On Thu, Aug 19, 2004 at 10:14:48AM -0700, Daniel Chemko wrote:
> Hudson Delbert J Contr 61 CS/SCBN wrote:
> > this should be a basic rule of netsec 101 ...
> >
> > one should have to 'turn' on any allowed traffic out of the box.
> >
> > i.e......the firewall should not allow ANY traffic by default until
> > specifically TOLD TO DO SO BY THE ADMIN.
> >
> > this is a good thing.
> Just my two cents on this:

My two pennies :)

> If your firewall is designed correctly, there shouldn't be any network
> available services running barring SSH.

If you're using IPTables as a separate firewall then wouldn't you just want
SSHD listening on the internal interface?

> Because of this, if a hacker gets into your firewall I assume that
> 99.9999% of the time, they'll have root access. Any hacker that could
> hack into your Linux box will be able to disable any iptables rules in
> a second. Hence, blocking the OUTPUT chain on a firewall does NOT
> secure you against hackers.

You're presuming that IPTables isn't protecting a single host. If you're
using it on a desktop or a server, filtering on the OUTPUT chain gives you
a huge gain in security.

-- 
"I think a church with a lightning rod shows a decided lack of confidence"
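The three points raised in the thread (default-deny on every chain, SSH listening only on the internal interface, and filtering the OUTPUT chain on a single host) as one concrete iptables ruleset. This is an added example, not code from any of the posters. It assumes the internal interface is eth1 (overridable via INT_IF), that the host is administered over SSH from the inside only, and that the only outbound traffic it needs to initiate is DNS and HTTP/HTTPS; every other port and direction is an assumption you would adjust for your own host.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny iptables ruleset for a
# single host, in iptables-restore format. Assumptions: internal interface
# eth1, SSH only from the inside, outbound DNS + HTTP/HTTPS only.

INT_IF="${INT_IF:-eth1}"

# Print the ruleset; nothing is applied by this function.
gen_rules() {
    cat <<EOF
*filter
# Default-deny on every chain: nothing passes until a rule below turns it on.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Loopback is needed by almost everything local.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Packets belonging to connections already allowed, in both directions.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Anything that is not a valid part of a tracked connection.
-A INPUT -m conntrack --ctstate INVALID -j DROP

# The only listening service: SSH, and only on the internal interface.
-A INPUT -i ${INT_IF} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# Outbound: what this host is explicitly allowed to initiate.
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

# Log what the default-deny drops, rate-limited. An unexpected outbound
# attempt (a compromised service phoning home) shows up in the log.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}

# Number of rules that open a NEW connection, i.e. the traffic that has been
# explicitly "turned on". A quick sanity check before applying the ruleset.
count_openings() {
    gen_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

case "${1:-}" in
    --apply) gen_rules | iptables-restore ;;   # needs root and iptables
    *)       gen_rules ;;
esac
```

Run without arguments to review the generated ruleset; run with `--apply` as root to load it atomically through iptables-restore. Because the OUTPUT policy is DROP, a service on the host that is compromised but not root cannot open an arbitrary outbound connection, which is the gain the reply above is pointing at; on a dedicated firewall box, where the attacker is assumed to have root, the same rules can simply be flushed.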