On Sun, Apr 22, 2007 at 10:38:42PM -0400, Jim Hyslop wrote:
> Franck Joncourt wrote:
> > I do not think the same way you do. If you are not running any servers,
> > except ssh
>
> I never said that. I said that ssh is the only port forwarded from the
> firewall to the machine. The machine is used internally for various
> services (intranet, CVS, DHCP, and a few others).
>
> Hmmmm... does that mean I should really set up two machines, one in a
> DMZ for my ssh services, and the other for my internal services?

It is up to you! I should say I am a bit paranoid about security :p!

> > ? I control traffic for the OUTPUT chain to prevent some backdoors, if
> > there is one, from causing damage to my computer by bypassing normal
> > authentication.
>
> I think I see where you're coming from. I should set up my input and
> output chains to deny everything by default, and explicitly allow
> outgoing connections on whatever services the machine needs or provides.
> Is that what you're getting at?

Yes, this is exactly what I was thinking of when I wrote the first email.

-- 
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
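As an added example (not from this thread), one way to write down the default-deny INPUT and OUTPUT policy the two of them agree on above as an iptables script: ssh is the only service accepted from anywhere, the internal services are accepted from the LAN only, and outbound traffic is limited to an explicit list. The LAN interface, LAN subnet and the set of allowed outbound services are assumptions, not values from the thread.

```shell
#!/bin/sh
# Default-deny INPUT/OUTPUT policy for a host whose only externally reachable
# service is ssh, while still serving a LAN (intranet HTTP, CVS pserver, DHCP).
# Assumed (not from the thread): LAN interface eth0, LAN subnet 192.168.1.0/24,
# and the outbound services listed under "allowed outbound".
# IPT defaults to the real iptables binary; set IPT="echo iptables" to print
# the rule set instead of applying it (used by count_rules for a dry run).
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"

apply_policy() {
    $IPT -F
    $IPT -X
    # Default policies: nothing in, nothing out, nothing through.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Loopback is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies belonging to connections accepted by the rules below.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound from anywhere: ssh only (the port the firewall forwards).
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Inbound from the LAN only: intranet web, CVS pserver, DHCP requests.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 2401 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    # Allowed outbound (assumed list): DNS, NTP, HTTP/HTTPS for package updates.
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # DHCP offers/acks back to LAN clients (sent from port 67).
    $IPT -A OUTPUT -o "$LAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT
    # Rate-limited log of whatever is about to hit the default DROP, so an
    # unexpected outbound attempt by a compromised process shows up in syslog.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
}

# Dry run in a subshell: count the rules that would be installed.
count_rules() {
    ( IPT="echo iptables"; apply_policy ) | grep -c ' -A '
}
```

Run `count_rules` (or `IPT="echo iptables" sh -c '. ./fw.sh; apply_policy'`) to review the generated rule set before applying it with root privileges.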