On Tuesday 27 February 2007, Grant wrote:
> > > > Anyway, a closed port remains closed whether a firewall is
> > > > running, or not.
> > >
> > > I thought the firewall specified which ports to open/close.
> >
> > Not quite, but we might be running into terminology here.
> >
> > The app that is listening on a port opens the port. This has nothing
> > to do with the firewall. The firewall is simply an extra level of
> > checks applied before the packet is allowed through the firewall to
> > be received by the kernel, in the same way that a bouncer allows or
> > disallows the public to enter a club. If the bouncer is off sick,
> > the public gets to walk through the door up to reception, assuming
> > the club is open for business.
> >
> > What Mick was referring to is that if a service is running, it's
> > still going to listen on its port whether iptables is running or
> > not. So, in the absence of iptables (i.e. your bouncer is off
> > sick), you hopefully have a decent password strategy in use by
> > whatever is actually listening on the box.
>
> So as far as incoming connections are concerned, if there are no
> listening applications, there is no need for a firewall?

Technically yes. In the real world, it depends. The theory will work if
and only if you can absolutely guarantee that no listening service will
ever be running behind that firewall, and that this will always be true
from here on out till the end of time regardless of who has access to
the machine.

That's a tall order, and leaves human nature out of it. You might
install a listening app and leave it running in error without realising
the impact of not having a firewall. Someone else might do the same.

Ubuntu takes the approach you just asked about and it mostly works well,
especially for notebooks on a LAN behind a NATing gateway. If you are
running a network with valuable private information on it, you might
well prefer a belts and braces approach of having a mostly-closed
firewall as well.

As always, the best solution will vary according to what *you* need.

alan

--
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?

Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
--
gentoo-user@g.o mailing list
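The two points the thread makes (a port is "open" because a process listens on it, regardless of the firewall; and a mostly-closed ruleset guards against the service you forgot about) can be checked in a few lines of POSIX shell. The script below is an added example, not code from anyone in the thread. It parses a constructed sample in the format of /proc/net/tcp, lists the sockets in LISTEN state, reports any that are not on the intended list, and emits a default-DROP ruleset in iptables-restore format. The function names, the sample table, and the "22 80 intended" policy are assumptions for the example.

```shell
#!/bin/sh
# Audit what is really listening (the "open" ports, firewall or not) and
# generate a mostly-closed iptables ruleset that only admits intended ports.

# Constructed sample in /proc/net/tcp format: sshd on 22, a web server on 80,
# a forgotten debug service on 127.0.0.1:8080, and one established session.
# Column 4 is the socket state: 0A is LISTEN, 01 is ESTABLISHED.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0A00020F:0016 0A000201:C2E4 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1'

# Print the decimal port of every LISTEN socket, one per line, ascending.
# $1 is the table text, so it can run on a saved sample; on a live box use:
#   listening_ports "$(cat /proc/net/tcp)"
listening_ports() {
    printf '%s\n' "$1" | awk '
        # /proc/net/tcp stores ports as 4 hex digits; convert without gawk extensions
        function hex2dec(h,   i, n, c) {
            n = 0
            for (i = 1; i <= length(h); i++) {
                c = substr(h, i, 1)
                n = n * 16 + index("0123456789ABCDEF", toupper(c)) - 1
            }
            return n
        }
        NR > 1 && $4 == "0A" {
            split($2, a, ":")      # local_address is addr:port
            print hex2dec(a[2])
        }' | sort -n | uniq
}

# Print listening ports that are NOT on the intended list.
# $1: table text, $2: space-separated intended ports (e.g. "22 80").
# A non-empty result is the "left it running in error" case from the thread.
unexpected_ports() {
    for p in $(listening_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;                    # intended, say nothing
            *) printf '%s\n' "$p" ;;        # listening but not intended
        esac
    done
}

# Emit a mostly-closed IPv4 ruleset in iptables-restore format: INPUT defaults
# to DROP, loopback and reply traffic are accepted, then only the intended
# TCP ports. $1: space-separated intended ports. The output is text; review
# it, then apply with:  iptables-restore < rules.v4
mostly_closed_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $1; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Stand-alone run over the constructed sample with "22 80" as the intended set.
if [ "${1:-}" = "--demo" ]; then
    echo "Listening:";  listening_ports "$SAMPLE_PROC_NET_TCP"
    echo "Unexpected:"; unexpected_ports "$SAMPLE_PROC_NET_TCP" "22 80"
    echo "Ruleset:";    mostly_closed_ruleset "22 80"
fi
```

Run with `--demo` to see the three outputs. The debug service on 8080 shows up as unexpected even though it is bound to 127.0.0.1; that is deliberate, since the audit is about what is listening, and deciding whether a loopback-only bind is acceptable is a policy call that belongs in the intended list. With the generated ruleset loaded, the forgotten 8080 listener is unreachable from the network even though the process is still there, which is exactly the "bouncer on duty" case the thread describes.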