iptables support?

Res res at ausics.net
Sat Dec 10 21:33:16 UTC 2005


On Sat, 10 Dec 2005, Tim wrote:

> Though, I would have thought that on a server you really wouldn't want a
> default input accept policy.  You'd have to be *very* *sure* that
> everything on that server was internally ignoring connections that
> shouldn't be allowed to the outside world.  At least a default deny/drop
> incoming policy gives you some measure of protection against surprises.

To have a default policy of DROP on a highly loaded server stresses connection 
tracking. I'm talking about 4K+ users; we've had boxes start to bail 
around there, no matter how much fine tuning we did. Without fine tuning 
they crack up at around 2.5K.

Also, even with only a mere single user, it can be a problem if you run an 
FTP server, due to the way FTP works with its data port etc. Most of our 
servers have 22 filtered on the router, then iptables handles the rest, 
like an explicit allow for 80 if it's a web server, 25/110 if it's a mail server, 
then block everything else 1-1023, 3306 (SQL) and 2 other ports used with 
apcupsd.


-- 
Cheers
Res
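The scheme Res describes (INPUT policy ACCEPT, explicit allows for the service ports, then explicit DROPs for the rest of 1-1023, 3306 and the apcupsd ports, with 22 handled upstream on the router) written out as a small generator that emits an iptables-restore ruleset. This is an added example, not Res's actual configuration. It assumes the two apcupsd ports, which the post does not name, are passed in by the caller, that the blocked range is TCP (the post does not say which protocol), and that port 22 is indeed filtered before it reaches the box.

```shell
#!/bin/sh
# Added example, not from the original post: build an iptables-restore
# ruleset in the style described on the list (default-ACCEPT INPUT with
# explicit allow rules followed by explicit DROP rules).
#
# Usage: build_rules ROLE [EXTRA_BLOCKED_PORT ...]
#   ROLE is "web" (allow tcp/80) or "mail" (allow tcp/25 and tcp/110).
#   EXTRA_BLOCKED_PORT values (e.g. the two apcupsd ports, which the
#   post does not name, so they are an assumption here) are dropped in
#   addition to 1-1023 and 3306.
#
# Design note: no rule uses -m state / -m conntrack, so loading this
# ruleset does not pull in the connection-tracking module at all. Replies
# to outbound connections and passive-FTP data connections land on high
# ports, which the ACCEPT policy lets through without any state table.
# Port 22 is assumed to be filtered on the router, as in the post.

service_ports() {
    case "$1" in
        web)  echo "80" ;;
        mail) echo "25 110" ;;
        *)    echo "unknown role: $1" >&2; return 1 ;;
    esac
}

build_rules() {
    role=$1
    shift
    ports=$(service_ports "$role") || return 1

    printf '%s\n' '*filter'
    # INPUT stays ACCEPT by policy; only the rules below narrow it.
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'

    # Explicit allows for the service(s) this box runs. These must come
    # before the 1:1023 DROP, since iptables matches first rule wins.
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done

    # Block the remaining privileged range and MySQL. Everything above
    # 1023 that is not listed stays reachable because of the ACCEPT policy.
    # (UDP 1:1023 is deliberately left alone: a blanket UDP drop there
    # would also catch traffic to a local ntpd bound to port 123.)
    printf '%s\n' '-A INPUT -p tcp --dport 1:1023 -j DROP'
    printf '%s\n' '-A INPUT -p tcp --dport 3306 -j DROP'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j DROP"
    done

    printf '%s\n' 'COMMIT'
}

# Example run (apcupsd port numbers here are placeholders, not from the post):
#   build_rules web 3551 3552 | iptables-restore --test
#   build_rules mail 3551 3552 | iptables-restore
```

Pipe the output through `iptables-restore --test` first to have the kernel parse the ruleset without loading it, then through `iptables-restore` as root to apply it atomically. Because the chain policy remains ACCEPT, any new service you start on a port outside 1-1023 is reachable until you add a DROP for it, which is exactly the "surprise" Tim's quoted paragraph warns about; the trade-off is the one Res makes for load.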