Firewall tricks.

Bennett Todd bet at rahul.net
Fri Oct 10 07:07:42 PDT 2003


2003-10-09T17:33:46 Rob Park:
> What I'd much rather do is have the firewall intelligently know
> when to ACCEPT or DROP the packets based on whether or not the
> port is open.

Sounds like the only difference between what you want and no
iptables at all is you don't want the port unreachables going out
for attempts to hit closed ports. If the port is open, accept the
packet, don't try and drop attempts to connect to open ports, no
actual protection.

If so, perhaps instead of trying to get a magically inspired DROP on
the inbound packet, might it be easier to just discard the outbound
port unreachables?

-Bennett
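One way to do what Bennett suggests, as an added example that is not part of the original thread: instead of an INPUT rule that somehow knows which ports are closed, drop the replies that would reveal a closed port. It assumes Linux with iptables and an external interface name (eth0 by default); the ICMP rule is what the message proposes, and the TCP RST rule extends the same idea, since a closed TCP port answers with RST+ACK rather than an ICMP port-unreachable.

```shell
#!/bin/sh
# Added example, not from the original thread.  Discards outbound
# "port closed" replies rather than DROPping inbound packets, so open
# ports keep working and nothing else changes on the INPUT side.
# Assumptions: Linux with iptables; interface name defaults to eth0.

# Print the rules for one external interface so they can be reviewed
# before anything is applied.
silence_closed_ports_rules() {
    iface="${1:-eth0}"
    # UDP (and other non-TCP) probes to closed ports: the kernel answers
    # with ICMP port-unreachable; discard it on the way out.
    echo "iptables -A OUTPUT -o $iface -p icmp --icmp-type port-unreachable -j DROP"
    # TCP probes to closed ports: the kernel answers with RST+ACK.
    # Caveat: Linux also sets RST+ACK when it aborts an existing
    # connection, so those aborts will be silenced on this interface too.
    echo "iptables -A OUTPUT -o $iface -p tcp --tcp-flags RST,ACK RST,ACK -j DROP"
}

# Apply the rules (needs root).  No INPUT rule is touched, so an open
# port still accepts connections exactly as before.
apply_silence_rules() {
    silence_closed_ports_rules "$1" | while IFS= read -r cmd; do
        eval "$cmd" || return 1
    done
}
```

Run `silence_closed_ports_rules eth1` to see the rules for another interface, and `apply_silence_rules eth1` as root to install them.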