On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder <dan...@admin-box.com> wrote:
> On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
[...]
> While all that is correct, I would also consider it "bad network
> behavior" (no offense intended).

So you consider my 'reject-with' settings to be good practice?

> It feels like "security through obscurity". It may hamper the
> proper working of a TCP/IP network, as that relies heavily on ICMP.

I was not really sure how to configure ICMP (ping) correctly. Any input
appreciated!

> Probably it will never be a problem for you, but it could be a problem
> for a network administrator.
>
> Also: if you wish to scan (nmap) yourself to check your system
> (configuration), you'll wish for REJECT instead of DROP :)

You mean as the default policy?

> On a (not so) different topic:
> If you're going to make your firewall more complex (more services, or
> other stuff), I'd suggest using a widely used firewall script. That is
> more secure than writing your own firewall configuration, because in the
> long run it will be better maintainable (and they often also do "smart
> stuff(TM)" ;)
>
> My recommendation is "net-firewall/shorewall". It has a well-balanced
> abstraction/granularity ratio, and the produced iptables rules are still
> readable :)

This is considered to be my learning example. Later I will definitely
consider using shorewall (learning one thing at a time).

Thanks!

--
Regards,
Marco
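The two questions raised in the exchange above, how to let ICMP through without leaving the host silent, and where REJECT with an explicit `--reject-with` belongs versus DROP, can be answered with a small iptables-restore ruleset. The script below is an added example; it is not from either poster, not Marco's own firewall script, and not shorewall output. It assumes IPv4 only, a host that offers SSH on TCP port 22, and that the ruleset is reviewed before being applied (so the function only prints it unless `--apply` is given). Everything else, including the rate limits, is an assumed, reasonable starting point.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate a minimal IPv4
# INPUT policy that keeps the ICMP types a TCP/IP stack relies on, rate-limits
# ping, and answers everything else with an explicit REJECT instead of a
# silent DROP. Assumed: SSH on tcp/22 is the only offered service.

icmp_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP errors the stack needs: path-MTU discovery, unreachables, TTL expiry
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# Answer ping, but cap the rate so a flood cannot tie up the host
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# Offered services (assumed: SSH)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Everything else gets an honest answer: RST for TCP, port-unreachable for
# UDP, proto-unreachable for the rest. Scans and misconfigured clients then
# fail fast instead of waiting for timeouts against a silent DROP.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
EOF
}

# Number of INPUT rules in the generated set (useful as a sanity check
# before applying: 12 with the assumptions above).
count_input_rules() {
    icmp_ruleset | grep -c '^-A INPUT'
}

# Number of INPUT rules that terminate in REJECT rather than DROP.
count_reject_rules() {
    icmp_ruleset | grep -c '^-A INPUT.*-j REJECT'
}

if [ "${1:-}" = "--apply" ]; then
    # Atomic load of the whole table; requires root.
    icmp_ruleset | iptables-restore
else
    icmp_ruleset
fi
```

Run it without arguments to review the ruleset, then `sh firewall.sh --apply` as root. The DROP that still appears for echo-request beyond the limit and for INVALID state is deliberate: those packets are either noise or a flood, and answering them would only amplify the traffic. Everything a legitimate peer might send gets either an ACCEPT or a REJECT that tells it why.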