About my Firewall Settings - I would like an opinion

Sam Kuper sam.kuper at uclmail.net
Mon Nov 10 19:43:27 UTC 2008


2008/11/10 Sam Kuper <sam.kuper at uclmail.net>

> By using REJECT instead of DROP, you have no stealth. This means you can be
> port-scanned to look for weaknesses, e.g. unpatched OpenSSH vulnerabilities,
> etc.
>

That said, if SSH traffic is blocked, an OpenSSH vuln. might not be
significant. If you're allowing any inbound traffic, though, any unpatched
flaws in the app servicing that inbound traffic could expose your system to
attack.

Also, by REJECTing rather than DROPping, you might be more vulnerable to DoS
attacks. Consider using a default (LOG and) DROP policy instead. Michael
Rash's site (www.cipherdyne.org) has some good resources for learning about
this and implementing it.
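As an added illustration of the "default (LOG and) DROP" policy the post recommends, not code from the thread: a POSIX shell script that emits an iptables-restore ruleset with a rate-limited LOG rule followed by a silent DROP policy, next to the REJECT-based variant it replaces. It assumes SSH on tcp/22 is the one intentionally exposed service and that the stock Ubuntu conntrack, limit and LOG extensions are available; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post. Builds an iptables
# ruleset (iptables-restore format) so it can be reviewed before loading.
# Assumes: SSH on tcp/22 is the only service meant to be reachable, and the
# conntrack, limit and LOG extensions exist (true on stock Ubuntu kernels).

gen_ruleset() {
    # $1: policy for unmatched inbound packets. The post argues for DROP:
    # no reply goes out, so probes cannot tell a filtered port from no host.
    policy="${1:-DROP}"
    cat <<EOF
*filter
:INPUT ${policy} [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host initiated.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The one service exposed on purpose; whatever answers here must stay patched.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Log a sample of what the policy is about to drop. The limit keeps a probe
# flood from filling the log or turning logging into its own DoS.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP: " --log-level 4
COMMIT
EOF
}

# The weaker layout for comparison: accept-by-default with a final REJECT rule
# (a chain policy itself cannot be REJECT). Every unwanted probe now costs the
# host a reply packet and confirms that something is listening at the address.
gen_reject_variant() {
    gen_ruleset ACCEPT | sed '$i\
-A INPUT -j REJECT --reject-with icmp-port-unreachable'
}

# Returns 0 only when the ruleset ends in a silent DROP with no REJECT rule.
check_ruleset() {
    if printf '%s\n' "$1" | grep -q -- '-j REJECT'; then return 1; fi
    printf '%s\n' "$1" | grep -q '^:INPUT DROP'
}

# Loads the ruleset when run as root; otherwise prints it for review.
load_ruleset() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        gen_ruleset | iptables-restore
    else
        gen_ruleset
    fi
}
```

Run `load_ruleset` as an unprivileged user to see the ruleset, and as root to install it; the logged lines carry the `IPT-DROP:` prefix in the kernel log.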