On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
> I would also get rid of the REJECT targets.  It's better to DROP
> instead.  If someone is scanning the network, and you start sending ICMP
> rejections back, they will know you are there and may try other
> techniques to break through your defenses, but if you DROP and send
> nothing back, it will be much harder for them to see you at all.
While all that is correct, I would also consider it "bad network
behavior" (no offense intended).

It feels like "security through obscurity". It may hamper the proper
working of a TCP/IP network, as that relies heavily on ICMP.

Probably it will never be a problem for you, but it could be a problem
for a network administrator.

Also: if you wish to scan (nmap) yourself to check your system
(configuration), you'll wish for REJECT instead of DROP :)

On a (not so) different topic:
If you're going to make your firewall more complex (more services, or
other stuff), I'd suggest using a widely used firewall script. That is
more secure than writing your own firewall configuration, because in the
long run it will be more maintainable (and they often also do "smart
stuff(TM)" ;)

My recommendation is "net-firewall/shorewall". It has a well-balanced
abstraction/granularity ratio, and the produced iptables rules are still
readable :)

Bye,
Daniel

-- 
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
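The DROP-versus-REJECT choice from the thread, as an added example that is not part of either mail: a POSIX shell script that emits a small iptables-restore ruleset in which the final INPUT rule is either a silent DROP or a REJECT with the protocol-appropriate error, while the ICMP types a TCP/IP network depends on stay accepted in both variants. The allowed port (22) and the rate limit on echo-request are assumptions of the example.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset so the DROP and REJECT
# variants can be compared. Nothing here touches the live firewall; review
# the output, then load it as root with: iptables-restore < rules.v4

# Reject type a remote stack expects: a RST for TCP, ICMP port-unreachable
# otherwise. nmap then reports such ports "closed" instead of "filtered".
reject_with() {
    case "$1" in
        tcp) echo tcp-reset ;;
        *)   echo icmp-port-unreachable ;;
    esac
}

# Final INPUT rule: silently DROP (Chris' suggestion) or REJECT with the
# protocol-appropriate error (Daniel's preference). tcp-reset is only
# valid on a rule that matches TCP, hence the separate -p tcp rule.
closing_rule() {  # arg: DROP or REJECT
    if [ "$1" = REJECT ]; then
        echo "-A INPUT -p tcp -j REJECT --reject-with $(reject_with tcp)"
        echo "-A INPUT -j REJECT --reject-with $(reject_with udp)"
    else
        echo "-A INPUT -j DROP"
    fi
}

# ICMP messages TCP/IP relies on (path-MTU discovery, traceroute, ping);
# accepted regardless of the chosen policy so neither variant breaks them.
essential_icmp() {
    for t in destination-unreachable time-exceeded parameter-problem; do
        echo "-A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
    echo "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"
}

# Whole ruleset in iptables-restore format.
# $1 = DROP or REJECT, remaining args = TCP ports to allow (assumed: 22).
build_ruleset() {
    policy="$1"; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'; echo ':FORWARD DROP [0:0]'; echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    essential_icmp
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    closing_rule "$policy"
    echo COMMIT
}

build_ruleset "${1:-REJECT}" 22
```

Run as `sh fw-rules.sh DROP` or `sh fw-rules.sh REJECT` and diff the two outputs; only the closing rules differ.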
