Firewall
Matthew Miller
mattdm at mattdm.org
Mon Dec 6 19:20:34 UTC 2010

On Mon, Dec 06, 2010 at 08:09:29PM +0100, Miloslav Trmač wrote:
> I can see the following primary reasons to have a firewall:
> * Enforcing a sysadmin-set (system-wide or site-wide) policy.
> "No, you will not run any bittorrent client on the company's
> computer".
>
> * A "speed bump" that requires an independent action to prevent
> unintentionally opening up a service.
>
> "You have started $server, and it accepts connections from the
> whole internet. Here's your chance to think about this again.
> Do you want to open the port?"

The question implies some sort of GUI pop-up. More likely is the incidental
installation of something. Does Gnome still pull in Apache for peer-to-peer
filesharing? Or some other package misconfigured to listen when it
shouldn't. Installing a firewall by default contributes to defense in depth
at relatively little cost.

> * ZOMG WE NEED A FIREWALL
> "I can't use this Linux thing, my bank requires me to run an
> antivirus and a firewall."

And don't underestimate that need -- more places than banks have similar
requirements.

> Are there other reasons?

Programs like fail2ban use the packet filter to block aggressive brute-force
attempts. But I don't think any of them require an existing configuration of
some sort -- they just do their own thing on top of whatever is there.

--
Matthew Miller <mattdm at mattdm.org>
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences