Date: Tue, 28 Mar 2000 15:18:49 -0800
From: "Brian O'Shea" <boshea@ricochet.net>
To: Scott Hess <scott@avantgo.com>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000328151849.C330@beastie.localdomain>
In-Reply-To: <20000328135401.A17746@river.avantgo.com>; from Scott Hess on Tue, Mar 28, 2000 at 01:54:01PM -0800
References: <20000328113534.W330@beastie.localdomain> <Pine.BSF.4.05.10003281436440.3162-100000@kronos.networkrichmond.com> <20000328130850.Z330@beastie.localdomain> <20000328135401.A17746@river.avantgo.com>
On Tue, Mar 28, 2000 at 01:54:01PM -0800, Scott Hess wrote:
>
> You could tell the packet filter to only allow packets to the
> ssh port. Sounds redundant, but it certainly does prevent you
> from accidentally opening up a hole at some point.

True.

>
> You might want to log packets, on the off chance that someone is
> doing something interesting.

Hmm, this could be interesting.

>
> You might want to adjust whether non-ssh packets are rejected, or
> simply dropped on the floor. Rejecting the packet gives an immediate
> "Connection denied" response to probes, whereas dropping the packet
> just leaves the probe high&dry.

That's a good idea, I'll have to check it out. I assume you mean the
"deny" and "reject" (now "unreach") actions mentioned in the ipfw(8)
man page.

Thanks a lot!

-brian
-- 
Brian O'Shea
boshea@ricochet.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
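As an added example (not from either poster), the three suggestions in the exchange above written as an ipfw(8) ruleset in the style of the period's rc.firewall: only new connections to the ssh port are admitted, everything else arriving on the outside interface is logged, and the administrator picks between silently dropping probes ("deny") and answering them ("unreach port"). The outside interface name fxp0, the FWCMD preview variable and the helper name ssh_only_rules are assumptions.

```shell
#!/bin/sh
# Added example: ssh-only ipfw ruleset with logging and a choice of
# drop vs. reject for probes. Assumed outside interface: fxp0.
oif="fxp0"
# Set FWCMD=echo to preview the rules instead of loading them.
fwcmd="${FWCMD:-/sbin/ipfw}"

# ssh_only_rules MODE   where MODE is "drop" (silent) or "reject" (ICMP port unreachable)
ssh_only_rules() {
    mode="$1"
    case "$mode" in
        drop)   probe_action="deny" ;;          # leave the probe "high and dry"
        reject) probe_action="unreach port" ;;  # immediate "connection refused" style answer
        *) echo "usage: ssh_only_rules drop|reject" >&2; return 2 ;;
    esac
    $fwcmd -f flush
    # loopback traffic is fine; spoofed loopback addresses on real interfaces are not
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    # the only new inbound TCP connection allowed is to port 22 ("setup" = SYN only)
    $fwcmd add 300 allow tcp from any to any 22 in via "$oif" setup
    # packets belonging to connections that are already established
    $fwcmd add 400 allow tcp from any to any established
    # connections the host itself initiates
    $fwcmd add 500 allow tcp from any to any out via "$oif" setup
    # every other inbound TCP packet on the outside interface: log it, then drop or reject
    $fwcmd add 600 $probe_action log tcp from any to any in via "$oif"
    # anything not matched above (UDP, ICMP, ...) is logged and dropped
    $fwcmd add 65000 deny log ip from any to any
}

if [ $# -gt 0 ]; then
    ssh_only_rules "$1"
fi
```

Rule 300 admits only the SYN of a new connection, so a later change elsewhere in the ruleset cannot accidentally expose another service on this interface; rule 600 is where the "probe gets an answer" decision lives.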
