On Sun, Jul 22, 2012 at 11:53 PM, Brian <a...@cityscape.co.uk> wrote:
> On Sun 22 Jul 2012 at 22:01:50 +0800, lina wrote:
>
>> On Sun, Jul 22, 2012 at 7:32 PM, Brian <a...@cityscape.co.uk> wrote:
>> >
>> > Heaven above knows why you need a firewall. These services are quite
>> > capable of getting on with life without iptables being involved. So are
>> > you.
>>
>> Just today one website I cared about failed to open, certainly it's
>> under attack.
>> I don't know what other people are capable of, I feel they are capable
>> of doing lots of things.
>> Frankly speaking I don't have much energy/channel to arm myself some
>> intense knowledge to meet some potential defense requirement
>> (sometimes I read something, but mainly to forget later.).
>> so the only way I can do now is to understand something very
>> basic, gradually and patiently, perhaps 10 years later,
>> and I don't have some strong security feelings, if something wrong
>> with the laptop, I guess I will unavoidably freak out and at that time
>> definitely some days will waste.
>
> Let's take a look at what you are doing. I'll simplify it a bit but
> hopefully not too much as to distort your intentions.
>
> 1. You have two tcp services which you offer on the network, ssh and a
>    webserver. Other services are available to localhost only. So the
>    only way the outside can communicate with your machine is through
>    ports 22 and 80.
>
> 2. You use iptables to reject all connections. This effectively means
>    the services on ports 22 and 80 become unavailable, which does not
>    suit you.
>
> 3. You now poke two holes in the firewall to reverse what you did in 2.
>
> Now you can consider what you have achieved. Sticking at 1. gives you
> what you have at 3. In what way have you improved security on the machine?

so now is okay?! (if I catch correctly, this firewall actually is
making no big differences here?)

Thanks,

> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/20120722155344.GE7631@desktop
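
The comparison in steps 1 to 3 of the quoted message can be checked mechanically. The following is an added example, not part of either poster's message: it assumes listener data in the format printed by `ss -H -tln` (the sample lines are constructed) and an inbound allow-list of ports 22 and 80, and reports what the filter changes relative to having no filter.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output for the host described in the
# thread: ssh and a web server on all interfaces, everything else on loopback.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
"""

# Assumed policy from the thread: reject everything inbound except 22 and 80.
ALLOWED_IN = {22, 80}


def remote_reachable_ports(ss_text):
    """TCP ports with a listener bound to a non-loopback address."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets, %iface
        if addr != "*" and ipaddress.ip_address(addr).is_loopback:
            continue  # bound to localhost only, not reachable from outside
        ports.add(int(port))
    return ports


def firewall_effect(listening, allowed):
    """What the allow-list changes relative to having no filter at all."""
    return {
        "reachable_without_filter": sorted(listening),
        "reachable_with_filter": sorted(listening & allowed),
        "blocked_by_filter": sorted(listening - allowed),
        "holes_with_no_listener": sorted(allowed - listening),
    }


if __name__ == "__main__":
    for key, value in firewall_effect(remote_reachable_ports(SS_OUTPUT), ALLOWED_IN).items():
        print(f"{key}: {value}")
```

An empty `blocked_by_filter` list means the rule set exposes exactly what the listeners already expose; a non-empty one names the ports where the filter does change reachability.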