[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Required firewall support

On 17-Mar-05, 01:01 (CST), Joel Aelwyn <fenton@debian.org> wrote: 
> * The ability for an interface to receive, by default, only traffic that
>   is destined for that interface. (Non-promiscuous mode; promiscuous mode
>   availability is a big plus, but not required from the OS point of view)

Linux fails this. Even with forwarding disabled, it will accept packets
for an address on interface A via interface B.

The rest of your points are valid for a *packet filter* firewall that
exists *between* the internet and a LAN (and/or DMZ). For a machine
that is directly connected, you can run only the services that you're
actually supporting, and use tcpwrappers et. al. to control access to
those, if you like. Packet filtering is basically irrelevant. And there
are other kinds of firewalls besides packet filters.


Steve Greenland
    The irony is that Bill Gates claims to be making a stable operating
    system and Linus Torvalds claims to be trying to take over the
    world.       -- seen on the net

Reply to: