
Re: [Sheflug] Firewall stuff



 > It won't stop httpd requests [unless running httpd from inetd]
> > It won't stop smbd/nmbd requests [unless running smbd from inetd] It
> > won't stop DNS requests It won't stop anyone connecting to your X
> > server It won't stop anything else running as a standalone daemon
> > *unless* that daemon has TCP wrappers support built in.
>
> Why the clucking bell would people be running X, httpd or smbd on
> a firewall ?

I've run httpd on many a firewall. Run it in proxy mode, hey presto a layer
7 firewall. smbd would also have similar uses in a firewall. The be-all and
end-all of firewalls is not 'ipchains'. A packet-filtering firewall is nigh
on useless, being either too vociferous (annoying people) or too lax.
Remember, also, firewalls aren't just about keeping hackers out.

> Why oh why do people do this and take up resources on a
> machine that simply forwards/filters packets...

Very basic definition of "firewall" you have there ;) People make money from
firewalls by doing more than packet filtering, that's why they cost money
and why Linux isn't suitable as a replacement, yet.

> > Also, why do people still use hosts.deny? It's much easier to do away
> > with that and stick with hosts.allow and the TCP wrapper extensions
> > that give the ALLOW and DENY keyword. "man 5 hosts_options" for more
> > on them - very flexible... :)

BTW, I definitely agree with all the other posters on these particular
points - those configs did very little to enhance security.

Cheers,

Alex.
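
For readers following the hosts.allow point quoted above, here is an added illustration (not from the original posters) of the hosts_options(5) style the quote refers to: every rule carries its own ALLOW or DENY verdict in a single hosts.allow, so hosts.deny is not needed. The daemon name, network and log facility are constructed placeholders; this syntax only works when tcpd/libwrap was built with the extended option language (PROCESS_OPTIONS), and, as the thread notes, it covers only services run through tcpd or linked against libwrap.

```text
# /etc/hosts.allow  (constructed example; 192.0.2.0/24 is a placeholder network)
# Extended format: daemon_list : client_list : option : ... : ALLOW|DENY
# The verdict keyword must be the last option on each line.

# Local admin network may reach sshd.
sshd : 192.0.2.0/255.255.255.0 : ALLOW

# Everyone else is refused, and the refusal is logged at a higher priority
# so it stands out in syslog (%d = daemon, %a = client address).
sshd : ALL : severity auth.warning : spawn (/usr/bin/logger -t tcpd "denied %d from %a") : DENY

# Default-deny for every other wrapped service.  Because this file decides
# both ways, /etc/hosts.deny can be left empty or removed.
ALL : ALL : DENY
```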

---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.