports, one has the option - nay one is recommended - to
> > use the "DROP" target which has the desired effect of which you speak.
>
> It is probably a very good idea to actually REJECT ident (113/tcp) lookups
> rather than drop them. It is very common to have reverse ident lookups due
> to your activity, and a DROP will cause a delay that is not needed. This
> particular item is normal and not a security concern in and of itself. As a
> matter of fact, it is so common, it is good to not even log it.

Good advice. I will heed it.

So, accept 113/tcp and ICMP packets. Anything else? Oh, a judicious use of
"--limit" may also be a good idea.

dreamwolf

--
gentoo-security@g.o mailing list