Here's a quote from the de.comp.security.firewall FAQ:

> Administrators who bother about script kiddies sometimes believe that they can stop them with DENY. This is wrong. It's possible to start several thousand scans at once and therefore to wait for all timeouts at once. A scanner won't slow down because of this. On the other side you slow down all legitimate users and services. Specifically the IDENT requests.
>
> The ident services gives the administrator of a neat system a help for identifying misbehaving users. DENY has the consequence that this help isn't recorded at other servers. Do you want to hide spammers and script kiddies please use DENY.

Although it's hard to tell from the bad English, he's in favor of Reject. I think m0n0wall defaults to Deny, so I assume that this advice will not meet with universal acceptance here.

Comments?

NHA
--
Norman H. Azadian
Taegerishalde 13
CH-3110 Muensingen
Switzerland
norman at azadian dot ch
tel: +41 31 721 7855
fax: +41 31 55 898 55
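
The timing argument in the quoted FAQ, as an added simulation that is not part of the original post or the FAQ: it sends no packets and only models the wait a caller sees under each policy. The timing constants and all function names are assumptions chosen for illustration.

```python
import asyncio
import time

# Constructed, scaled-down timings (assumptions, not measurements):
TIMEOUT = 0.2   # stands in for a client's TCP connect timeout on a silently dropped SYN
RTT = 0.001     # stands in for the round trip that returns a RST or ICMP error

async def attempt(policy):
    """Simulate one connection attempt to a filtered port; no packets are sent."""
    # DENY: no answer, the caller waits out its timeout. REJECT: an error returns at once.
    await asyncio.sleep(TIMEOUT if policy == "DENY" else RTT)

async def parallel_scan(policy, ports):
    """A scanner that launches every probe at once, as the FAQ describes."""
    start = time.perf_counter()
    await asyncio.gather(*(attempt(policy) for _ in range(ports)))
    return time.perf_counter() - start

async def ident_lookup(policy):
    """A remote server's single ident query (TCP 113) back to a client behind the firewall."""
    start = time.perf_counter()
    await attempt(policy)
    return time.perf_counter() - start

def measure(ports=2000):
    """Return, per policy, the scanner's total time and one legitimate user's added delay."""
    async def run():
        out = {}
        for policy in ("DENY", "REJECT"):
            out[policy] = {
                "scan_total": await parallel_scan(policy, ports),
                "user_delay": await ident_lookup(policy),
            }
        return out
    return asyncio.run(run())

if __name__ == "__main__":
    for policy, r in measure().items():
        per_port = r["scan_total"] / 2000
        print(f"{policy:6} scan of 2000 ports: {r['scan_total']:.3f}s "
              f"({per_port * 1000:.3f} ms/port), ident wait per login: {r['user_delay']:.3f}s")
```

Under DENY the scanner pays roughly one timeout for all 2000 ports, while every legitimate login that triggers an ident query pays the full timeout by itself.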