From: ibuprofin@painkiller.example.tld.invalid   
      
   On 26 Dec 2012, in the Usenet newsgroup alt.os.linux.mandriva, in article   
   , Wolfgang Schelongowski wrote:   
      
   >Moe Trin writes:   
      
   >>Ours are pretty simple:   
      
   >> accept anywhere state RELATED,ESTABLISHED   
   >> accept $LAN_RANGE state NEW tcp dpt:ssh   
   >> accept all 127.0.0.0/8   
   >> reject all anywhere reject-with icmp-host-prohibited   
      
   >No holes for $LAN_RANGE domain, $DHCP, $NTP, ...?   
      
   This is a laptop/workstation, not one of my servers. Therefore, it's   
   not running a DNS, DHCP or NTP (or any other kind of) _server_ daemon   
   except SSH and X. I don't want anyone else accessing my X server, so   
   there's no 'accept' rule for it (other than the general rule for the   
   loopback range). If the system is not running a server on port $FOO,   
   why should it be concerned about accepting an _inbound_ packet to a   
   server that doesn't exist? The network stack would handle that case,   
   replying with a TCP "RESET" ("nothing here to connect to") packet at   
   the 3-way handshake phase (or an ICMP type 3 port or protocol   
   unreachable for most other stuff) even without the "reject all"   
   firewall rule. I don't install windoze type malware on the laptop,   
   so I don't restrict outbound packets. Replies to my OUTBOUND server   
   requests are covered by the "RELATED,ESTABLISHED" rule.   
      
    Old guy   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
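The four INPUT rules quoted above, written out in iptables-restore form so the "accept ... state NEW tcp dpt:ssh" listing maps back to the commands that produce it. This is an added example, not the poster's own script; LAN_RANGE and the 192.168.1.0/24 default are placeholders, and the CIDR sanity check is an assumed addition so a bare address typo cannot turn the ssh rule into "accept from anywhere".

```shell
#!/bin/sh
# Added example (not from the post): emit the four INPUT rules shown in the
# thread in iptables-restore format. LAN_RANGE is a placeholder; the
# 192.168.1.0/24 default is constructed, not the poster's actual network.
set -eu

gen_input_rules() {
    lan="$1"
    # Assumed sanity check: insist on CIDR form so a mistyped single address
    # or empty variable does not quietly widen the ssh rule.
    case "$lan" in
        */*) ;;
        *) printf 'refusing: LAN range "%s" is not in CIDR form\n' "$lan" >&2
           return 1 ;;
    esac
    printf '%s\n' '*filter'
    # Chain policy stays ACCEPT: it is the trailing REJECT rule, not the
    # policy, that closes the chain, matching the quoted "reject all" line.
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # 1. replies to this host's own outbound requests
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # 2. new ssh connections, and only from the LAN range
    printf '%s\n' "-A INPUT -s $lan -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # 3. loopback range, matched on source address as in the post
    #    (matching on "-i lo" is the other common idiom)
    printf '%s\n' '-A INPUT -s 127.0.0.0/8 -j ACCEPT'
    # 4. everything else is rejected with ICMP host-prohibited rather than
    #    silently dropped, so the sender gets an immediate answer
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# Print the ruleset; pipe the output into "iptables-restore" (as root) to load it.
gen_input_rules "${LAN_RANGE:-192.168.1.0/24}"
```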