List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
Mickey Mullin wrote:
> If by "firewall," you mean an application(Process ID?)-specific
> Internet security tool, then you may well have identified an as-yet
> unfulfilled need. If you only mean to imply greater security in that
> connection attempts to closed ports appear invisible, then iptables
> aready does that.
> In "closing" ports, one has the option - nay one is recommended - to
> use the "DROP" target which has the desired effect of which you speak.
> (Unwanted packets are simply and silently dropped upon the proverbial
> floor.) There are, of course, cases where using, say, "REJECT" may be
> prefered - most notably if one is using one's Linux box to do some
> true grit routing (as when using multiple Internet service
> providers). In those cases, if a neighboring router is trying to
> pass packets *through* one's area, one wants to let one's neighbor
> know as soon as possible
> that it should look elsewhere.
It is probably a very good idea to actually REJECT ident (113/tcp) lookups
rather than drop them. It is very common to have reverse ident lookups do
to your activity, and a DROP will cause a delay that is not needed. This
particular item is normal and not a security concern in and of itself. As a
matter of fact, it is so common, it is good to not even log it.
email@example.com mailing list