-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 30 Nov 2002 20:18:24 -0800 (PST), David Durst wrote:

> > On the contrary, you leave everything open and try to close specific
> > ports and protocols. This is error-prone because it is easy to
> > overlook something unless you place catch-all DROP rules at the end
> > of every chain. But judging from your comment on passive FTP, it
> > seems you don't.
>
> Your point is definitely valid, yes you do have to use a catch-all or
> catch-most - but then again you don't have to use this catch-all to
> drop packets

If you don't drop anything at the end of a packet filter chain,
everything that makes it that far will be _accepted_. That is not the
case with a default policy of DROP.

> and there are things that you can do w/ a catch-all in
> iptables that you can't do w/ a default policy.

Huh?! I doubt that.

> Here is the insecurity of a basic DROP-all that I see: many
> administrators feel it sufficient to just DROP the packet. Well, guess
> what, if you drop the packet it still comes up in different types of
> port scans, hence a REDIRECT to VAPOR wouldn't return anything and it
> would also irritate the hell out of those port scanning your machine
> :). Yes, you could achieve the desired effect w/ a default DROP - both
> ways are possible to produce good FWs.

Uhm, either I don't understand this bit above or please explain where
you see a difference between DROP and what you call a "REDIRECT to
VAPOR".

I am starting to believe that you haven't understood what a "default
policy" is, and that a default policy of DROP does nothing but add
safety.

- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)

iD8DBQE96Yze0iMVcrivHFQRAlMyAJ46QuQb11cXgmfNUZJltkshuEfjdQCeLuP8
Q/dZt+sr0XxEcNmalwAzT6M=
=TtOi
-----END PGP SIGNATURE-----

--
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
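The point argued in the reply above, that a packet reaching the end of a chain is accepted unless either a trailing catch-all DROP rule or a DROP chain policy stops it, as an added example that is not part of the original thread: a small Python model of netfilter's first-match chain evaluation. It compares three INPUT chains built from the same two ACCEPT rules (policy ACCEPT plus a trailing DROP, policy ACCEPT with the trailing DROP forgotten, and policy DROP with no catch-all). The ports, packets and rule sets are constructed for illustration; the iptables commands quoted in the comments are the real syntax each model rule corresponds to.

```python
"""Model of iptables/netfilter chain traversal: first matching rule wins,
and the chain's policy decides when nothing matches. Added example, not
code from the mailing-list thread. Packets and rules are constructed."""

from dataclasses import dataclass, field
from typing import List, Optional

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass
class Rule:
    target: str
    proto: Optional[str] = None   # None matches any protocol (no -p given)
    dport: Optional[int] = None   # None matches any port (no --dport given)

    def matches(self, pkt: Packet) -> bool:
        return self.proto in (None, pkt.proto) and self.dport in (None, pkt.dport)


@dataclass
class Chain:
    policy: str                   # iptables -P INPUT <policy>
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        # netfilter semantics: rules are checked in order and the first
        # match terminates traversal; only when nothing matches does the
        # chain policy apply.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def open_ports() -> List[Rule]:
    # iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    return [Rule(ACCEPT, "tcp", 22), Rule(ACCEPT, "tcp", 80)]


def catch_all_firewall() -> Chain:
    """Policy ACCEPT, closed by an explicit trailing rule:
    iptables -P INPUT ACCEPT ... iptables -A INPUT -j DROP"""
    return Chain(ACCEPT, open_ports() + [Rule(DROP)])


def forgotten_catch_all_firewall() -> Chain:
    """Same policy, but the trailing -j DROP was never added to this
    chain (the 'easy to overlook something' case)."""
    return Chain(ACCEPT, open_ports())


def default_drop_firewall() -> Chain:
    """iptables -P INPUT DROP: only explicitly accepted traffic passes,
    whether or not anyone remembered a catch-all rule."""
    return Chain(DROP, open_ports())


def compare(pkt: Packet) -> dict:
    """Verdict of each of the three chain layouts for one packet."""
    return {
        "catch_all": catch_all_firewall().verdict(pkt),
        "forgotten_catch_all": forgotten_catch_all_firewall().verdict(pkt),
        "default_drop": default_drop_firewall().verdict(pkt),
    }


if __name__ == "__main__":
    # Constructed probes: an opened port, an unopened TCP port and a UDP port.
    for pkt in (Packet("tcp", 22), Packet("tcp", 3306), Packet("udp", 161)):
        print(pkt, compare(pkt))
```

For port 22 all three chains agree. For anything not explicitly opened, the catch-all and default-DROP chains both drop, but the chain whose catch-all was forgotten falls through to its ACCEPT policy and lets the packet in, which is exactly the failure the reply warns about. A DROP policy plus a trailing DROP rule is harmless redundancy; the policy is the part that cannot be forgotten per chain.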