I recently bought a D-Link router and have:
| DSLModem | --> | router | ---> rh9
On rh9 I boot with a modified version of lokkit where only ESTABLISHED,RELATED connections are allowed (for exceptions see note * below). Default policy for INPUT and FORWARD is DROP.
Do I need to embellish this firewall with, say, fragment blocking:
iptables -I INPUT 2 -i eth0 -f -j DROP    # drop second and further fragments arriving on eth0
and checking for a "SYN" flood of packets:
iptables -N syn-flood                                                   # user chain for inbound SYNs
iptables -I INPUT 3 -i eth0 -p tcp --syn -j syn-flood                   # send every new-connection SYN from eth0 through it
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN    # up to 4 at once, then 1 per second, go back to INPUT
iptables -A syn-flood -j DROP                                           # anything above that rate is dropped
Before the router, I thought these things were necessary, as I was coming straight into eth0 from the DSL modem.
At the present time I don't do anything more than surf and get e-mail on this machine.
On the XP box I enabled the "stateful firewall" they have built in, although I don't know exactly how it works (and it doesn't appear to allow much customization).
D-Link DI-704P / Compaq w/AMD K6-2 533MHz
kernel 2.4.20-20.9 (rh modified)
* - NOTE: allow router port 67 -> 68 for DHCP, plus your usual loopback stuff. Also allow any UDP packets from port 53 on my provider's nameservers.
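An added example, not from the original post: the ruleset described above (default DROP, ESTABLISHED,RELATED replies, the DHCP, loopback and nameserver exceptions from the note, plus the fragment and SYN-limit rules) assembled as one script that prints the iptables commands for review and applies them only when run as "apply" by root. The interface name, router address and nameserver addresses are placeholders (RFC 5737 documentation addresses) and must be changed for a real network. Two caveats worth knowing before adopting the two extra rules: -f matches only second and further fragments, and once connection tracking is loaded (which -m state requires) the kernel reassembles fragments before the filter rules see them, so that rule rarely matches anything; and with a default DROP policy and no rule that accepts NEW connections, an inbound SYN is dropped whether or not it gets through the syn-flood chain, so the rate limit changes nothing unless a port is later opened to the outside.

```shell
#!/bin/sh
# Added example, not the poster's script: emits the iptables ruleset described
# in the post so it can be read before it is applied (run with "apply" to load it).
# All addresses below are placeholders (RFC 5737 documentation ranges); set them
# for your own network before using this.

IFACE="${IFACE:-eth0}"                  # interface facing the D-Link router
ROUTER="${ROUTER:-192.0.2.1}"           # router LAN address, also the DHCP server
DNS="${DNS:-192.0.2.53 198.51.100.53}"  # provider nameservers (space separated)
SYN_RATE="${SYN_RATE:-1/s}"             # refill rate of the limit match's token bucket
SYN_BURST="${SYN_BURST:-4}"             # bucket size: SYNs let through before limiting kicks in

# Print the complete ruleset as shell commands. Order matters: the loopback,
# fragment and SYN rules come first, then the stateful rule, then the exceptions.
emit_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# second and further fragments (inert once conntrack reassembles packets first)
iptables -A INPUT -i $IFACE -f -j DROP
# SYN rate limit: burst of $SYN_BURST, then $SYN_RATE; excess SYNs are dropped
iptables -N syn-flood
iptables -A syn-flood -m limit --limit $SYN_RATE --limit-burst $SYN_BURST -j RETURN
iptables -A syn-flood -j DROP
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
# replies to connections this host opened
iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP from the router (server port 67 -> client port 68)
iptables -A INPUT -i $IFACE -p udp -s $ROUTER --sport 67 --dport 68 -j ACCEPT
EOF
    # one accept rule per provider nameserver, as in the note
    for ns in $DNS; do
        echo "iptables -A INPUT -i $IFACE -p udp -s $ns --sport 53 -j ACCEPT"
    done
}

# Number of rules that will be appended to the named chain (review helper).
rule_count() {
    emit_rules | grep -c "^iptables -A $1 "
}

if [ "${1:-}" = "apply" ]; then
    emit_rules | sh          # needs root; replaces whatever lokkit loaded
else
    emit_rules               # dry run: just show what would be loaded
fi
```

Because connection tracking is in place, UDP DNS replies already match ESTABLISHED; the explicit port-53 rules are kept only because the note lists them, and removing them does not break name resolution.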