On 4/8/2010 6:59 AM, Adam Morris wrote:

> 1) Usually, it's wiser and more secure to silently drop packets to avoid
> opening yourself to certain reflective attacks.

Could you elaborate? It's not a big deal if I have to drop instead of reject packets, but I'd like to know more.

> 2) As long as you don't have software running on one of those ports that
> could be exploited. I would recommend running a nmap scan on your
> localhost to see if there are any programs you may not realize using
> ports above 10000. nmap by default doesn't look at the full port range,
> so you'll need to specify "-p1-65535" as one of the arguments.

nmap returned some interesting results. I found some ports that should be closed that were filtered, and nmap was able to determine their services. There were some other ports open, but nmap couldn't determine the service, so my guess is that these ports were opened by transmission-daemon to connect to other peers.

> 3) That's a little difficult. Do they have dynamic DNS set up for
> themselves? That's the only way I can think you could set that up.

It's done by their ISPs. If they get disconnected from their ISP (e.g. modem reset, service outage), they get a new IP address when they reconnect.

I'm mostly worried about myself. Such a situation is rare, but if I get assigned a new IP address, I'm locked out and there's no one to let me back in. I could write a script that would replace Shorewall's rules file with a similar one that would open up ssh to the public so I could log in, but I'd have to open ssh to one of my users, all of whom (AFAIK) are clueless when it comes to Linux/Unix, and the sole reason they would have shell access would be to execute the script.
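The full-range nmap check suggested above produces a lot of output on a busy host, and the question the admin actually has to answer is "which listening ports above 10000 don't I know about, and which of those does nmap not recognise?". The script below is an added example (not part of this thread or of nmap) that parses nmap's grepable output format (`-oG -`), compares it against an allowlist of ports the administrator expects, and reports the leftovers. The scan output embedded in it is constructed for illustration, as is the allowlist; on a real host you would feed it the output of `nmap -p1-65535 -oG - localhost`.

```python
import re

# Constructed sample of `nmap -p1-65535 -oG - localhost` output (grepable format).
# Port numbers and services are made up for the example; they are not real scan results.
SAMPLE_NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -p1-65535 -oG - localhost
Host: 127.0.0.1 (localhost)\tStatus: Up
Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh///, 9091/open/tcp//?///, 10000/filtered/tcp//snet-sensor-mgmt///, 51413/open/tcp//?///\tIgnored State: closed (65531)
# Nmap done
"""

# Ports the administrator knows about (constructed allowlist for the example).
EXPECTED_PORTS = {22: "ssh"}

# Grepable port entries look like port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text):
    """Return a list of dicts for every port nmap reported in a 'Ports:' field."""
    entries = []
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        # The Ports field runs up to the next tab (e.g. before 'Ignored State:').
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for match in PORT_RE.finditer(ports_field):
            port, state, proto, service = match.groups()
            entries.append({
                "port": int(port),
                "state": state,
                "proto": proto,
                "service": service or "?",
            })
    return entries


def unexpected_listeners(entries, expected=EXPECTED_PORTS):
    """Ports that are open or filtered but not on the administrator's allowlist."""
    return sorted(
        e["port"] for e in entries
        if e["state"] in ("open", "filtered") and e["port"] not in expected
    )


def high_ports_unknown_service(entries, threshold=10000):
    """Open ports above the threshold whose service nmap could not identify ('?')."""
    return sorted(
        e["port"] for e in entries
        if e["state"] == "open" and e["port"] > threshold and e["service"] == "?"
    )


if __name__ == "__main__":
    found = parse_grepable(SAMPLE_NMAP_GREPABLE)
    print("unexpected open/filtered ports:", unexpected_listeners(found))
    print("high ports with unknown service:", high_ports_unknown_service(found))
```

Anything in the first list is a port to account for (check the owning process with `netstat -tlnp` or `ss -tlnp` as root); anything in the second list is the case the thread describes, a high port with no recognised service, which may well be a peer-to-peer daemon but should be confirmed rather than assumed.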