Quote Originally Posted by anomie View Post
Well, tcp_wrappers does offer a similar functionality for the result you want, but it denies subnets on a different level (libwrap.so support gets compiled into the daemon you're running -- in this case sshd). A port scan will still show that tcp port 22 is open. The packet filtering provided by iptables/netfilter can prevent scanners from seeing port 22 as anything but filtered.

Does it matter? Probably not. If you were a high-profile target you might be interested in throttling connections and traffic shaping with iptables. (Then again, if you were a high-profile target you probably wouldn't be relying on a host-level firewall.)

I'm not arguing that you should make any changes. I have a server with a similar setup to what you describe: sshd running with pubkey authentication only (and some other tweaks to harden the config) and no packet filtering on that port.
Thanks a lot for your info. So I do not need to be too worried about my setup and I will check the firewall configurations to improve it even further in the future.

I had just the experience that a high performance computer (was not intended to be a server) was sending spams through sendmail (at least not to the US but Tawain ).
This computer was protected by a firewall, which, however, was managed by a different person. I guess a firewall that is not well configured does not give you any protection and if you do not have the permissions to configure it than you should at least improve the security by using the linux/unix tools.