On Fri, Oct 15, 2004 at 09:52:12 -0400,
  Leonard Isham <leonard.isham@xxxxxxxxx> wrote:
> On Fri, 15 Oct 2004 14:43:40 +0100 (IST), VJ <vj@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > Harry,
> > Thanks a lot for your reply. I am using DROP policy by default, and
> > just open the required holes in firewall (HTTP and SMTP only). This PC
> > is not used for browsing at all. It is just a firewall + samba server +
> > http server + smtp server + ftp server + MythTV recording +
> > playing(both backend + frontend) + more little jobs.
> > I do use DROP but I do not log REJECT. Should I do that?
>
> Keep using drop. reject provides additional information to an attacker.

You probably should use reject for ident requests as otherwise transferring
email to some sites may be delayed while an ident request times out.

The extra information afforded by reject isn't that big of a deal.
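
The rule placement discussed in this thread, as an added example that is not part of any poster's message: a default-DROP INPUT chain in iptables-restore format with HTTP and SMTP open (the two ports named above) and ident (TCP 113) answered with a reset so a remote mail server does not wait for a timeout. The loopback and conntrack rules and the helper names `ruleset` and `verdict_for_port` are assumptions of the example.

```shell
#!/bin/sh
# Added example; ports 80 and 25 come from the thread, everything else is assumed.

# Print the ruleset in iptables-restore format.
ruleset() {
cat <<'EOF'
*filter
# Anything not matched below is silently dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# ident: send a TCP RST so the remote MTA's lookup fails at once
# instead of waiting for a dropped SYN to time out.
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Report what the INPUT chain does with a new inbound TCP connection to
# port $1: the target of the first rule naming that --dport, or the chain
# policy when no rule names it. Models only --dport matches.
verdict_for_port() {
    ruleset | awk -v port="$1" '
        $1 == ":INPUT" { policy = $2 }
        $1 == "-A" && $2 == "INPUT" {
            dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (dport == port && verdict == "") verdict = target
        }
        END { print (verdict != "" ? verdict : policy) }'
}
```

Running `ruleset | iptables-restore --test` as root parses the rules without committing them.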