
Re: Required firewall support



On 17-Mar-05, 01:01 (CST), Joel Aelwyn <fenton@debian.org> wrote: 
> * The ability for an interface to receive, by default, only traffic that
>   is destined for that interface. (Non-promiscuous mode; promiscuous mode
>   availability is a big plus, but not required from the OS point of view)

Linux fails this. Even with forwarding disabled, it will accept packets
for an address on interface A via interface B.

The rest of your points are valid for a *packet filter* firewall that
exists *between* the internet and a LAN (and/or DMZ). For a machine
that is directly connected, you can run only the services that you're
actually supporting, and use tcpwrappers et al. to control access to
those, if you like. Packet filtering is basically irrelevant. And there
are other kinds of firewalls besides packet filters.

Steve

-- 
Steve Greenland
    The irony is that Bill Gates claims to be making a stable operating
    system and Linus Torvalds claims to be trying to take over the
    world.       -- seen on the net
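The behaviour Steve describes (a "weak host" model: the kernel accepts a packet for any local address no matter which interface it arrives on) is easiest to see with a small model of the acceptance decision, plus the per-interface INPUT rules an administrator would use to enforce the stricter behaviour. This is an added illustration, not code from the thread or from Debian; the interface names and addresses are constructed, and the iptables syntax assumed here is the classic `iptables -A INPUT -i IFACE -d ADDR` form.

```python
"""Weak vs. strong host model on a two-interface box, and the iptables
rules that make Linux behave like the strong model for locally delivered
traffic. All interface names and addresses below are constructed."""

# Constructed example host: two interfaces with one address each
# (documentation / RFC 1918 ranges, not real systems).
INTERFACES = {
    "eth0": ["192.0.2.10"],
    "eth1": ["10.0.0.1"],
}


def accepts(ifaces, ingress, dst, model="weak"):
    """Return True if a packet to `dst` arriving on `ingress` is delivered
    locally.

    "weak"   mirrors the default Linux behaviour described in the post:
             any local address is accepted on any interface, even with
             forwarding disabled.
    "strong" requires `dst` to be configured on the ingress interface.
    """
    if model == "weak":
        return any(dst in addrs for addrs in ifaces.values())
    if model == "strong":
        return dst in ifaces.get(ingress, [])
    raise ValueError(f"unknown host model: {model}")


def strong_host_rules(ifaces):
    """Generate iptables INPUT rules that emulate the strong host model.

    For each interface: accept traffic whose destination is one of that
    interface's own addresses, then drop everything else that arrived on
    it. Forwarded traffic is unaffected (it traverses FORWARD, not INPUT),
    and loopback is left alone. Broadcast/multicast destinations would need
    explicit ACCEPT rules before the per-interface DROP; they are omitted
    here to keep the example focused on unicast delivery.
    """
    rules = []
    for iface, addrs in sorted(ifaces.items()):
        if iface == "lo":
            continue
        for addr in addrs:
            rules.append(f"iptables -A INPUT -i {iface} -d {addr} -j ACCEPT")
        rules.append(f"iptables -A INPUT -i {iface} -j DROP")
    return rules


def related_sysctls():
    """Kernel knobs that narrow (but do not by themselves close) the gap.

    rp_filter checks the *source* address against the routing table, so it
    catches spoofed sources but not a legitimate source reaching the wrong
    interface. arp_ignore=1 / arp_announce=2 stop the host answering ARP
    for an address that lives on another interface, which is the usual way
    such traffic ends up on the wrong link in the first place.
    """
    return [
        "net.ipv4.conf.all.rp_filter=1",
        "net.ipv4.conf.all.arp_ignore=1",
        "net.ipv4.conf.all.arp_announce=2",
    ]


if __name__ == "__main__":
    # A packet for eth0's address arriving on eth1: accepted under the
    # weak model, rejected under the strong model.
    print("weak:  ", accepts(INTERFACES, "eth1", "192.0.2.10", "weak"))
    print("strong:", accepts(INTERFACES, "eth1", "192.0.2.10", "strong"))
    print("\n".join(strong_host_rules(INTERFACES)))
    print("\n".join(related_sysctls()))
```

Running it shows the packet for eth0's address being accepted on eth1 under the weak model and refused under the strong one, followed by the rules that would impose the strong behaviour. The sysctl list is deliberately separate from the filter rules: the ARP and reverse-path settings reduce how often misdirected packets arrive, while only the INPUT rules actually refuse them.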


