open ports
Alexander Skwar
listen at alexander.skwar.name
Sun Sep 3 14:54:28 UTC 2006
· Gabriel M Dragffy <dragffy at yandex.ru>:
> If you want your machine to be invisible by dropping all packets
> instead of rejecting them,
By doing so, your machine is *VERY* visible. There's no such
thing as an invisible machine on the Internet.
Dropping packets is close to never a good suggestion. Rejecting
packets might be worthwhile, though. But for this, a packet
filter isn't needed.
> I recommend firehol. Install it and edit
> firehol.conf. You probably want something like:
>
> interface eth+ internet
> client all accept
> protection strong 10/sec 10
> policy deny
> server ssh accept
>
> and that's it, it'll keep your ssh open to the outside world.
Hm - the same can be gained by not opening any ports in the
first place. And the less software used, the better.
Alexander Skwar
--
The wonderful thing about a dancing bear is not how well he dances,
but that he dances at all.