> On the contrary, you leave everything open and try to close specific
> ports and protocols. This is error-prone because it is easy to
> overlook something unless you place catch-all DROP-rules at the end of
> every chain. But judging from your comment on passive FTP, it
> seems you don't.

Your point is definitely valid, yes you do have to use a catch-all or catch-most - but then again you don't have to use this catch-all to drop packets, and there are things that you can do w/ a catch-all in IPTables that you can't do w/ a default policy.

Here is the insecurity of a basic DROP-all that I see: many administrators feel it sufficient to just DROP the packet. Well, guess what: if you drop the packet it still comes up in different types of port scans, hence a REDIRECT to VAPOR wouldn't return anything and it would also irritate the hell out of those port scanning your machine :). Yes, you could achieve the desired effect w/ a default DROP - both ways are possible to produce good FWs. And yes, I do understand your point about missing something. As I believe I had said before, DROP & ACCEPT defaults are both valid, and maybe my arg. about resources is invalid, but so be it, my FW is fine :)

-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
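The disagreement above is about what happens to a packet no rule was written for. The following added example (not code from the thread or from either poster) models iptables first-match chain evaluation with three constructed INPUT chains: a default-DROP policy, a default-ACCEPT policy where the administrator blocked services one by one and overlooked the rest, and a default-ACCEPT policy closed off by a trailing catch-all DROP rule; the chains, ports and names are assumptions for illustration.

```python
# Added example: a minimal model of iptables-style first-match chain evaluation,
# comparing a default-DROP policy against default-ACCEPT with and without a
# catch-all DROP rule at the end of the chain.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # e.g. "tcp"
    dport: int   # destination port


@dataclass
class Rule:
    target: str                   # "ACCEPT" or "DROP"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return self.proto in (None, pkt.proto) and self.dport in (None, pkt.dport)


@dataclass
class Chain:
    policy: str                   # verdict when no rule matches (iptables -P)
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:   # iptables stops at the first matching rule
            if rule.matches(pkt):
                return rule.target
        return self.policy


# Constructed INPUT chains; all three intend to expose only SSH (22) and FTP control (21).
CLOSED_BY_DEFAULT = Chain("DROP", [Rule("ACCEPT", "tcp", 22), Rule("ACCEPT", "tcp", 21)])
# Open by default, closing services one by one: only telnet and SMTP were remembered.
OPEN_NO_CATCHALL = Chain("ACCEPT", [Rule("DROP", "tcp", 23), Rule("DROP", "tcp", 25)])
# Open by default, but with the trailing catch-all DROP the quoted poster insists on.
OPEN_WITH_CATCHALL = Chain("ACCEPT", [Rule("ACCEPT", "tcp", 22), Rule("ACCEPT", "tcp", 21), Rule("DROP")])


def verdicts(pkt: Packet) -> dict:
    """Return each chain's verdict for one packet, keyed by chain name."""
    return {
        "closed_by_default": CLOSED_BY_DEFAULT.verdict(pkt),
        "open_no_catchall": OPEN_NO_CATCHALL.verdict(pkt),
        "open_with_catchall": OPEN_WITH_CATCHALL.verdict(pkt),
    }


if __name__ == "__main__":
    for pkt in (Packet("tcp", 22), Packet("tcp", 21), Packet("tcp", 40123)):
        print(pkt, verdicts(pkt))  # the high port is ACCEPTed only by open_no_catchall
```

Only the chain without a catch-all lets the unplanned high port through; the other two reach DROP either through the policy or through the last rule, which is the "overlook something" risk the quoted poster describes.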