Firewall

Why Firewall Reject Rules Are Better Than Firewall Drop Rules

"Most firewalls come pre-configured to quietly drop traffic rather than reject it. But what’s the difference between the two and is it truly better to drop instead of reject? If you have never given this question much thought, the answer might surprise you."
An interesting POV. I've been dropping packets all my life (just like 99% of firewall admins), but Chris's explanation makes sense. Some of his statements are trivially true, while others would need some investigation to prove or disprove.

Oracle SQLNET and firewalls?

Up till now I believed that all Oracle database connections are firewall-crippled by the well-known SQLNET setup: the client connects to the server's TCP port 1521 (the TNS Listener), the server starts a DB process to handle the connection and tells the client to disconnect from the TNS Listener and connect to a newly opened, random port. I.e. you have to open all ports on the server for traffic coming from the client. However, today I monitored with Wireshark a connection being established through an SSH tunnel from an Oracle client (running PL/SQL Developer) to a 9iR2 database server, and only a single connection was used the whole time!

Dynamic firewall rules for iptables

Here's the problem: you're allowing access to some ports of your server based on source IPs. This is common practice, even if it's not 100% secure (source IPs can be spoofed in certain situations, so treat it as a filter, not as authentication). But what if you have no fixed source IP address(es), which is just as common? You can register a domain name at a dynamic DNS provider (e.g. dyndns.org) and have your client (a DSL router or a client app on your PC) update the IP of that domain name automatically whenever your client's internet connection comes up. But that still doesn't help with iptables: a host name in a rule is resolved exactly once, when the rule is inserted, and only the address is stored, so the rule never follows the dynamic name (and a live DNS lookup per packet would be a bad idea anyway). Here's where my script comes into play. It lets you specify a list of domain names and destinations (host+port) for which the script automatically generates permitting iptables rules.
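The following is an added example of how such a generator can be built; it is not the script from this post. It assumes a dedicated chain (called DYNHOSTS here) that INPUT jumps to, a JSON state file at an assumed path, and a pluggable resolver so the rule logic can be exercised without network access. The design choices worth noting are that a refresh only flushes and refills that one chain, that a name which fails to resolve keeps the address from the previous run instead of silently losing its rule, and that a name with no known address gets no rule at all rather than a wildcard. The hostnames and addresses in the block are constructed.

```python
#!/usr/bin/env python3
"""Regenerate iptables ACCEPT rules from dynamic-DNS hostnames.

Added example, not the blog's own script. Assumed design:
  * every generated rule lives in a dedicated chain (DYNHOSTS by default)
    that INPUT jumps to, so a refresh is "flush that chain, re-add rules"
    and the rest of the ruleset is never touched;
  * a hostname that fails to resolve keeps the address from the previous
    run (a transient DNS failure must not lock the admin out);
  * a hostname with no known address gets NO rule (never a wildcard);
  * resolution is pluggable, so the rule logic can be tested offline.
"""
import ipaddress
import json
import socket
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# (dynamic hostname, destination address on the server, port, protocol)
Entry = Tuple[str, str, int, str]
Resolver = Callable[[str], Optional[str]]

CHAIN = "DYNHOSTS"
STATE_FILE = "/var/lib/dynhosts/last.json"   # assumed path


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the system resolver; None on failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def resolve_all(entries: List[Entry], resolver: Resolver,
                previous: Dict[str, str]) -> Dict[str, str]:
    """Map each hostname to an IPv4 address, falling back to `previous`."""
    current: Dict[str, str] = {}
    for name, _dst, _port, _proto in entries:
        ip = resolver(name)
        try:
            ipaddress.IPv4Address(ip)        # iptables is v4 only: reject v6/garbage
        except ValueError:                   # also raised for None
            ip = previous.get(name)          # may still be None on the first run
        if ip is not None:
            current[name] = ip
    return current


def build_rules(entries: List[Entry], addresses: Dict[str, str],
                chain: str = CHAIN) -> List[List[str]]:
    """Return iptables argv lists that rebuild `chain` from scratch."""
    cmds = [["iptables", "-F", chain]]
    for name, dst, port, proto in entries:
        ip = addresses.get(name)
        if ip is None:
            continue                          # unknown address: no rule at all
        cmds.append(["iptables", "-A", chain, "-s", ip, "-d", dst,
                     "-p", proto, "--dport", str(port),
                     "-m", "comment", "--comment", name,
                     "-j", "ACCEPT"])
    return cmds


def refresh(entries: List[Entry], resolver: Resolver = system_resolver,
            state_file: str = STATE_FILE,
            dry_run: bool = False) -> List[List[str]]:
    """One cron run: resolve, rebuild the chain, persist the addresses."""
    try:
        with open(state_file) as fh:
            previous = json.load(fh)
    except (OSError, ValueError):
        previous = {}
    addresses = resolve_all(entries, resolver, previous)
    cmds = build_rules(entries, addresses)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
        with open(state_file, "w") as fh:
            json.dump(addresses, fh)
    return cmds


if __name__ == "__main__":
    # Constructed entries. One-time setup before the first run:
    #   iptables -N DYNHOSTS && iptables -I INPUT -j DYNHOSTS
    ENTRIES: List[Entry] = [
        ("home.dyndns.example", "192.0.2.10", 22, "tcp"),
        ("laptop.dyndns.example", "192.0.2.10", 5432, "tcp"),
    ]
    for c in refresh(ENTRIES, dry_run=True):
        print(" ".join(c))
```

Run it from cron every few minutes; because the generated rules are confined to their own chain, the rest of the ruleset (including the final DROP or REJECT) is never touched, and inserting the jump at the top of INPUT guarantees the dynamic allow rules are evaluated before it.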

NoobProof - an IPFW frontend for noobs

NoobProof is a complement to WaterRoof (a professional IPFW frontend), but aimed at "noobs".
I decided to link to it because I love its icon.


Yoggie

Now this is something. A Linux-based security suite integrated into a USB stick! It works by installing a low-level driver into the PC's OS (of course this is Windows-only stuff) and redirecting all network traffic through this driver, which filters the data through the appliance's security mechanisms. They say that this unit provides an all-in-one solution: firewall, spam filter, anti-virus, bla-bla-bla ... Actually the only problem with this is that the whole thing is only as secure as the Windows (driver) architecture allows. And I don't trust that too much. :-> I'm not naive: most probably Mac OS X is not much safer from a technical POV, but it has a much smaller user base and thus is a less attacked platform. And on the other hand, it works a lot better, and that's a significant aspect from a user's POV.