From: Steve Bertrand
Date: Sun, 22 Feb 2009 20:04:08 -0500
To: Andrew Gould
Cc: FreeBSD Users Questions
Subject: Re: off topic: reporting attempts to access computers

Andrew Gould wrote:

> Yes, it's probably time to move to certificates. Thanks for the suggestion.

If you realize this, then you also want to look at devising an allow-allow-deny_by_default approach for other critical protocols that you can't employ certificates for...

Instead of blocking huge netblocks with your firewall (possibly causing a denial of service on legitimate hosts), it's easier and more resource friendly to create access rules that deny by default in ANY case.

(Those who provide transit or hosting services can obviously ignore this).

Steve
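The deny-by-default approach described in the message above, sketched as a pf ruleset. This is an added example, not part of the original post; it assumes pf is the firewall in use, and the interface name, the service port and the addresses (documentation ranges) are placeholders.

```pf
# /etc/pf.conf: added example, not from the original message.
# Assumptions: interface em0, SSH as the protected service, and the
# documentation address ranges below are placeholders to be replaced.

ext_if = "em0"

# Hosts and networks allowed to reach services that cannot use certificates.
# The list stays short and only changes when a legitimate peer changes.
table <trusted_hosts> persist { 192.0.2.10, 198.51.100.0/28, 2001:db8:100::/48 }

# Never filter loopback traffic.
set skip on lo0

# Blocklist approach the message argues against (shown disabled, for contrast):
# the service is open to everyone, and the table of "bad" netblocks grows
# without bound while also shutting out legitimate hosts inside those blocks.
#   table <bad_nets> persist file "/etc/pf.badnets"
#   pass in on $ext_if proto tcp to ($ext_if) port ssh
#   block in quick on $ext_if from <bad_nets>

# Deny by default: pf uses the last matching rule, so this rule applies to
# every packet that no later pass rule matches. Dropped packets are logged
# to pflog0 for review.
block log all

# Outbound traffic from this host is allowed and tracked statefully.
pass out on $ext_if all keep state

# IPv6 needs ICMPv6 for neighbor discovery; without this rule the default
# block above breaks IPv6 connectivity entirely.
pass in on $ext_if inet6 proto icmp6 all

# Explicit allow: only the trusted table may reach SSH on this host.
pass in on $ext_if proto tcp from <trusted_hosts> to ($ext_if) port ssh keep state
```

The ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`, and the table contents inspected with `pfctl -t trusted_hosts -T show`.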