
Re: Request for comments: iptables script for use on laptops.



Hi,

On Tue, May 23, 2006 at 09:53:05AM +0200, LeVA wrote:
> But if one can spoof 127.0.0.1, then one can spoof anything else, so creating 
> any rule with an ip address matching is useless.

Correct. IP-based authentication is inherently flawed. If you want something
like that, use strong cryptography to verify the sender/receiver
(think certificates, SSL, etc.).


> If I set up my firewall 
> to accept only my local network (eg. -s 192.168.0.0/255.255.255.0) connecting 
> to a port (eg. smtp), then anyone can spoof that too. So what's the point of 
> creating rules? :)

Well, there are still some benefits in using a firewall. For example, if you
don't allow access to any port by default, but only open the few you
really need (in case you're running servers which must be reachable from
the net), and you accidentally/unknowingly install/start a daemon which
should _not_ be reachable from outside, the firewall will block any
traffic to it, and hence any exploit attempts.
There are many other valid examples.

It's not the concept of a firewall that is flawed, it's relying on IP
addresses for authentication which is a bad idea.


Uwe.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
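The default-deny laptop policy described above, written out as an added example (this script is not from the thread or from LeVA's original posting). It assumes the machine needs ssh and smtp reachable, as in the discussion; the exposed ports and the LOG prefix are placeholders. Loopback traffic is accepted by interface (`-i lo`) rather than by source address, which is the reason a packet arriving on a real interface with a forged 127.0.0.1 source does not get through, the spoofing case raised in the quoted mail.

```shell
#!/bin/sh
# Added example: default-deny iptables policy for a laptop that still
# exposes a couple of services. Not part of the original thread.
# IPTABLES can be overridden so the rules can be previewed without root:
#   IPTABLES=echo sh fw.sh apply
IPTABLES="${IPTABLES:-iptables}"

# Ports we intentionally expose (assumption: ssh and smtp, as in the thread).
ALLOWED_TCP_PORTS="22 25"

laptop_rules() {
    # Start from a known state, then default-deny inbound and forwarded traffic.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback is matched by interface, not by address. A packet arriving on
    # a real interface with a forged 127.0.0.1 source misses the first rule
    # and is dropped explicitly by the second.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

    # Replies to connections this host opened itself.
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only the services we deliberately run are reachable from outside.
    for p in $ALLOWED_TCP_PORTS; do
        $IPTABLES -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Anything else, including a daemon started by mistake, is logged
    # (rate-limited) and then hits the DROP policy.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Apply only when asked, so sourcing the file for inspection is harmless.
if [ "${1:-}" = "apply" ]; then
    laptop_rules
fi
```

Running with `IPTABLES=echo` prints the rule set instead of installing it, which is a convenient way to review the policy before loading it as root. The conntrack rule is what keeps outbound connections working even though the INPUT policy is DROP.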
