Date: Wed, 21 Mar 2001 22:24:31 +0100 From: Poul-Henning Kamp <phk@critter.freebsd.dk> To: Paul Richards <paul@freebsd-services.co.uk> Cc: Bill Fumerola <billf@mu.org>, Paul Richards <paul@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/netinet ip_fw.c Message-ID: <89202.985209871@critter> In-Reply-To: Your message of "Wed, 21 Mar 2001 21:10:35 GMT." <3AB918CB.33EC9A98@freebsd-services.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <3AB918CB.33EC9A98@freebsd-services.co.uk>, Paul Richards writes: >> If you're configuring remote machines with a default deny rule instead >> of explcitly adding a deny rule you might want to reconsider. > >Explain? > >Configuring *any* server without a default deny rule is more foolhardy >because there's a window of opportunity for a hacker before the rules >are applied. Most of my machines have a default allow rule because the ipfw is only there as an anti-DoS/BOFH tool... -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?89202.985209871>