From owner-cvs-all  Wed Mar 21 13:24:49 2001
Delivered-To: cvs-all@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163])
	by hub.freebsd.org (Postfix) with ESMTP
	id D248B37B71C; Wed, 21 Mar 2001 13:24:43 -0800 (PST)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter (localhost [127.0.0.1])
	by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f2LLOV189204;
	Wed, 21 Mar 2001 22:24:31 +0100 (CET)
	(envelope-from phk@critter.freebsd.dk)
To: Paul Richards <paul@freebsd-services.co.uk>
Cc: Bill Fumerola <billf@mu.org>, Paul Richards <paul@FreeBSD.org>,
	cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw.c 
In-Reply-To: Your message of "Wed, 21 Mar 2001 21:10:35 GMT."
             <3AB918CB.33EC9A98@freebsd-services.co.uk> 
Date: Wed, 21 Mar 2001 22:24:31 +0100
Message-ID: <89202.985209871@critter>
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <3AB918CB.33EC9A98@freebsd-services.co.uk>, Paul Richards writes:

>> If you're configuring remote machines with a default deny rule instead
>> of explcitly adding a deny rule you might want to reconsider.
>
>Explain?
>
>Configuring *any* server without a default deny rule is more foolhardy
>because there's a window of opportunity for a hacker before the rules
>are applied.

Most of my machines have a default allow rule because the ipfw is
only there as an anti-DoS/BOFH tool...

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message