> thinking that this discussion might be of interest to others and not wanting
> to abuse Mike Sheldon or Jean Francois...but I am feeling like by installing
> linux systems on the internet, I am lobbing up softballs for weak hitters to
> hit out of the park.
>
> 1 - if I create a chain ruleset
>
> default policy deny
> accept TCP/UDP port 25, 110, 80
> reject TCP/UDP ports 1:1024
>
> does this adequately protect all but mail & www from things
> like BIND & FTP exploitation attacks?
I'm pretty sure you're gonna want 53 in there... otherwise it'll be
harder to resolve hostnames.
If you're using mysql, add tcp 3306 -y -j REJECT to keep it happy.
If you're using X, add 6000:6009 -y -j REJECT and 7100 -y -j REJECT to
keep the Xsessions highly protected as well as the font server.
I like reject better because I think that makes attempts "go away"
faster. But I'd be more than willing to change my opinion if someone
*knows*. :-)
David
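As an added illustration of the two rulesets discussed in this thread (not code from either poster): a small first-match chain evaluator in the style of an ipchains input chain, with the questioner's chain and a constructed variant that applies David's additions (port 53 allowed; 3306, 6000:6009 and 7100 rejected with `-y`, i.e. only for TCP SYN packets). Rule and packet shapes are simplified assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "any"
    ports: range            # destination ports this rule covers
    target: str             # "ACCEPT", "REJECT" or "DENY"
    syn_only: bool = False  # like ipchains -y: only TCP packets with SYN set

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    syn: bool = False

def port(p):
    return range(p, p + 1)

def ports(lo, hi):
    return range(lo, hi + 1)  # ipchains "lo:hi" is inclusive on both ends

def matches(rule, pkt):
    if rule.proto not in ("any", pkt.proto):
        return False
    if pkt.dport not in rule.ports:
        return False
    if rule.syn_only and not (pkt.proto == "tcp" and pkt.syn):
        return False
    return True

def evaluate(chain, pkt, policy="DENY"):
    """First matching rule wins; if nothing matches, the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# The chain from the question: accept 25, 110, 80 (TCP and UDP), reject 1:1024.
BASE_CHAIN = [Rule("any", port(p), "ACCEPT") for p in (25, 110, 80)]
BASE_CHAIN.append(Rule("any", ports(1, 1024), "REJECT"))

# Constructed variant applying the reply: allow 53, and reject new connections
# to mysql (3306), X displays (6000:6009) and the font server (7100) via -y.
HARDENED_CHAIN = (
    [Rule("any", port(53), "ACCEPT")]
    + BASE_CHAIN
    + [Rule("tcp", port(3306), "REJECT", syn_only=True),
       Rule("tcp", ports(6000, 6009), "REJECT", syn_only=True),
       Rule("tcp", port(7100), "REJECT", syn_only=True)]
)

if __name__ == "__main__":
    for pkt in (Packet("tcp", 21, syn=True), Packet("udp", 53),
                Packet("tcp", 3306, syn=True), Packet("tcp", 6000, syn=True)):
        print(pkt, evaluate(BASE_CHAIN, pkt), evaluate(HARDENED_CHAIN, pkt))
```

Running it shows that the original chain rejects FTP (21) but also rejects DNS (53), while ports above 1024 such as 3306 fall through to the default policy rather than being explicitly rejected.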