On Sat, 31.01.2004, at 17:58, Luciano Miguel Ferreira Rocha wrote:
> On Fri, Jan 30, 2004 at 12:13:18PM +0100, Alexander Dalloz wrote:
> > > /sbin/modprobe ip_conntrack_ftp &> /dev/null
> >
> > modprobe has the parameter "-q" to be quiet.
>
> Thanks, I didn't know.
>
> > > /sbin/iptables -F
> > > /sbin/iptables -X
> > > /sbin/iptables -P FORWARD DROP
> > > /sbin/iptables -P INPUT DROP
> >
> > To set policies to DROP and have no final REJECT rule is bad. DROP is no
> > good general rule.
>
> That's a matter of opinion, but for completeness I do use rejects; I just tried
> to simplify the script:
>
> /sbin/iptables -A INPUT -p TCP -m limit --limit 20/minute -j REJECT --reject-with tcp-reset
> /sbin/iptables -A INPUT -p UDP -m limit --limit 20/minute -j REJECT --reject-with icmp-port-unreachable
>
> (I don't like the default reject method.)
>
> Regards,
> Luciano Rocha

I know that many folks think that a DROP rule improves security and is better than a REJECT. But that is at least just "security by obscurity", and it would draw my attention as a cracker, as it seems that someone is trying to hide something interesting or even critical. In addition, DROP is unsocial, as it leads to a time lag: connection attempts have to wait for timeouts instead of just getting a "no, you can't connect". The topic of DROP versus REJECT has been discussed often and at length, and I know of no argument for DROPping. ;)

Regards

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2149.nptl
Sirendipity 00:36:38 up 1 day, 23:36, load average: 0.33, 0.23, 0.19
[ γνῶθι σεαυτόν - gnothi seauton ]
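The combination the two posters end up with (a DROP policy plus rate-limited REJECT rules) is worth seeing as one complete, loadable ruleset rather than as scattered iptables invocations. The script below is an added example and is not code from either poster: it emits the ruleset in iptables-restore format, checks the one ordering mistake that bites this design (a REJECT placed before an ACCEPT refuses wanted traffic), and only then loads it. The SSH port, the 20/minute rate, the `-m conntrack` match (the modern spelling of the `-m state` match of the 2.4 era) and the `--test` parse of `iptables-restore` are assumptions for illustration; loading requires root.

```shell
#!/bin/sh
# Added example, not from the thread: a small INPUT ruleset in
# iptables-restore format that keeps a DROP policy but answers the first
# $REJECT_RATE refused attempts with a REJECT, so a client normally gets an
# immediate "no" instead of waiting for a timeout. Attempts beyond that rate
# fall through to the DROP policy. SSH_PORT and REJECT_RATE are illustrative
# assumptions.
SSH_PORT="${SSH_PORT:-22}"
REJECT_RATE="${REJECT_RATE:-20/minute}"

# Print the ruleset. Lines starting with '#' are ignored by iptables-restore.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the services this host offers
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# refuse everything else with an immediate answer, at most ${REJECT_RATE};
# anything above that rate is not matched here and hits the DROP policy
-A INPUT -p tcp -m limit --limit ${REJECT_RATE} -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m limit --limit ${REJECT_RATE} -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# The check to run before loading: every ACCEPT must precede the first
# REJECT, otherwise wanted traffic is refused. Exit status 0 = ordering ok.
check_order() {
    gen_rules | awk '
        /-j ACCEPT/ { if (seen_reject) bad = 1 }
        /-j REJECT/ { seen_reject = 1 }
        END { exit bad ? 1 : 0 }'
}

# Parse the ruleset with --test first, then load it atomically (needs root).
apply_rules() {
    check_order || { echo "rule order is wrong, not loading" >&2; return 1; }
    gen_rules | iptables-restore --test && gen_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it without arguments to review the generated ruleset; `sh script.sh apply` as root loads it. Because `-m limit` stops matching once the rate is exceeded, the DROP policy is what a flood of probes sees, while an ordinary client that hits a closed port still gets the TCP reset or ICMP port-unreachable immediately.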