I've seen that I have the following ports open: 23, 25, 80, 113, 119, 515, and I would like to close some to increase system security. Which ports can I close without compromising system functionality?

Reading the ipfwadm man page I found a line that should work, but I'm not sure: please tell me if it's correct.

    /sbin/ipfwadm -I -a deny -b -P all (or only "tcp"?) -S 0.0.0.0/0 -D$LOCALHOST 23 25 80 113 119 515

This should hermetically seal all those ports (?), but what would happen if I try to connect to my own web server (I use it to test some CGI scripts)? The connection should be denied, right? And if I try to send a mail from my mail reader to my local Sendmail? And if I try to send the waiting mail queue (sendmail -q &)? And if I try to print to my local printer (on LPT1)? So, how could I tell my firewall to allow these connections only if they are coming from my own system?

At the moment, at system startup the following lines are executed:

    /sbin/ipfwadm -A -a -P all -S $IPADDR -D 0/0
    /sbin/ipfwadm -A -a -P all -S 0/0 -D $IPADDR

That is, all connections are enabled from all hosts and all protocols can be used, right?

What would happen if I reject all incoming ICMPs from all hosts? Would I no longer be flooded?

    /sbin/ipfwadm -I -a deny (or reject?) -P icmp -S 0.0.0.0/0 -D$LOCALHOST

Is this line correct?

One more question: I've seen, at Suse's ftp, a kernel "patched against syndrop" and also a file called "2.0.33-fragment.diff" that should patch against nestea attacks. To patch my system (kernel 2.0.33), do I have to download the new patched kernel and apply "2.0.33-fragment.diff", or can I apply "2.0.33-fragment.diff" directly to my kernel "linux-2.0.33.pre.SuSE.3" and get patched also against syndrop? Are Nestea and Syndrop the same thing?

Last question: is it true that, to compile the kernel successfully, I must log in as root, and not log in as a normal user and then "su" in an xterm window?

Thanks for your help. Bye.

P.S.: If I would like to patch my ip_fragment.c "manually", what should I change? Should I look in the original file for the line

    if (fp->len < 0 || count+fp->len > skb->len)

and replace it with the line

    if (fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len)

then configure and compile the kernel?

P.S.2: What would happen if, during kernel configuration, I specify a wrong address for a card... say a sound card or network card? Will the system lock up at startup, or would it simply ignore the device?