That's pretty much what I have.  Thanks for making me feel a bit more
secure.

Munir Nassar wrote:
> 
> On Sat, 1 Jun 2002, Wayne Johnson wrote:
> 
> > Hmmm.  I just set up a system, tell it to reject packets for all ports
> > I'm not using especially telnet, ftp, and the other usual suspects.
> > Guess I've never heard of gShield.  Am I being naive?  Should I be
> > looking into a bit more protection.
> 
> The best protection money can buy is to disconnect the network cable
> 
> short of that it is just playing a game of how much you can/will
> compromise...
> 
> for me i start with dropping all packets, it makes the firewall more
> "stealthy" and it causes an nmap to scan for a long time because it has
> to wait for the connections to timeout, but violates RFCs...
> 
> then i open the ports for the services that i need, SSH, IMAPS, HTTP,
> HTTPS, DNS and so forth. It is highly recommended that you section off
> your network into separate parts with strict ACLs but that is just too
> much of a headache for my small network
> 
> next install portsentry and have it drop all connections from the bastard
> who tried to scan you...
> 
> that is just for the network, internally you should set up some shit like
> tripwire and make sure you update your packages regularly,
> 
>  -munir
> 
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list

-- 
Wayne Johnson,             | There are two kinds of people: Those 
3943 Penn Ave. N.          | who say to God, "Thy will be done," 
Minneapolis, MN 55412-1908 | and those to whom God says, "All right, 
(612) 522-7003             | then,  have it your way." --C.S. Lewis
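The default-drop-then-open-what-you-need posture Munir describes, written out as an iptables script. This is an added example, not something from the original thread or from either poster. It assumes a single public interface named in `WAN_IF` (defaulting to `eth0`), the classic `-m state` match of 2002-era iptables (still accepted by current netfilter), and a `DRY_RUN` switch, on by default, so the rules are printed for review rather than applied. The DROP policy is set last so a remote admin session is not cut off while the ESTABLISHED rule is still being added, and a rate-limited LOG rule sits in front of the policy so a scan that would otherwise vanish silently still shows up in the logs.

```shell
#!/bin/sh
# Added example: default-DROP INPUT chain plus the services Munir lists.
# Assumptions (not from the thread): WAN_IF is the public interface,
# '-m state' is available, DRY_RUN=1 prints rules instead of applying them.

WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# run_rule: apply one iptables rule, or print it when DRY_RUN is set.
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# open_tcp PORT: allow new inbound TCP connections to PORT on the WAN side.
open_tcp() {
    run_rule -A INPUT -i "$WAN_IF" -p tcp --dport "$1" -m state --state NEW -j ACCEPT
}

build_firewall() {
    # Start from a clean INPUT chain.
    run_rule -F INPUT

    # Loopback and replies to connections we initiated are always allowed.
    run_rule -A INPUT -i lo -j ACCEPT
    run_rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The services Munir opens: SSH, IMAPS, HTTP, HTTPS, DNS (TCP and UDP).
    open_tcp 22
    open_tcp 993
    open_tcp 80
    open_tcp 443
    open_tcp 53
    run_rule -A INPUT -i "$WAN_IF" -p udp --dport 53 -j ACCEPT

    # Log what is about to be dropped (rate-limited so a scan cannot fill the disk).
    run_rule -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "

    # Set the DROP policy last: everything not matched above is now silently dropped,
    # which is the "stealthy" behaviour Munir prefers over Wayne's REJECT.
    run_rule -P INPUT DROP
    run_rule -P FORWARD DROP
    run_rule -P OUTPUT ACCEPT
}

# count_accept_rules: how many ACCEPT rules the ruleset contains (useful for review).
count_accept_rules() {
    DRY_RUN=1 build_firewall | grep -c -- '-j ACCEPT'
}

# input_policy: the default policy the ruleset ends with.
input_policy() {
    DRY_RUN=1 build_firewall | sed -n 's/^iptables -P INPUT //p'
}

build_firewall
```

Run it as-is to review the rule list; run with `DRY_RUN=0` as root to apply it. Anything you later add (portsentry, for instance) slots in before the LOG rule, since the chain is evaluated top to bottom and the policy only applies to packets nothing else matched.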