Gentoo Archives: gentoo-security

From: Frank Gruellich <frank@××××××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Fri, 09 Jan 2004 10:46:08
In Reply to: Re: [gentoo-security] firewall suggestions? by Roman Kennke
* Roman Kennke <roman@××××××××××××.com>  9. Jan 04
> > From the technical aspect not to answer to a request is not the
> > right behaviour of a device conform to RFCs.
> What about a compromise like this: In general allow RFC-compliant
> traffic, but tightly control REJECTs and some ICMP traffic with --limit
> and DROP the rest, this should help a lot against DoS (if this is at all
> possible with REJECTs).

You get my full acknowledgement for this. More generally, I would restate
that you MUST[1] conform to RFCs as long as your communication partner
does. If (s)he offends standards (say: repeatedly ignoring ICMP errors),
you MAY[1] leave standards for this host, too. Can we reach this agreement?

Regards, Frank.

===footnote===
[1] in the way another RFC defines this word

--
Sigmentation fault

--
gentoo-security@g.o mailing list
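
Added example, not part of the original thread: a simplified token-bucket model of the compromise discussed above (answer unwanted traffic with REJECT up to a rate limit, DROP the rest), comparing a well-behaved peer with a flood. The 10/second rate, the burst of 20 and the names `LimitMatch`, `filter_unwanted` and `constant_rate` are assumptions made for illustration; the model approximates iptables' `-m limit` match and is not its kernel implementation.

```python
"""Model of "rate-limited REJECT, then DROP" for unwanted packets.

Rules of the shape being modelled (illustrative values, placed after the
ACCEPT rules of a chain):
  iptables -A INPUT -m limit --limit 10/second --limit-burst 20 -j REJECT
  iptables -A INPUT -j DROP
"""


class LimitMatch:
    """Simplified token bucket: starts full at `burst`, refills at `rate`/s."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def matches(self, now):
        # Refill for the elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0  # this packet uses one credit and matches
            return True
        return False  # no credit left: packet falls through to the next rule


def filter_unwanted(arrival_times, rate_per_sec=10, burst=20):
    """Return how many packets were answered (REJECT) or silently dropped."""
    limit = LimitMatch(rate_per_sec, burst)
    verdicts = {"REJECT": 0, "DROP": 0}
    for t in arrival_times:
        verdicts["REJECT" if limit.matches(t) else "DROP"] += 1
    return verdicts


def constant_rate(pps, seconds):
    """Constructed sample input: evenly spaced arrival times in seconds."""
    return [i / pps for i in range(int(pps * seconds))]


if __name__ == "__main__":
    for label, pps in (("polite peer, 2 pkt/s", 2), ("flood, 5000 pkt/s", 5000)):
        print(label, filter_unwanted(constant_rate(pps, 10)))
```

The polite peer gets an RFC-conformant answer to every packet, while the number of replies sent during the flood stays bounded by the burst plus the rate times the duration, whatever the inbound packet rate.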