From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.62) (envelope-from ) id 1HM5Sh-0007OT-Vh for garchives@archives.gentoo.org; Tue, 27 Feb 2007 16:46:00 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.14.0/8.14.0) with SMTP id l1RGhRkg003785; Tue, 27 Feb 2007 16:43:27 GMT
Received: from nz-out-0506.google.com (nz-out-0506.google.com [64.233.162.239]) by robin.gentoo.org (8.14.0/8.14.0) with ESMTP id l1RGY8kh023041 for ; Tue, 27 Feb 2007 16:34:09 GMT
Received: by nz-out-0506.google.com with SMTP id s1so1510686nze for ; Tue, 27 Feb 2007 08:34:08 -0800 (PST)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=VxSCdGYornrgAJg+T26gHqbyq6O4MYgR47lBNaqDI2UhtWEL7WPhXmLSgxYrQFyq2v9p/dK43vyJ/+0S5KbX493SpHifcfbDOCjZC6x+PddUSlLC+LM7z90REV+l3qao/uhmwBIUfE1oEy4jqyxIhz0qjRJ/DG5FvKx+F3wHA44=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=WFJkmf0C+a3EHYgIIhujqc7wifs9ZVkyDoZ6/Lgz3eogXXyJar7lklpSYgmGsDPDKIRYejtUi/EDbBqi42rGleGnaPNuJ3Me0n+ZgZiPCcgvC8RhmJhjyGaTdgG7JeLMN0t+mh1GSSdIWKu+wHrBxhFc/GHiDjxfN61TOB+vG0Q=
Received: by 10.114.159.1 with SMTP id h1mr332424wae.1172594044696; Tue, 27 Feb 2007 08:34:04 -0800 (PST)
Received: by 10.114.176.15 with HTTP; Tue, 27 Feb 2007 08:34:04 -0800 (PST)
Message-ID: <49bf44f10702270834x54dbfee2y19ee1193e5a01a19@mail.gmail.com>
Date: Tue, 27 Feb 2007 08:34:04 -0800
From: Grant
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] What if the firewall doesn't start?
In-Reply-To: <200702271726.47096.alan@linuxholdings.co.za>
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <49bf44f10702251158n2ab9c587y9563d6ad4fa3a4b3@mail.gmail.com> <200702262129.52581.alan@linuxholdings.co.za> <49bf44f10702261921k76a9f2f6pbb36585bcd73f61b@mail.gmail.com> <200702271726.47096.alan@linuxholdings.co.za>
X-Archives-Salt: 6aebff31-db98-4cf8-b913-9fd80ff9f762
X-Archives-Hash: 9e318dd6e36ff9fdece21e17aba118f8

> > > > > Anyway, a closed port remains closed whether a firewall is
> > > > > running, or not.
> > > >
> > > > I thought the firewall specified which ports to open/close.
> > >
> > > Not quite, but we might be running into terminology here.
> > >
> > > The app that is listening on a port opens the port. This has nothing
> > > to do with the firewall. The firewall is simply an extra level of
> > > checks applied before the packet is allowed through the firewall to
> > > be received by the kernel, in the same way that a bouncer allows or
> > > disallows the public to enter a club. If the bouncer is off sick,
> > > the public gets to walk through the door up to reception, assuming
> > > the club is open for business.
> > >
> > > What Mick was referring to is that if a service is running, it's
> > > still going to listen on its port whether iptables is running or
> > > not. So, in the absence of iptables (i.e. your bouncer is off
> > > sick), you hopefully have a decent password strategy in use by
> > > whatever is actually listening on the box.
> >
> > So as far as incoming connections are concerned, if there are no
> > listening applications, there is no need for a firewall?
>
> Technically yes. In the real world, it depends. The theory will work if
> and only if you can absolutely guarantee that no listening service will
> ever be running behind that firewall, and that this will always be true
> from here on out till the end of time regardless of who has access to
> the machine.
>
> That's a tall order, and leaves human nature out of it. You might
> install a listening app and leave it running in error without realising
> the impact of not having a firewall. Someone else might do the same.
>
> Ubuntu takes the approach you just asked about and it mostly works well,
> especially for notebooks on a LAN behind a NATing gateway. If you are
> running a network with valuable private information on it, you might
> well prefer a belts and braces approach of having a mostly-closed
> firewall as well.
>
> As always, the best solution will vary according to what *you* need.

Very informative. Thanks guys.

- Grant
-- 
gentoo-user@gentoo.org mailing list
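The thread's point is that the listening process, not iptables, is what makes a port reachable, and that the only way the "no firewall" argument holds is if nothing is ever left listening on a non-loopback address. The following Python script is an added example, not code from the thread or from Gentoo; it demonstrates both halves. The first part probes a port and reports it the way a scanner would: `open` when a listener completes the handshake, `closed` when the kernel answers with a reset (nothing listening, firewall or not), and `filtered` when there is no answer at all, which is what an iptables DROP rule produces. The second part is the audit the "tall order" above implies: it parses the `/proc/net/tcp` and `/proc/net/tcp6` socket tables (hex address:port, state `0A` = LISTEN, host-byte-order addresses) and flags listeners bound to anything other than loopback. The sample table contents, the port numbers and the UIDs in them are constructed for the example.

```python
from __future__ import annotations

import os
import socket
from dataclasses import dataclass

# --- Part 1: what a remote client sees for a TCP port ---------------------
# open     - a process is listening; the kernel completed the handshake
# closed   - nothing listens; the kernel replied RST (ECONNREFUSED)
# filtered - no reply inside the timeout; this is what a DROP rule looks like

def probe(host: str, port: int, timeout: float = 1.0) -> str:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()

def start_listener() -> tuple[socket.socket, int]:
    """Bind an ephemeral loopback port and listen; the backlog alone is
    enough for the kernel to accept connections, no accept() needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

# --- Part 2: what is actually listening on this box -----------------------
LISTEN_STATE = "0A"  # 'st' column value for TCP LISTEN in /proc/net/tcp*

@dataclass
class Listener:
    ip: str
    port: int
    uid: int
    inode: int

    @property
    def exposed(self) -> bool:
        # Only loopback-bound sockets are unreachable from the network.
        # (IPv4-mapped IPv6 loopback is not special-cased here.)
        return not (self.ip.startswith("127.") or self.ip == "::1")

    def __str__(self) -> str:
        return f"[{self.ip}]:{self.port}" if ":" in self.ip else f"{self.ip}:{self.port}"

def _decode_ip(hexaddr: str) -> str:
    """/proc prints each 32-bit word of the address in host byte order;
    on little-endian hosts every 4-byte group must be reversed."""
    raw = bytes.fromhex(hexaddr)
    if len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    words = [raw[i:i + 4][::-1] for i in range(0, 16, 4)]
    return socket.inet_ntop(socket.AF_INET6, b"".join(words))

def parse_listeners(table: str) -> list[Listener]:
    """Parse the text of /proc/net/tcp or /proc/net/tcp6 into LISTEN sockets."""
    out = []
    for line in table.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN_STATE:
            continue
        addr, port = f[1].split(":")
        out.append(Listener(_decode_ip(addr), int(port, 16), int(f[7]), int(f[9])))
    return out

def exposed_listeners(*tables: str) -> list[str]:
    return [str(l) for t in tables for l in parse_listeners(t) if l.exposed]

def read_system_listeners() -> list[str]:
    tables = [open(p).read() for p in ("/proc/net/tcp", "/proc/net/tcp6") if os.path.exists(p)]
    return exposed_listeners(*tables)

# Constructed sample tables (not captured from a real host):
# sshd on 0.0.0.0:22 (exposed), mysqld on 127.0.0.1:3306 (loopback only),
# one established connection that must be ignored, and for IPv6 an HTTPS
# listener on [::]:443 (exposed) plus something on [::1]:80 (loopback).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18231 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 20417 1 0000000000000000 100 0 0 10 0
   2: 0101A8C0:B1C6 0201A8C0:0016 01 00000000:00000000 00:00000000 00000000  1000        0 22905 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:01BB 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19550 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 21004 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    srv, port = start_listener()
    print(f"127.0.0.1:{port} with a listener  -> {probe('127.0.0.1', port)}")
    srv.close()
    print(f"127.0.0.1:{port} listener stopped -> {probe('127.0.0.1', port)}")
    print("exposed in sample tables:", exposed_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_PROC_NET_TCP6))
    print("exposed on this host:    ", read_system_listeners())
```

Running it shows the port flipping from `open` to `closed` purely because the listening socket went away, with no firewall involved. The audit is the check to run when deciding whether a box really has "no listening applications"; anything it reports as exposed is reachable the moment iptables fails to start, and a default-DROP INPUT policy would instead make those ports show as `filtered` to an outside probe.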