On 02/12/2016 03:34 PM, Rick Stevens wrote:
> On 02/12/2016 01:01 PM, Joe Zeff wrote:
> > On 02/12/2016 12:47 PM, Bob Goodwin wrote:
> > > OK, I'll try adding that. Joe brings up the need to keep a route open to
> > > NTP; that presents another concern.
> > Either that, or set up a local NTP server on a box that's not blocked.
> > Let that box sync to the rest of the net and have your LAN all sync to
> > it.
> Carrying that further, set up the firewall to block all incoming traffic
> initially and use "DROP" as the target--NOT "REJECT". The reason to use
> DROP is that "REJECT" actually returns a response to a probe which
> essentially says "Yeah, there's a machine here, but I'm not interested
> in you". That makes you a target for DDoS or script-kiddie break-in
> attempts. "DROP" just drops the packets with no response so your machine
> appears to not be there at all.

The lack of response means, "There's a machine here that is trying
not to be seen." If there were really no machine at that address,
the upstream router would have sent back an ICMP "No route to host"
response. Yes, I do DROP most of those incoming probes, but it's
just to avoid the effort to send a packet that would count, albeit
minimally, against my usage cap. I'm not kidding myself that it
makes me more "invisible".
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx