Mike wrote:
> Of course, the iptables limiting approach is reasonable too, but I
> just wanted to know that I'm filtering someone who's actually
> failing login.

This might be good information; however, I believe that is exposing yourself to the very low probability that someone might actually brute-force guess a password on your system or expose a new vulnerability in the daemon answering to that port. I would say "defense in depth" would be the best answer to get filtering at the time of TCP negotiation as well as answering to log events.

> But I suspect that getting IPSec working between my roaming laptop
> and my home network is higher up on my To-Do,-Someday,-Hopefully
> list..

I was looking at OpenVPN as a solution. I'm using OpenWRT on my Linksys, and there's already a package for it. In fact, I plan on using the same setup at work to get us on to the private LAN in the server room. There are nice OpenVPN clients for most OSes.

Anyway, back to homework.

--
Chad Walstrom <chewie at wookimus.net>
http://www.wookimus.net/
assert(expired(knowledge)); /* core dump */