About my Firewall Settings - I would like an opinion

Manuel Gomez mgdpz1 at gmail.com
Mon Nov 10 20:37:58 UTC 2008

Sam Kuper escribió:

> 2008/11/10 Sam Kuper <sam.kuper at uclmail.net 
> <mailto:sam.kuper at uclmail.net>>
>     By using REJECT instead of DROP, you have no stealth. This means
>     you can be port-scanned to look for weaknesses, e.g. unpatched
>     OpenSSH vulnerabilities, etc. 
> That said, if SSH traffic is blocked, an OpenSSH vuln. might not be 
> significant. If you're allowing and inbound traffic, though, any 
> unpatched flaws in the app servicing that inbound traffic could expose 
> your system to attack.
> Also, by REJECTing rather than DROPping, you might be more vulnerable 
> to DoS attacks.
> Consider using a default (LOG and) DROP policy instead. Michael Rash's 
> site (www.cipherdyne.org <http://www.cipherdyne.org>) has some good 
> resources for learning about this and implementing it.
Ok, i have set default policy in DROP. What  more could I do?

Thank you very much.

More information about the ubuntu-users mailing list