From: Paul Richards
Date: Wed, 21 Mar 2001 21:27:28 +0000
To: Poul-Henning Kamp
Cc: Bill Fumerola, Paul Richards, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw.c
Message-ID: <3AB91CC0.9F52628A@freebsd-services.co.uk>
References: <89202.985209871@critter>

Poul-Henning Kamp wrote:
>
> In message <3AB918CB.33EC9A98@freebsd-services.co.uk>, Paul Richards writes:
>
> >> If you're configuring remote machines with a default deny rule instead
> >> of explicitly adding a deny rule you might want to reconsider.
> >
> > Explain?
> >
> > Configuring *any* server without a default deny rule is more foolhardy
> > because there's a window of opportunity for a hacker before the rules
> > are applied.
>
> Most of my machines have a default allow rule because the ipfw is
> only there as an anti-DoS/BOFH tool...

Configuring any *firewall* without a default deny rule is foolhardy then :-)

Paul.
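The disagreement above is about what a host accepts between `ipfw flush` and the last `ipfw add` of an rc.firewall-style script, and that depends only on the action of the fixed last rule 65535 (compile-time default allow or default deny). The following is an added example, not code from the mail or from FreeBSD: a toy model of ipfw's first-match evaluation that replays a rule load one step at a time under both kernel defaults. The `Packet`, `Rule` and `Ipfw` names, the three-rule ruleset and the two probe packets are constructed here; matching is simplified to exact host address, protocol and destination port, with no CIDR, direction or interface handling.

```python
"""Toy model of ipfw first-match evaluation while rules are loaded one
`ipfw add` at a time.  Added example, not FreeBSD code: Packet, Rule, Ipfw,
the sample ruleset and the probe packets are all constructed here."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_RULE = 65535  # ipfw's fixed last rule; its action is the kernel default


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str           # "allow" or "deny"
    proto: str            # "ip" matches any protocol
    src: str              # single host address or "any" (simplification)
    dport: Optional[int]  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and (self.src == "any" or self.src == pkt.src)
                and (self.dport is None or self.dport == pkt.dport))


class Ipfw:
    """Rules are tried lowest number first; rule 65535 always terminates."""

    def __init__(self, default_action: str) -> None:
        self.default = Rule(DEFAULT_RULE, default_action, "ip", "any", None)
        self.rules: List[Rule] = []

    def flush(self) -> None:            # like `ipfw -f flush`: all but 65535 go
        self.rules.clear()

    def add(self, rule: Rule) -> None:  # like `ipfw add <number> ...`
        self.rules = sorted(self.rules + [rule], key=lambda r: r.number)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules + [self.default]:
            if rule.matches(pkt):
                return rule.action
        raise AssertionError("unreachable: rule 65535 matches everything")


# Constructed sample traffic: the admin's own ssh session and a telnet probe.
ADMIN_SSH = Packet("tcp", "192.0.2.10", 22)
ATTACKER_TELNET = Packet("tcp", "203.0.113.5", 23)

# Constructed ruleset in the order an rc.firewall script would add it.
RULESET = [
    Rule(100, "allow", "tcp", "192.0.2.10", 22),  # keep the admin's ssh alive
    Rule(200, "deny", "tcp", "any", 23),           # nobody gets telnet
    Rule(300, "allow", "ip", "any", None),         # pass everything else
]


def replay_load(default_action: str) -> List[Dict[str, str]]:
    """Flush, then add each rule; snapshot both probes' verdicts after each step."""
    fw = Ipfw(default_action)
    fw.flush()
    probes = {"admin_ssh": ADMIN_SSH, "attacker_telnet": ATTACKER_TELNET}
    snapshots = [{name: fw.decide(p) for name, p in probes.items()}]
    for rule in RULESET:
        fw.add(rule)
        snapshots.append({name: fw.decide(p) for name, p in probes.items()})
    return snapshots


def exposure(default_action: str) -> Tuple[int, int]:
    """(load steps during which the attacker is let in,
        load steps during which the admin is locked out)."""
    snaps = replay_load(default_action)
    open_to_attacker = sum(s["attacker_telnet"] == "allow" for s in snaps)
    admin_locked_out = sum(s["admin_ssh"] == "deny" for s in snaps)
    return open_to_attacker, admin_locked_out


if __name__ == "__main__":
    for policy in ("allow", "deny"):
        opened, locked = exposure(policy)
        print(f"default {policy}: attacker passed during {opened} step(s), "
              f"admin locked out during {locked} step(s)")
```

The final verdicts are identical under both defaults; the two policies differ only while the load is in progress. With a default-allow kernel the telnet probe is accepted after the flush and again after rule 100, which is the window the quoted message objects to. With a default-deny kernel that window is zero, but the admin's own session is dead for the one step between the flush and rule 100, which is presumably the concern behind the quoted remark about configuring remote machines. On a real box the fix for that is to keep the admin-access rule first and never flush without it queued, but the model deliberately stops at showing the trade-off.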