Allegedly, on or about 12 February 2016, Rick Stevens sent:

> Carrying that further, set up the firewall to block all incoming
> traffic initially and use "DROP" as the target--NOT "REJECT". The
> reason to use DROP is that "REJECT" actually returns a response to a
> probe which essentially says "Yeah, there's a machine here, but I'm
> not interested in you". That makes you a target for DDOS or
> script-kiddie break-in attempts. "DROP" just drops the packets with no
> response so your machine appears to not be there at all.

That's a bit of a furphy. You're a target whether you appear to be there, or not. Everyone gets hit, scattergun approach.

And you often find that there's still some response to some kind of external probe, even when you think you've firewalled yourself up to the hilt (e.g. ISPs can usually identify what's connected to them, though I bamboozled them when they couldn't detect my Fedora running laptop). Equipment tends to have fingerprints of some kind. And many have an open configuration port for the ISP to mess with.

There's a school of thought, since personal firewalling became a thing, that it has always been better to reject. Accidental connections to your system get a proper error message, and they may stop banging away at the wrong system, instead of trying to make connection. It only takes some admin to get one number wrong in their addressing to accidentally connect to your system.

I notice that you've only mentioned IPv4 rules. If you have any IPv6 connectivity, you want to firewall that, too. I'll make a guess that when IPv6 does actually hit big time (hardly anybody supports it here, still; and my new ISP had it, then took it away), it's going to bring a whole slew of new firewall nightmares, as you don't have the simple/easy NAT inside/outside demarcation point that IPv4 gave most people.

Be cautious about blocking ICMP; you can cause some major breakages with that. That covers the communications about communications.
And I saw NTP being mentioned. There's a chance your router may have a time server, if you didn't want to dedicate a box to it. Or you could simply allow that protocol through the firewall; it's a low traffic one. Possibly your ISP has one, and that (having the exact same time as them) can be useful if you ever make bug reports to them.

While some people place a low priority on using a time service, I find it a godsend to never have to set computer clocks again. I just wish I could get automatic wall clocks, too, without having to go to the expense of GPS ones (still over-priced, and the only option in my country without any radio time servers, any more).

--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list. If you don't understand how e-mail threading works, then follow the instructions given by those who do, and don't argue with them.