
Re: hurd does NOT need /hurd



Marcus Brinkmann wrote:
On Tue, May 21, 2002 at 10:33:09AM -0400, Nathan Hawkins wrote:

Jails are kind of like the translators. They're a kernel-specific (or whatever the Hurd is supposed to be) add-on. They're useful, but more of a nice-to-have add-on than an essential feature for an operating system. Complete and usable TCP/IP support is not, and I, and many other people, would classify firewalling as a required part of a complete TCP/IP implementation.


Richard Stevens, TCP/IP Illustrated, Vol. 1 does mention firewall gateways
only three times (and has one book about it in the bibliography for
further reading).  I don't have the other two, so maybe someone can check if
he covers firewalling in those books in more detail.

He does not mention firewalling on non-gateway hosts.

He's out of date WRT current practice. And some networks have more than one gateway, in which case it can be desirable to administer on the hosts with the relevant services.

I don't have a lot of experience with administration of network systems, but
what I have seen is that the common way to use firewalls is to buy them as
firewalls and use them to secure the LAN.

People also regularly use "firewalling" features to do things that aren't really security related. I see people using IP filtering in combination with routing, NAT, and even QOS.

FWIW, Debian GNU/FreeBSD will have firewalling tools. It looks like there are two different firewall implementations supported by the kernel, actually. There is also IPsec and IPv6 support.


FWIW, Debian GNU/Hurd will have ways to secure the network and services, too. It might even have firewall features. But does the first version have
firewall features?  Maybe.  This depends on a lot of things, and all of them
are completely unrelated to how important firewalling really is.

This is a good point. The first release of the Hurd can reasonably be expected to have limitations and missing functionality.

That doesn't mean Debian should release it as a stable architecture at that point. ;-)

	---Nathan

