[ILUG] Firewalls... linux -v- BSD
paul at clubi.ie
Wed Aug 30 01:15:58 IST 2006
On Tue, 29 Aug 2006, Stephen Shirley wrote:
> It helps deal with broken protocols such as ftp and irc-dcc, no?
Actually, it can potentially work /better/ with these protocols.
> It also means you don't have to run a firewall on each individual
> machine to prevent an information leak, as I understand it.
Nope.
But running a firewall on each host is a good idea.
> Steady on there. I would consider that to be an unusual layout,
Hosts with multiple interfaces to multiple networks are not unusual.
There's no point having redundancy in your hosts, your network
infrastructure, etc. if it then all gates through a single firewall.
People do go deploy such hosts, with interfaces to networks with
different firewalls for redundancy and then wonder why packets often
don't get through.
If firewalls were stateless by default, we'd have a lot fewer
confused people.
> and yes, certainly not one I would attempt to do stateful
> firewalling on.
Good man. :)
> Just because it doesn't apply in a corner case doesn't make it
> generally a bad idea however.
You've got it the wrong way around.
Tell me something /good/ about stateful TCP filtering - unneeded
complexity is *bad* if it serves little purpose, surely that's
obvious?
regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
Fortune:
"Why would a robot need to drink?" -Fry
"I don't need to drink, I can quit anytime I want." -Bender
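The failure mode Paul describes (redundant firewalls, a host whose outbound and return traffic take different paths, and connection tracking that only one box has seen) can be made concrete with a small simulation. This is an added example written for this page, not code from the thread or from either poster; the addresses (10.0.0.5, 203.0.113.10, 198.51.100.7), firewall names and the simplified "ACK bit set" stateless rule are constructed for illustration, and real stateful engines track far more than the 4-tuple used here.

```python
"""Stateful vs stateless filtering across two redundant firewalls on an
asymmetric path. Constructed simulation for illustration; not from the
ILUG thread. Addresses are RFC 1918 / RFC 5737 documentation ranges."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet model: 4-tuple plus flag set (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})


class Firewall:
    def __init__(self, name: str, inside_prefix: str):
        self.name = name
        self.inside_prefix = inside_prefix  # e.g. "10.0.0." marks the inside net

    def is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)


class StatefulFirewall(Firewall):
    """Tracks connections opened from inside. An inbound packet is accepted
    only if it matches state that *this* box created; a sibling firewall
    that never saw the SYN has no such state."""

    def __init__(self, name: str, inside_prefix: str):
        super().__init__(name, inside_prefix)
        self.conntrack = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt: Packet) -> bool:
        if self.is_inside(pkt.src):
            # Outbound: record the connection so replies can be matched.
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: reverse the tuple and require existing state.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack


class StatelessFirewall(Firewall):
    """Classic ACL: outbound always allowed; inbound allowed only when the
    ACK bit is set, so an unsolicited inbound SYN is dropped without any
    per-connection memory. Every box applies the same rule independently."""

    def filter(self, pkt: Packet) -> bool:
        if self.is_inside(pkt.src):
            return True
        return "ACK" in pkt.flags


def run_handshake(outbound_fw: Firewall, inbound_fw: Firewall) -> str:
    """Client 10.0.0.5 opens TCP to 203.0.113.10:80. The SYN leaves through
    outbound_fw and the SYN-ACK returns through inbound_fw; passing two
    different boxes models the asymmetric path from the thread."""
    syn = Packet("10.0.0.5", 40000, "203.0.113.10", 80, frozenset({"SYN"}))
    syn_ack = Packet("203.0.113.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
    if not outbound_fw.filter(syn):
        return f"SYN dropped by {outbound_fw.name}"
    if not inbound_fw.filter(syn_ack):
        return f"SYN-ACK dropped by {inbound_fw.name}"
    return "established"


def unsolicited_inbound_allowed(fw: Firewall) -> bool:
    """An outside host tries to open a connection inbound to an inside host.
    Both designs are expected to refuse it."""
    unsolicited = Packet("198.51.100.7", 51000, "10.0.0.5", 22, frozenset({"SYN"}))
    return fw.filter(unsolicited)


def scenarios() -> dict:
    """Run the four cases that matter for the argument and return the outcomes."""
    sf_a, sf_b = StatefulFirewall("fw-a", "10.0.0."), StatefulFirewall("fw-b", "10.0.0.")
    sl_a, sl_b = StatelessFirewall("fw-a", "10.0.0."), StatelessFirewall("fw-b", "10.0.0.")
    return {
        "stateful_symmetric": run_handshake(sf_a, sf_a),    # same box both ways
        "stateful_asymmetric": run_handshake(sf_a, sf_b),   # reply via the other box
        "stateless_asymmetric": run_handshake(sl_a, sl_b),  # no shared state needed
        "stateful_unsolicited": unsolicited_inbound_allowed(sf_a),
        "stateless_unsolicited": unsolicited_inbound_allowed(sl_a),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The asymmetric stateful case fails on the SYN-ACK because fw-b has no entry for a connection fw-a created, which is exactly the "packets often don't get through" symptom; the stateless pair passes it because each box decides from the packet alone. The usual operational answers are to keep paths symmetric or to synchronise connection state between the redundant firewalls (pfsync on OpenBSD/pf, conntrackd on Linux); the flag-based stateless rule shown here is deliberately simple and is weaker than tracking (it accepts any inbound segment with ACK set), which is the trade-off the two posters are arguing about.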