On Thu, 17 Aug 2006 12:34:51 -0400, "Amadeus W. M." <amadeus84@xxxxxxxxxxxxxx> opined: > On Thu, 17 Aug 2006 11:13:32 -0400, David Cary Hart wrote: > > > And your point is? I just wanted to provide a configuration example because a number of people have had some difficulty in configuring or running swatch. > > I'm not saying dynamic firewalls do not do their jobs. Of course > they do. > > I'm saying that you have to be careful with them, because they > can do more than intended. > Indeed. A few years ago, I managed to lock myself out of a local server. Since I now have no physical access to the machine (it's a hosted dedicated server) I have to be excruciatingly careful. > Let alone the fact, that by inserting a firewall rule each time > someone knocks on your door, you'll end up with a mile long > firewall. Do you think that list will ever be long enough? Well, I am not adding IPs gratuitously. This was the result of a widely distributed virus. It has a unique request "signature" in the logs so the firewalling yields NO false positives. Yes, the list is long. As soon as I secure some CGI, I can safely remove these IPs. > > The better way is to build a minimal firewall that drops > EVERYTHING by default, then punch holes in it ONLY for the > machines/domains that are supposed to connect to your host. > (Although even this policy is not fool proof: any of the legit > clients could be compromised). > I must provide wide web access to service blacklist removal requests. Everything is a compromise. That said, I DID manage to saw off the limb I was standing on by over-tweaking the firewall this morning. For an hour or so NOBODY could connect to the web server. Oh what a nitwit I can be when I try real hard -;) -- Do NOT Send Email to <spam trap> Fedora@TQMcube,com Our DNSRBL - Eliminate Spam at The Source: http://www.TQMcube.com Don't Subsidize Criminals: http://boulderpledge.org -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list