This is my setup as well.

Drop all unwanted packets and reject ident.

On Wed, Jul 02, 2003 at 12:45:10AM +1000, Malcolm V wrote:
> On Mon, 2003-06-30 at 11:56, Alan L Tyree wrote:
> <snipped>
> > I would be interested in hearing opinions. I have everything possible
> > set to "drop" - influenced by the scan sites such as GRC and Sygate.
> > They seem to imply that dropping is better than rejecting. Bering
> > defaults had everything dropped except for the IDENT port.
> 
> I drop everything, but I made the exception for the IDENT port, but only
> for the mail servers I pop. Some mail servers attempt an ident when a
> POP session is started, and dropping this attempt means waiting for the
> query to time out; rejecting it ensures the POP session continues
> promptly.
> 
> Poorly made port scanners will also be delayed by dropping as they must
> time out each port connection; if each connection is rejected the scan
> can be done much faster.
> 
> Cheers,
> Malcolm V.
> 
> -- 
> SLUG - Sydney Linux User's Group - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug
> 
