On Tue, Mar 29, 2005 at 03:43:11AM +0200, Javier Fernández-Sanguino Peña wrote:

> And, yes, if you need outgoing FTP/WWW access from that box then you should
> have a filter for those servers you actually need (like
> security.debian.org). Sorry, allowing remote access to an SSH server that
> is not setup in a properly isolated DMZ with incoming and outgoing filters
> is not a good idea.

It should be noted that it is entirely possible, even on today's internet, to run a large network completely exposed to the internet. It always makes me sad when I hear people talking as though you simply *must* have a firewall, or else you're endangering yourself, your users, and the internet community as a whole. You can run with a "default allow" policy, and do it safely.

Firewalls cause two major problems.

First of all, they lead to a false sense of security. They create a "soft underbelly" with a hard shell. If you can get through the shell, who knows what kind of weak trust relationships, unpatched security vulnerabilities, and insecure protocols you're going to find.

Second, it is a royal PITA for users who find that their applications don't work due to strict firewall policies. These users, or the developers of their software, will invariably find some way to get their traffic through. Witness all the stuff that gets tunneled over HTTP or ssh these days. Traffic will flow around your firewall, one way or another.

Secure hosts, services, and authentication mechanisms, as well as sound policies, can make an open network at least as secure as one that is tightly firewalled.

noah
Attachment:
pgpsMBtNxnO5F.pgp
Description: PGP signature
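The quoted advice above asks for two things on the SSH box: incoming filters (SSH reachable only from where it should be) and outgoing filters that allow only the servers the box actually needs, such as security.debian.org. The following shell script is an added example, not code from either poster or from the Debian project; it generates such an nftables ruleset rather than applying it, so it can be reviewed first. The admin network, the mirror addresses (standing in for the resolved address of security.debian.org) and the resolver address are placeholders, not real values, and the generator refuses to emit a default-deny output chain with an empty allow list, since that would cut the host off from security updates entirely, which is exactly the kind of breakage the reply warns users will route around.

```shell
#!/bin/sh
# Added example, not from the original thread: generate an nftables ruleset
# for a host whose SSH port is reachable only from an admin network and whose
# outbound traffic is limited to DNS plus HTTP/HTTPS to named update mirrors.
# All addresses used here are placeholders (assumptions), not real ones.

# Arguments: admin network (CIDR), space-separated mirror addresses,
# space-separated resolver addresses. Prints the ruleset on stdout.
gen_ruleset() {
    admin_net="$1"; mirrors="$2"; resolvers="$3"
    # Default-deny egress with nothing permitted would silently break
    # package updates, so refuse to produce such a ruleset.
    [ -n "$mirrors" ]   || { echo "gen_ruleset: no mirrors given" >&2; return 1; }
    [ -n "$resolvers" ] || { echo "gen_ruleset: no resolvers given" >&2; return 1; }
    mirror_set=$(echo "$mirrors" | tr ' ' ',')
    resolver_set=$(echo "$resolvers" | tr ' ' ',')
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ct state invalid drop
        ip saddr $admin_net tcp dport 22 ct state new accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        ip daddr { $resolver_set } udp dport 53 ct state new accept
        ip daddr { $mirror_set } tcp dport { 80, 443 } ct state new accept
        log prefix "egress-denied: " drop
    }
}
EOF
}

# Count the rules that accept new connections in a ruleset read from stdin,
# so a reviewer can confirm the allow list is as short as intended.
count_allows() {
    grep -c 'ct state new accept'
}

# Constructed example values: one admin network, two mirror addresses
# (placeholders for security.debian.org), one resolver.
gen_ruleset 192.0.2.0/24 "198.51.100.10 198.51.100.11" 192.0.2.53
```

Review the output, then load it with `nft -f` from a console session rather than over SSH, since a mistake in the input chain will lock you out. Note that the mirror addresses must be kept in step with DNS, and that the `log` line in the output chain is what tells you which application a user is about to start tunnelling over port 443.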