From: Hudson Delbert J Contr 61 CS/SCBN <Delbert.Hudson@LOSANGELES.AF.MIL>
To: 'Nick Drage' <nickd@metastasis.org.uk>, netfilter@lists.netfilter.org
Subject: RE: A simple question
Date: Thu, 19 Aug 2004 10:58:06 -0700 [thread overview]
Message-ID: <7EACCDBB65D37443912D80713CC1245D02382AB4@fsnsab20.losangeles.af.mil> (raw)
I think there has been a bit of loss of direction from the initial thread.
programatically speaking NO services which allow traffic of any kind s/be
running
'out of the box'...
the fewer and smaller amount of code the more secure.
i.e.,,,if it ain't running you cant attack it....common sense....
re: bellovin, cheswick, farmer, wiezste, et al...
console should be how one initally accesses the box unless
we are speaking of a centrally managed security enclave scenario.
why take needless chances...
~piranha
> Just my two cents on this:
My two pennies :)
> If your firewall is designed correctly, there shouldn't be any network
> available services running baring SSH.
If you're using IPTables as a seperate firewall then wouldn't you just
want SSHD listening on the internal interface?
> Because of this, if a hacker gets into your firewall I assume that
> 99.9999% of the time, they'll have root access. Any hacker that could
> hack into your Linux box will be able to disable any iptables rules in
> a second. Hence, blocking the OUTPUT chain on a firewall does NOT
> secure you against hackers.
You're presuming that IPTables isn't protecting a single host. If
you're using it on a desktop or a server filtering on the OUTPUT chain
gives you a huge gain in security.
--
"I think a church with a lightning rod shows a decided lack of confidence"
next reply other threads:[~2004-08-19 17:58 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-08-19 17:58 Hudson Delbert J Contr 61 CS/SCBN [this message]
-- strict thread matches above, loose matches on Subject: below --
2011-01-17 16:24 A simple question Ajit K Jena
2011-01-17 16:32 ` Michiel Muhlenbaumer
2005-08-10 0:11 A Simple Question Robb Bossley
2005-08-10 19:58 ` /dev/rob0
2005-08-11 5:54 ` Jan Engelhardt
2005-08-12 5:27 ` Grant Taylor
2004-08-19 17:47 A simple question Daniel Chemko
2004-08-19 17:14 Daniel Chemko
2004-08-19 17:31 ` Nick Drage
2004-08-19 15:15 Hudson Delbert J Contr 61 CS/SCBN
2004-08-19 11:04 Jason Opperisano
2004-08-19 2:36 Sudheer Divakaran
2004-08-19 4:18 ` Mark E. Donaldson
2004-08-19 8:39 ` Torsten Luettgert
2004-08-19 4:52 ` Dhananjoy Chowdhury
2004-08-19 15:46 ` Erick Sanz
2004-04-06 2:25 Gianni Pucciani
2004-04-05 22:40 ` Antony Stone
2004-04-06 13:26 ` Gianni Pucciani
2003-07-12 15:20 Performance difference between two raid0 arrays on same drives? Gordon Henderson
2003-07-16 18:11 ` A simple question Donghui Wen
2003-06-27 8:56 A Simple question Jad Saklawi
2003-06-27 9:32 ` Glynn Clements
2003-06-27 17:57 ` chuckw
2002-08-09 1:26 A simple question ed Wang
2002-08-09 16:57 ` David Love
2001-05-07 15:29 Hai Xu
2001-05-07 15:34 ` Robert M. Love
2001-05-07 15:43 ` Feng Xian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7EACCDBB65D37443912D80713CC1245D02382AB4@fsnsab20.losangeles.af.mil \
--to=delbert.hudson@losangeles.af.mil \
--cc=netfilter@lists.netfilter.org \
--cc=nickd@metastasis.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.