Subject: Re: security for netbsd as web server
To: Felix Deichmann <f.dei@web.de>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 03/25/2005 17:39:52
In message <4244916E.8010200@web.de>, Felix Deichmann writes:
>Amadeus Stevenson wrote:
>> -ipfilter block all default, allow in www with keep state
>
>If you expect many connections and "keep state", be sure that the state 
>table is big enough then. See IPSTATE_SIZE and IPSTATE_MAX in ip_state.h.

For this sort of application, you don't need 'keep state'.  Virtually 
nothing should be running on the machine; you can block those ports 
explicitly (if there is indeed anything to block).  Outbound calls (if 
any) should just work.  Don't worry about scans; armor the machine and 
let the probes bounce off.

The real risk here isn't that they know you aren't running something; 
the risk is from the things you are running and can't shut down, like 
apache.
>
>> Is there anything else you could do? Password rotation? What would you
>> do if you had to run, say, a security-critical (e.g. a bank or PayPal)
>> system?
>
>If you are really paranoid:
># sysctl -w net.inet.ip.random_id=1
>
Against what threat?

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
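
Added example, not part of the original message or thread: a small sh helper that reads BSD-style `netstat -an` output and prints one explicit, stateless ipf `block` rule for each externally reachable listening TCP port that is not meant to be public, as the reply suggests doing instead of 'keep state'. The function names, the allowed-port default of 80, and the sample netstat text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `netstat -an -f inet` style text
# on stdin and emits stateless ipf rules for listeners that should not be
# reachable. $1 is a space-separated list of ports to leave open (assumed: 80).
gen_block_rules() {
    allowed=" ${1:-80} "
    awk -v allowed="$allowed" '
        $1 == "tcp" && $NF == "LISTEN" {
            addr = $4
            if (addr ~ /^127\./) next            # bound to loopback only
            n = split(addr, part, ".")           # BSD netstat prints addr.port
            port = part[n]
            if (port !~ /^[0-9]+$/) next         # skip anything unparsable
            if (index(allowed, " " port " ")) next
            if (!(port in seen)) {
                seen[port] = 1
                print "block in quick proto tcp from any to any port = " port
            }
        }' | sort -t= -k2 -n
}

# Constructed sample input; addresses are documentation ranges.
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  *.80                   *.*                    LISTEN
tcp        0      0  *.6000                 *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  192.0.2.10.80          198.51.100.7.51234     ESTABLISHED
tcp        0      0  *.22                   *.*                    LISTEN
udp        0      0  *.514                  *.*
EOF
}

# Each line printed is a service that is still listening; an empty result
# means there is nothing to block.
sample_netstat | gen_block_rules "80"
```

On a live host the input would come from `netstat -an -f inet | gen_block_rules 80`; only IPv4 TCP listeners are considered.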