On Sat, 10 Dec 2005, Tim wrote:
> Though, I would have thought that on a server you really wouldn't want a default input accept policy. You'd have to be *very* *sure* that everything on that server was internally ignoring connections that shouldn't be allowed to the outside world. At least a default deny/drop incoming policy gives you some measure of protection against surprises.
Having a default DROP policy on a highly loaded server stresses connection tracking. I'm talking about 4K+ users; we've had boxes start to bail around there, no matter how much fine tuning we did. Without fine tuning they crack up at around 2.5K.
Also, even with only a single user, it can be a problem if you run an FTP server, due to the way FTP works with its data port etc. Most of our servers have 22 filtered on the router, then iptables handles the rest: explicit allow for 80 if it's a web server, 25/110 if it's a mail server, then block everything else in 1-1023, 3306 (SQL) and 2 other ports used with apcupsd.

-- 
Cheers
Res
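The two INPUT-chain designs the thread contrasts (default ACCEPT with explicit DROPs versus default DROP with connection tracking), as an added example that is not the rules from either poster. The role list, the use of a printing wrapper, and the apcupsd port numbers are assumptions; the message does not name the apcupsd ports.

```shell
#!/bin/sh
# Added example, not the rules from the message: the two INPUT-chain designs the
# thread contrasts, emitted as iptables commands. IPT defaults to "echo" so the
# script only prints; set IPT="" (and run as root) to apply the rules for real.
IPT="${IPT-echo}"
# The message does not name the two apcupsd ports; 3551 is apcupsd's default NIS
# port (assumption), the second one must be supplied via APCUPSD_PORTS.
APCUPSD_PORTS="${APCUPSD_PORTS:-3551}"

# Role-specific listeners, allowed explicitly in both designs.
allow_role_ports() {
  case "$1" in
    web)  $IPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT ;;
    mail) $IPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT
          $IPT iptables -A INPUT -p tcp --dport 110 -j ACCEPT ;;
    *)    echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Res's design: default ACCEPT, no conntrack, explicit DROPs. Order matters:
# the per-role ACCEPTs must precede the 1:1023 range DROP or they never match.
# Anything listening above 1023 and not listed here stays reachable, so audit
# listeners (e.g. ss -lntu) whenever a service is added to the box.
stateless_rules() {
  $IPT iptables -P INPUT ACCEPT
  $IPT iptables -F INPUT
  allow_role_ports "$1" || return 1
  # 22 is filtered upstream on the router in the message, so nothing here for it.
  for proto in tcp udp; do
    $IPT iptables -A INPUT -p "$proto" --dport 1:1023 -j DROP
  done
  $IPT iptables -A INPUT -p tcp --dport 3306 -j DROP
  for p in $APCUPSD_PORTS; do
    $IPT iptables -A INPUT -p tcp --dport "$p" -j DROP
  done
}

# Tim's design: default DROP, with the state match admitting replies. Every
# flow occupies a conntrack entry, which is the load the message complains about.
stateful_rules() {
  $IPT iptables -P INPUT DROP
  $IPT iptables -F INPUT
  $IPT iptables -A INPUT -i lo -j ACCEPT
  $IPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  allow_role_ports "$1" || return 1
}

stateless_rules "${ROLE:-web}"
```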