I'm assuming the Linux box we're discussing is a firewalling router. If
it's an internal machine, the packet filter is too little too late.
I see the packet filter (which you've been calling a "firewall", which it is
only minimally) as being best placed at the border between your internal
network and the outside world. Once they get inside that, you can
packet-filter individual machines but you'll have to do a lot more work to
secure those hosts from other internal hosts which might be vulnerable to
outside attack (WinXX hosts, network printers, etc.). It'll take more than
just a packet filter to help you there: it's nearly worthless.
(That said, I'm using it as such on some ECE cluster machines --- but only
because we can't use a firewalling router, we need to allow pretty much
unrestricted outside access to large parts of the network. But I can do
everything in my power to keep the script-kiddies out of the cluster.)
The packet filter on the internal host is a last-ditch blockade and possibly
a backup for the *real* firewall. It's not something I would want to count
on to secure my entire network.
Running without a firewall is generally a bad idea... but may be inescapable
for various reasons (see parenthetical above). If so, just about anything
goes --- but realistically, the battle has pretty much been lost already
unless you packet-filter to prevent *all* incoming connections (like I run
the machine I dial up from --- backed up by running no servers :-)
--
brandon s. allbery [os/2][linux][solaris][japh] allbery@kf8nh.apk.net
system administrator [WAY too many hats] allbery@ece.cmu.edu
electrical and computer engineering carnegie mellon university
(bsa@kf8nh is still valid.)
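The host-only stance the post ends on (block *all* incoming connections, only let replies to your own traffic back in) as an added example in present-day nftables syntax; this is editorial, not the poster's own configuration, which would have used the packet filter of its day. It assumes a single-homed client host with nothing meant to listen, so no inbound ports are opened at all.

```nftables
#!/usr/sbin/nft -f
# Host-level "no incoming connections" policy (editor's example, not from the post).
# Load with: nft -f thisfile   -- then confirm nothing listens anyway with: ss -ltnu
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always local; leave it alone.
        iif lo accept

        # Packets that belong to a connection this host started (or that
        # conntrack ties to one, e.g. FTP data) are the only thing let in.
        ct state established,related accept

        # Anything conntrack cannot classify is dropped outright.
        ct state invalid drop

        # Keep the control messages needed for working TCP/IP (path MTU,
        # unreachable, IPv6 neighbour discovery); everything else ICMP is dropped too.
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Log (rate-limited, so a scan cannot fill the disk) what the default policy drops.
        limit rate 5/minute log prefix "inbound-drop: "
        drop
    }

    chain forward {
        # A single host forwards nothing; a firewalling router would put its rules here.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound is unrestricted; this is a client box, not a border filter.
        type filter hook output priority 0; policy accept;
    }
}
```

The `ss -ltnu` check in the header comment is the "running no servers" half of the post's advice: an empty listener list means the filter is backup, not the only line of defence.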