* dman (dman@dman.ddts.net) [020419 09:10]: > On Fri, Apr 19, 2002 at 11:22:56AM -0400, Shawn McMahon wrote: > | begin Noah Meyerhans quotation: > | > HA! That's the most rediculous thing I've ever heard on this list. > | > | "ridiculous". "pedantic". > | > | > The > | > only thing a firewall is good for is to provide you with a false sense > | > of security. > | > | A firewall is a useful tool for securing a network. If you don't know > | enough about security to know that, you shouldn't be pontificating on > | the subject in a public list. Like any other tool, it is neither > | necessary nor sufficient in and of itself. Well said. > | > | > If you want to be able to run services like web or mail > | > servers, you by definition must start punching holes in your firewall. > | > | And, of course, opening a single hole in a firewall makes it completely > | useless. NOT. Go away, troll. > > Noah isn't a troll. He absolutely right here -- if you run a mail > server, no firewall will prevent you from becoming an open relay. > The only firewall that will prevent your mail server from being an > open relay is one which disconnects the mail server from the rest of > the world (and prevents you from getting any mail at all). If you are > to run a mail server you have to open TCP port 25. Once you've done > that, your firewall doesn't help you on port 25 and you must then look > to other means for securing that part of your system/network. > > Noah (and I) didn't say a firewall was useless, just that discussing > firewalls when the problem is a (potential) mail relay is wholly > pointless. Well, there may be other issues on the table here. Will's original question was "can I tell if I've been hacked?" His exim setup could be sound, but it's definitely feasible that a rootkit could install a mail relay listening on another port and sending out a ton of spam unbeknownst to ps and top. Are your hub lights blinking, Will? If that rootkit was installed by somebody exploiting a samba which should have been blocked from The Outside, this could potentially have been prevented if a packet filter was installed to allow incoming connections only to tcp/25. Also, I'm pretty sure Noah did say the firewall was useless - that the only thing it's good for is a false sense of security. 'Troll' may be a bit strong, but then, so was his remark about the usefulness of firewalls! -- Currently seeking opportunities in the SF Bay Area Please see http://www.doorstop.net/resume.shtml
Attachment:
pgp4j2qJRT_Lk.pgp
Description: PGP signature