From owner-freebsd-stable Tue Jun 20 11:46:21 2000
Date: Tue, 20 Jun 2000 11:46:17 -0700 (PDT)
From: Kris Kennaway
To: Roland Jesse
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: hosts.allow: deny set but ping requests come through
In-Reply-To: <0v1z1tx45i.fsf@cs.uni-magdeburg.de>

On 19 Jun 2000, Roland Jesse wrote:

> Good point and thanks for the pointer. Now it is way more restrictive
> than I wanted it to be but at least the ping requests from the
> specific machine in question don't get answered anymore.

Restrictive firewalls (e.g. those which deny everything and then allow
through specific exceptions) are usually better than open ones which only
deny a few things, because chances are you've forgotten something, or
you'll forget to update it when you install a new service. So this is a
good thing - just remember to check the ipfw logs when you have a "weird"
problem with network connectivity (assuming you wrote your 'deny' rules as
'deny log').

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe
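
An added example, not part of the message above: one way to triage ipfw 'deny log' output when connectivity breaks behind a default-deny ruleset, by grouping logged drops per rule, protocol, source and destination. The log-line layout, the hostname `gw`, the interface `ed0`, the rule numbers and the addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed syslog layout of an ipfw log entry (check it against your own logs):
#   "ipfw: <rule> <Action> <PROTO> <src> <dst> <in|out> via <interface>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Z][a-z]+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample lines, not taken from a real host.
SAMPLE_LOG = """\
Jun 20 11:40:01 gw /kernel: ipfw: 65000 Deny ICMP:8.0 192.0.2.10 198.51.100.1 in via ed0
Jun 20 11:40:02 gw /kernel: ipfw: 65000 Deny ICMP:8.0 192.0.2.10 198.51.100.1 in via ed0
Jun 20 11:41:15 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.7:1042 198.51.100.1:8080 in via ed0
Jun 20 11:41:20 gw /kernel: ipfw: 400 Accept TCP 203.0.113.7:1043 198.51.100.1:22 in via ed0
Jun 20 11:42:00 gw named[101]: starting
"""


def parse_denies(text):
    """Return one dict per logged Deny entry; all other lines are skipped."""
    denies = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("action") == "Deny":
            entry = m.groupdict()
            entry["rule"] = int(entry["rule"])
            denies.append(entry)
    return denies


def summarize(denies):
    """Count drops per (rule, protocol, source host, destination)."""
    counts = Counter()
    for d in denies:
        src_host = d["src"].partition(":")[0]  # drop the ephemeral source port
        counts[(d["rule"], d["proto"], src_host, d["dst"])] += 1
    return counts


if __name__ == "__main__":
    for (rule, proto, src, dst), n in summarize(parse_denies(SAMPLE_LOG)).most_common():
        print(f"rule {rule:>5}  {proto:<9} {src} -> {dst}  x{n}")
```

A destination that keeps showing up against the catch-all deny rule is usually the service that still needs its own allow rule.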