Thanks to everyone who answered - it was very enlightening.

For the moment, I'm using a set of rules that block all TCP/UDP connections
on ports 1023 and below as well as all TCP SYN connections coming from the
external interface. I like the idea of blocking all incoming UDP except for
the DNS port, but since I'm using masquerading, I don't know a priori what
port I'd need to open - so I'm hoping that the 1023 and below block will be
sufficient.
I'll also be adding a rule to specifically reject all ICMP packets except
for destination-unreachable.

One last question - is it better to use DENY or REJECT?

Thanks!
--
Manuel A. McLure - Unify Corp. Technical Support <[EMAIL PROTECTED]>
Oh! Was I speaking Latin again? Silly me. Sometimes it just slips out.
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
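As an added example (not the original poster's own rule set), here is an ipchains policy matching what is described above: a deny-list on a default-accept input chain, closing ports 0-1023 for TCP and UDP, refusing inbound TCP SYN, and refusing ICMP other than destination-unreachable. It assumes eth0 is the external interface; the rules are emitted by a function so they can be reviewed before being fed to the shell.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the external
# interface is eth0 (override with EXT_IF=...).
EXT_IF="${EXT_IF:-eth0}"

# Print the rules one per line. Nothing is applied here, so the policy can
# be inspected or tested without a live kernel or root privileges.
firewall_rules() {
    cat <<EOF
# Start from a clean input chain; the post relies on a deny-list, so the
# default policy stays ACCEPT and everything not matched below passes.
ipchains -F input
ipchains -P input ACCEPT
# Privileged ports 0-1023 are closed to inbound TCP and UDP on the
# external side. Masqueraded replies (DNS answers included) arrive on
# high ports, so they are unaffected by these two rules.
ipchains -A input -i $EXT_IF -p tcp --destination-port 0:1023 -j DENY
ipchains -A input -i $EXT_IF -p udp --destination-port 0:1023 -j DENY
# No inbound TCP connection attempts: -y matches packets with SYN set and
# ACK/FIN clear, so replies to connections we opened still get through.
ipchains -A input -i $EXT_IF -p tcp -y -j DENY
# ICMP: keep destination-unreachable (needed for path-MTU discovery and
# for learning that a remote port is closed), refuse every other type.
ipchains -A input -i $EXT_IF -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A input -i $EXT_IF -p icmp -j REJECT
EOF
}

# Apply the policy (requires root and an ipchains kernel).
apply_firewall() {
    firewall_rules | sh
}

if [ "${1:-}" = apply ]; then
    apply_firewall
fi
```

In ipchains, DENY drops the matched packet silently, while REJECT drops it and returns an ICMP error to the sender; the rule set above uses REJECT only where the post does, for ICMP.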