Gentoo Archives: gentoo-user

From: Alan McKinnon <alan@××××××××××××××××.za>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] What if the firewall doesn't start?
Date: Tue, 27 Feb 2007 15:39:58
Message-Id: 200702271726.47096.alan@linuxholdings.co.za
In Reply to: Re: [gentoo-user] What if the firewall doesn't start? by Grant
On Tuesday 27 February 2007, Grant wrote:
> > > > Anyway, a closed port remains closed whether a firewall is
> > > > running, or not.
> > >
> > > I thought the firewall specified which ports to open/close.
> >
> > Not quite, but we might be running into terminology here.
> >
> > The app that is listening on a port opens the port. This has nothing
> > to do with the firewall. The firewall is simply an extra level of
> > checks applied before the packet is allowed through the firewall to
> > be received by the kernel, in the same way that a bouncer allows or
> > disallows the public to enter a club. If the bouncer is off sick,
> > the public gets to walk through the door up to reception, assuming
> > the club is open for business.
> >
> > What Mick was referring to is that if a service is running, it's
> > still going to listen on its port whether iptables is running or
> > not. So, in the absence of iptables (i.e. your bouncer is off
> > sick), you hopefully have a decent password strategy in use by
> > whatever is actually listening on the box.
>
> So as far as incoming connections are concerned, if there are no
> listening applications, there is no need for a firewall?

Technically yes. In the real world, it depends. The theory will work if
and only if you can absolutely guarantee that no listening service will
ever be running behind that firewall, and that this will always be true
from here on out till the end of time regardless of who has access to
the machine.

That's a tall order, and leaves human nature out of it. You might
install a listening app and leave it running in error without realising
the impact of not having a firewall. Someone else might do the same.

Ubuntu takes the approach you just asked about and it mostly works well,
especially for notebooks on a LAN behind a NATing gateway. If you are
running a network with valuable private information on it, you might
well prefer a belts and braces approach of having a mostly-closed
firewall as well.

As always, the best solution will vary according to what *you* need.

alan

--
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?

Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
--
gentoo-user@g.o mailing list
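An added example, not from the thread, of the point Alan makes above: the firewall only filters what is already listening, so the thing to audit on a box whose iptables might fail to start is its listening sockets. This POSIX shell check parses `ss -Hlntu` output and reports every listener not bound to loopback; the sample `ss` output below is constructed.

```shell
#!/bin/sh
# Report listening sockets that would be reachable from the network if no
# packet filter were loaded: anything not bound to 127.0.0.0/8 or [::1].
# Input format is that of `ss -Hlntu` (no header; columns are
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).

# Constructed sample of `ss -Hlntu` output for a host with a few daemons.
SAMPLE_SS='tcp   LISTEN 0 128 127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 50  192.168.1.10:3306 0.0.0.0:*
tcp   LISTEN 0 128 [::1]:25          [::]:*
tcp   LISTEN 0 511 [::]:80           [::]:*
udp   UNCONN 0 0   0.0.0.0:68        0.0.0.0:*'

# exposed_listeners: read ss output on stdin, print "proto addr:port" for
# each socket whose local address is not loopback. Wildcard binds
# (0.0.0.0 and [::]) count as exposed, since they answer on every interface.
exposed_listeners() {
    awk 'NF >= 5 {
        la = $5
        # The port is everything after the last colon; the address is the
        # rest, so bracketed IPv6 literals such as [::]:80 split correctly.
        n = split(la, parts, ":")
        port = parts[n]
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next
        print $1, addr ":" port
    }'
}

# With --live, audit this host instead of the constructed sample.
if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
    ss -Hlntu | exposed_listeners
else
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
fi
```

On the sample this lists sshd on 0.0.0.0:22, MySQL on 192.168.1.10:3306, the web server on [::]:80 and the DHCP client on udp 68, while CUPS on 127.0.0.1:631 and the MTA on [::1]:25 are left out because they are only reachable locally.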

Replies

Subject Author
Re: [gentoo-user] What if the firewall doesn't start? Grant <emailgrant@×××××.com>
Re: [gentoo-user] What if the firewall doesn't start? Grant <emailgrant@×××××.com>