Security Basics mailing list archives

Re: Iptables Clues and Advices.


From: "Salvatore Poliandro" <jello () vanished net>
Date: Wed, 9 Apr 2003 17:10:48 -0400

Howdy,
In my past I have used a combo of DROP and REJECT.  I use DROP on the ports
that NSS looks for valid servers (tcp ports 21, 80; icmp ping; etc.) and
REJECT on the high ports. My firewall is constantly being tweaked and I have
not had a problem with an attack yet.  It's successfully combated a
slew of DDoS attacks, and remains hidden from a lot of NSS's.

Sal
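An added illustration of the DROP/REJECT split Sal describes, not code from the thread: a small model of an iptables chain (first match wins, chain policy as the fallback) and of how a TCP SYN scanner records each port. The rule set, the port numbers, the set of listening services and the probe timeout are all constructed; the scanner's classification (SYN/ACK means open, RST means closed, an ICMP unreachable or no reply means filtered) follows what nmap's documentation gives for a SYN scan, and the `tcp-reset` variant of REJECT is iptables' `--reject-with tcp-reset` option rather than its default ICMP port-unreachable.

```python
# Model of what a SYN scanner sees when a firewall DROPs vs REJECTs a probe.
# Added example, not from the mailing-list thread; rule set, ports, listening
# services and timeout value are constructed.  Scanner states follow the
# classification nmap documents for a SYN scan.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    proto: str                  # "tcp" or "icmp"
    dport: Optional[int]        # None matches any destination port
    target: str                 # "ACCEPT", "DROP" or "REJECT"
    reject_with: str = "icmp-port-unreachable"   # iptables' default for REJECT


# Constructed chain mirroring the split from the thread: silent DROP on the
# service ports scanners probe and on ping, REJECT on everything else.
RULES = [
    Rule("tcp", 22, "ACCEPT"),
    Rule("tcp", 80, "ACCEPT"),
    Rule("tcp", 21, "DROP"),
    Rule("icmp", None, "DROP"),
    Rule("tcp", 8080, "REJECT", reject_with="tcp-reset"),   # RST instead of ICMP
]
POLICY = Rule("tcp", None, "REJECT")   # chain policy: high ports get an ICMP error

LISTENING = {22, 80}                   # constructed: services actually bound
PROBE_TIMEOUT_S = 1.0                  # constructed: scanner wait before giving up


def lookup(proto, dport, rules=RULES):
    """First matching rule wins, as in an iptables chain; policy otherwise."""
    for r in rules:
        if r.proto == proto and (r.dport is None or r.dport == dport):
            return r
    return POLICY


def host_reply(rule, dport):
    """What leaves the host for one TCP SYN probe (None = silence)."""
    if rule.target == "DROP":
        return None
    if rule.target == "REJECT":
        return "tcp-rst" if rule.reject_with == "tcp-reset" else "icmp-unreachable"
    # ACCEPT: the kernel stack answers, SYN/ACK if something listens, else RST
    return "syn-ack" if dport in LISTENING else "tcp-rst"


def scanner_view(dport):
    """Return (state, seconds_spent) as a SYN scanner would record them."""
    reply = host_reply(lookup("tcp", dport), dport)
    if reply == "syn-ack":
        return "open", 0.0
    if reply == "tcp-rst":
        return "closed", 0.0
    if reply == "icmp-unreachable":
        return "filtered", 0.0          # same label as DROP, but no waiting
    return "filtered", PROBE_TIMEOUT_S  # silence: scanner burns its timeout


def scan(ports):
    """Scan a list of ports; returns ({port: state}, total seconds waited)."""
    results, waited = {}, 0.0
    for p in ports:
        state, t = scanner_view(p)
        results[p] = state
        waited += t
    return results, waited


if __name__ == "__main__":
    res, t = scan([21, 22, 80, 8080, 31337])
    for p, s in res.items():
        print(f"{p:>5}/tcp {s}")
    print(f"time lost to silent drops: {t:.1f}s")
```

Running it shows the trade-off the thread is arguing about: port 21 (DROP) and port 31337 (default REJECT) both come back as "filtered", but only the DROP costs the scanner a timeout, while the `tcp-reset` REJECT on 8080 reads as a plain "closed" port, indistinguishable from a host with no firewall at all.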


Hi,

For all the folks who illusion that DROP is more secure than REJECT, I
submit the following:

http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

I'm not agreeing or disagreeing with you right now, but I don't think
I'd use this as proof that REJECT is a better option than DROP.  I
think the statements made on that web page need to be backed up
with some examples and proof.  Anyone can theorize what some
scanners can and can't do and how they would react to certain
firewall filtering rules.

Steve

-------------------------------------------------------------------
Is SPAM over-loading your e-mail server, disk space or bandwidth?
SurfControl E-Mail Filter is flexible, intelligent and policy-driven
protection.
http://www.securityfocus.com/SurfControl-security-basics2
Download your free fully functional trial, complete with 30-days of free
technical support.
Stop SPAM before it stops you.
-------------------------------------------------------------------