I think there has been a bit of loss of direction from the initial thread.
Programmatically speaking, NO services which allow traffic of any kind should
be running 'out of the box'. The fewer and smaller the amount of code, the
more secure; i.e., if it ain't running you can't attack it. Common sense.
Re: Bellovin, Cheswick, Farmer, Wiezste, et al. Console should be how one
initially accesses the box unless we are speaking of a centrally managed
security enclave scenario. Why take needless chances?

~piranha

> Just my two cents on this:

My two pennies :)

> If your firewall is designed correctly, there shouldn't be any network
> available services running barring SSH.

If you're using IPTables as a separate firewall, then wouldn't you just want
SSHD listening on the internal interface?

> Because of this, if a hacker gets into your firewall I assume that
> 99.9999% of the time, they'll have root access. Any hacker that could
> hack into your Linux box will be able to disable any iptables rules in
> a second. Hence, blocking the OUTPUT chain on a firewall does NOT
> secure you against hackers.

You're presuming that IPTables isn't protecting a single host. If you're using
it on a desktop or a server, filtering on the OUTPUT chain gives you a huge
gain in security.

-- 
"I think a church with a lightning rod shows a decided lack of confidence"
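The two configuration points raised in the reply above (sshd reachable only on the internal interface, and a default-deny OUTPUT chain on a single host) as a worked example. This is an added example, not a script from anyone in the thread; the interface names eth0/eth1, the internal network 10.0.0.0/24, the internal address 10.0.0.1 and the set of permitted outbound ports are assumptions chosen for illustration. The script emits an iptables-restore ruleset and the matching sshd_config line rather than applying them, so it can be reviewed and tested without root.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed layout:
#   eth0 = external interface, eth1 = internal interface on 10.0.0.0/24,
#   10.0.0.1 = this host's internal address. Adjust via the environment.
INT_IF=${INT_IF:-eth1}
INT_NET=${INT_NET:-10.0.0.0/24}
INT_ADDR=${INT_ADDR:-10.0.0.1}
EXT_IF=${EXT_IF:-eth0}

# Print an iptables-restore ruleset for a single host: everything dropped by
# default on INPUT, FORWARD and OUTPUT, with explicit holes for what the box
# actually needs. '#' lines are accepted as comments by iptables-restore.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is needed by local services
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this host accepted or initiated
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH only from the internal network, arriving on the internal interface
-A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Outbound: only what the host itself legitimately needs (assumed: DNS, NTP, HTTP/HTTPS)
-A OUTPUT -o $EXT_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $EXT_IF -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $EXT_IF -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Anything else leaving the box is logged before the chain policy drops it;
# an unexpected outbound hit is exactly the signal OUTPUT filtering buys you
-A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: " --log-level 4
COMMIT
EOF
}

# The sshd_config line that keeps sshd off the external interface entirely.
gen_sshd_listen() {
    printf 'ListenAddress %s\n' "$INT_ADDR"
}

# Check: is the OUTPUT chain policy DROP? Exit 0 if yes.
output_default_drop() {
    gen_rules | grep -q '^:OUTPUT DROP'
}

# Check: does any ACCEPT for port 22 exist that is not bound to the internal
# interface? Exit 0 if such a leak is found, 1 if the ruleset is clean.
ssh_listens_externally() {
    gen_rules | grep -- '--dport 22' | grep -v -- "-i $INT_IF" | grep -q ACCEPT
}

# Number of rules in the set, useful for a quick sanity check after edits.
rule_count() {
    gen_rules | grep -c '^-A'
}

# Apply as root with:   gen_rules | iptables-restore
# and add the output of gen_sshd_listen to /etc/ssh/sshd_config.
if [ "${PRINT_RULES:-0}" = 1 ]; then
    gen_rules
    gen_sshd_listen
fi
```

Run with `PRINT_RULES=1 sh script.sh` to preview the ruleset. The two check functions are the review step: before loading a ruleset on a remote box, confirm the OUTPUT policy is really DROP and that no rule accepts port 22 on anything but the internal interface, since a wrong interface name in the SSH rule locks you out of exactly the console-less box the thread is talking about.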