Date: Wed, 21 Mar 2001 21:27:28 +0000 From: Paul Richards <paul@freebsd-services.co.uk> To: Poul-Henning Kamp <phk@critter.freebsd.dk> Cc: Bill Fumerola <billf@mu.org>, Paul Richards <paul@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/netinet ip_fw.c Message-ID: <3AB91CC0.9F52628A@freebsd-services.co.uk> References: <89202.985209871@critter>
next in thread | previous in thread | raw e-mail | index | archive | help
Poul-Henning Kamp wrote: > > In message <3AB918CB.33EC9A98@freebsd-services.co.uk>, Paul Richards writes: > > >> If you're configuring remote machines with a default deny rule instead > >> of explcitly adding a deny rule you might want to reconsider. > > > >Explain? > > > >Configuring *any* server without a default deny rule is more foolhardy > >because there's a window of opportunity for a hacker before the rules > >are applied. > > Most of my machines have a default allow rule because the ipfw is > only there as an anti-DoS/BOFH tool... Configuring any *firewall* without a default deny rule is foolhardy then :-) Paul. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AB91CC0.9F52628A>