On Tue, 27 Feb 2007 09:11:33 -0800
Grant <[EMAIL PROTECTED]> wrote:

> > > > > > Anyway, a closed port remains closed whether a firewall is
> > > > > > running, or not.
> > > > >
> > > > > I thought the firewall specified which ports to open/close.
> > > >
> > > > Not quite, but we might be running into terminology here.
> > > >
> > > > The app that is listening a port opens the port. This has
> > > > nothing to do with the firewall. The firewall is simply an
> > > > extra level of checks applied before the packet is allowed
> > > > through the firewall to be received by the kernel, in the same
> > > > way that a bouncer allows or disallows the public to enter a
> > > > club. If the bouncer is off sick, the public gets to walk
> > > > through the door up to reception, assuming the club is open for
> > > > business.
> > > >
> > > > What Mick was referring to is that if a service is running, it's
> > > > still going to listen on its port whether iptables is running
> > > > or not. So, in the absence of iptables (i.e. your bouncer is off
> > > > sick), you hopefully have a decent password strategy in use by
> > > > whatever is actually listening on the box.
> > >
> > > So as far as incoming connections are concerned, if there are no
> > > listening applications, there is no need for a firewall?
> >
> > Technically yes. In the real world, it depends. The theory will
> > work if and only if you can absolutely guarantee that no listening
> > service will ever be running behind that firewall, and that this
> > will always be true from here on out till the end of time
> > regardless of who has access to the machine.
> >
> > That's a tall order, and leaves human nature out of it. You might
> > install a listening app and leave it running in error without
> > realising the impact of not having a firewall. Someone else might
> > do the same.
> >
> > Ubuntu takes the approach you just asked about and it mostly works
> > well, especially for notebooks on a LAN behind a NATing gateway. If
> > you are running a network with valuable private information on it,
> > you might well prefer a belts and braces approach of having a
> > mostly-closed firewall as well.
> >
> > As always, the best solution will vary according to what *you* need
> 
> One more question, is default the right runlevel in which to run
> shorewall?  It looks like it's one of the last services to start that
> way.
> 
> - Grant
You could probably run it sooner, but it might try to bring up your
network interfaces before starting.  But, as long as the interfaces'
device nodes exist, whether or not the connection is up shouldn't
matter.  You could move it to the boot level, probably, if you were
worried about security while the computer boots. 

-- 
gentoo-user@gentoo.org mailing list
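The point made above, that a port is "open" because an application is listening on it and not because of the firewall, can be checked directly from the socket table. The following is an added example, not code from anyone in the thread: a POSIX sh audit that parses text in the format of /proc/net/tcp (a constructed sample is embedded so it runs offline; the function names are made up here) and lists LISTEN-state sockets, separating loopback-only listeners from those reachable from the network when no firewall is in the way.

```shell
#!/bin/sh
# Added example: list TCP sockets in LISTEN state from /proc/net/tcp-format
# text. These listeners exist whether or not iptables/shorewall is running.

# Constructed sample in the kernel's /proc/net/tcp layout (hex addresses,
# little-endian IPv4 on x86; st 0A = LISTEN, 01 = ESTABLISHED).
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0000000000000000 100 0 0 10 0
   2: C0A80105:0016 C0A80101:C4F2 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0000000000000000 100 0 0 10 0'

# hex_to_ip AABBCCDD -> dotted quad, reversing the little-endian byte order
# (0100007F is 127.0.0.1).
hex_to_ip() {
    printf '%d.%d.%d.%d' \
        "0x$(printf '%s' "$1" | cut -c7-8)" \
        "0x$(printf '%s' "$1" | cut -c5-6)" \
        "0x$(printf '%s' "$1" | cut -c3-4)" \
        "0x$(printf '%s' "$1" | cut -c1-2)"
}

# list_listening TEXT: print "ip:port" for every row in LISTEN state (0A).
# Column 2 is local_address, column 4 is the socket state; row 1 is the header.
list_listening() {
    printf '%s\n' "$1" | awk 'NR > 1 && $4 == "0A" { print $2 }' |
    while IFS=: read -r iphex porthex; do
        printf '%s:%d\n' "$(hex_to_ip "$iphex")" "0x$porthex"
    done
}

# exposed_listeners TEXT: the subset not bound to loopback, i.e. what a
# remote host can reach when the "bouncer" (packet filter) is absent.
exposed_listeners() {
    list_listening "$1" | grep -v '^127\.'
}

# Stand-alone run against the constructed sample; on a live Gentoo box use
#   exposed_listeners "$(cat /proc/net/tcp)"
echo "All listeners:";      list_listening "$SAMPLE_PROC_NET_TCP"
echo "Network-reachable:";  exposed_listeners "$SAMPLE_PROC_NET_TCP"
```

A listener on 0.0.0.0 (such as sshd on port 22 in the sample) is reachable from the LAN the moment the packet filter is down, so the strength of that service's own authentication is what protects the box; the loopback-only listener is not exposed either way.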
