From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] What if the firewall doesn't start?
Date: Tue, 27 Feb 2007 06:59:22 +0000
User-Agent: KMail/1.9.5
References: <49bf44f10702251158n2ab9c587y9563d6ad4fa3a4b3@mail.gmail.com> <200702262129.52581.alan@linuxholdings.co.za> <49bf44f10702261921k76a9f2f6pbb36585bcd73f61b@mail.gmail.com>
In-Reply-To: <49bf44f10702261921k76a9f2f6pbb36585bcd73f61b@mail.gmail.com>
Message-Id: <200702270659.24634.michaelkintzios@gmail.com>

On Tuesday 27 February 2007 03:21, Grant wrote:
> > > > Anyway, a closed port remains closed whether a firewall is running,
> > > > or not.
> > >
> > > I thought the firewall specified which ports to open/close.
> >
> > Not quite, but we might be running into terminology here.
> >
> > The app that is listening on a port opens the port. This has nothing to do
> > with the firewall. The firewall is simply an extra level of checks
> > applied before the packet is allowed through the firewall to be
> > received by the kernel, in the same way that a bouncer allows or
> > disallows the public to enter a club. If the bouncer is off sick, the
> > public gets to walk through the door up to reception, assuming the club
> > is open for business.
> >
> > What Mick was referring to is that if a service is running, it's still
> > going to listen on its port whether iptables is running or not. So, in
> > the absence of iptables (i.e. your bouncer is off sick), you hopefully
> > have a decent password strategy in use by whatever is actually
> > listening on the box.
>
> So as far as incoming connections are concerned, if there are no
> listening applications, there is no need for a firewall?

As I understand it, no.  However, a firewall is there to offer additional
functionality and protection by logging packets, filtering the amount of
incoming packets, proactively blocking some of these from coming in, etc.

After all, you would be less inclined to allow a machine which has been
scanning your server ports for the last 10 minutes to try to authenticate on
a legitimate service port, right?

http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml

-- 
Regards,
Mick

-- 
gentoo-user@gentoo.org mailing list