> > > > Anyway, a closed port remains closed whether a firewall is
> > > > running, or not.
> > >
> > > I thought the firewall specified which ports to open/close.
> >
> > Not quite, but we might be running into terminology here.
> >
> > The app that is listening a port opens the port. This has nothing
> > to do with the firewall. The firewall is simply an extra level of
> > checks applied before the packet is allowed through the firewall to
> > be received by the kernel, in the same way that a bouncer allows or
> > disallows the public to enter a club. If the bouncer is off sick,
> > the public gets to walk through the door up to reception, assuming
> > the club is open for business.
> >
> > What Mick was referring to is that if a service is running, it's
> > still going to listen on its port whether iptables is running or
> > not. So, in the absence of iptables (i.e. your bouncer is off
> > sick), you hopefully have a decent password strategy in use by
> > whatever is actually listening on the box.
>
> So as far as incoming connections are concerned, if there are no
> listening applications, there is no need for a firewall?
Technically yes. In the real world, it depends. The theory will work if
and only if you can absolutely guarantee that no listening service will
ever be running behind that firewall, and that this will always be true
from here on out till the end of time regardless of who has access to
the machine.
That's a tall order, and leaves human nature out of it. You might
install a listening app and leave it running in error without realising
the impact of not having a firewall. Someone else might do the same.
Ubuntu takes the approach you just asked about and it mostly works well,
especially for notebooks on a LAN behind a NATing gateway. If you are
running a network with valuable private information on it, you might
well prefer a belts and braces approach of having a mostly-closed
firewall as well.
As always, the best solution will vary according to what *you* need.
One more question, is default the right runlevel in which to run
shorewall? It looks like it's one of the last services to start that
way.
- Grant
--
gentoo-user@gentoo.org mailing list
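The thread's point is that a listening service opens the "door" and the firewall is only the bouncer in front of it. The script below is an added example, not from anyone in this thread, that audits both halves of that picture offline: which sockets are reachable from outside the host, and whether the packet filter's INPUT chain is actually on duty. It assumes the column layout of `ss -Hltn` (State, Recv-Q, Send-Q, Local:Port, Peer:Port) and of `iptables -S`; the sample lines embedded in it are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from this thread): list the sockets reachable from outside
# the host (the doors a firewall would guard) and report whether the packet
# filter is on duty. Both parsers read command output on stdin so they can be
# exercised offline with the constructed samples below.

# exposed_listeners: reads lines in `ss -Hltn` layout
# (State Recv-Q Send-Q Local:Port Peer:Port) and prints host:port for every
# listener that is NOT bound to loopback only. Assumption: that column layout.
exposed_listeners() {
    awk '{
        addr = $4
        n = split(addr, p, ":")        # the port is the text after the last colon
        port = p[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host ~ /^127\./ || host == "[::1]") next   # loopback only: not a door
        print host ":" port
    }'
}

# input_policy: reads `iptables -S` lines and prints the default policy of the
# INPUT chain. ACCEPT with no restrictive rules means the bouncer is off sick.
input_policy() {
    awk '$1 == "-P" && $2 == "INPUT" { print $3; exit }'
}

# Constructed sample data (not captured from any real host).
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:631 [::]:*'

IPT_SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT'

# count_exposed: number of externally reachable listeners in the sample.
count_exposed() {
    printf '%s\n' "$SS_SAMPLE" | exposed_listeners | wc -l | tr -d ' '
}

# sample_policy: INPUT policy taken from the sample ruleset.
sample_policy() {
    printf '%s\n' "$IPT_SAMPLE" | input_policy
}

# report: one line per exposed door, noting whether a bouncer stands in front.
# With policy ACCEPT each door relies on whatever the listening service itself
# enforces (the "decent password strategy" mentioned in the thread).
report() {
    policy=$(sample_policy)
    printf 'INPUT policy: %s\n' "$policy"
    printf '%s\n' "$SS_SAMPLE" | exposed_listeners | while read -r door; do
        if [ "$policy" = "ACCEPT" ]; then
            printf 'door %s: open, no bouncer\n' "$door"
        else
            printf 'door %s: open, filtered by policy %s\n' "$door" "$policy"
        fi
    done
}

report
```

On a live Gentoo box the same functions run against real output with `ss -Hltn | exposed_listeners` and `iptables -S | input_policy` (on an older iproute2 without `-H`, drop the header line first). The sample deliberately includes the two cases people forget: a service bound only to 127.0.0.1 is not a door at all, while `*:80` and `[::]:22` are doors whether or not shorewall has started yet, which is exactly why the runlevel question matters.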