On Mon, Jun 03, 2002 at 07:13:17AM -0500, Matthew Hellman wrote:
>
>Looks good. The only other thing I'd do is change your default OUTPUT
>policy to DROP and add this:
>iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
>There was a recent bug in the iptables code that had some security
>implications (information disclosure), but I don't recall the details at the
>moment. The suggestion was to drop INVALID output, which this does.

I think I heard about that, disclosing LAN IPs? I didn't really pay attention
at the time, thanks, it's fixed now.

// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
File, Print, DB and DNS Servers.            http://www.galis.org/george
