On Tue, 29 Aug 2006, Stephen Shirley wrote:
> It helps deal with broken protocols such as ftp and irc-dcc, no?
Actually, it can potentially work /better/ with these protocols.
> It also means you don't have to run a firewall on each individual
> machine to prevent an information leak, as i understand it.
Nope.
But running a firewall on each host is a good idea.
> Steady on there. I would consider that to be an unusual layout,
Hosts with multiple interfaces to multiple networks are not unusual.
There's no point having redundancy in your hosts, your network
infrastructure, etc. if it then all gates through a single firewall.
People do go deploy such hosts, with interfaces to networks with
different firewalls for redundancy and then wonder why packets often
don't get through.
If firewalls were stateless by default, we'd have a lot fewer
confused people.
> and yes, certainly not one i would attempt to do stateful
> firewalling on.
Good man. :)
> Just because it doesn't apply in a corner case doesn't make it
> generally a bad idea however.
You've got it the wrong way around.
Tell me something /good/ about stateful TCP filtering - unneeded
complexity is *bad* if it serves little purpose, surely that's
obvious?
regards,
--
Paul Jakma paul at clubi.ie / paul at jakma.org Key ID: 64A2FF6A
Fortune:
"Why would a robot need to drink?" -Fry
"I don't need to drink, I can quit anytime I want." -Bender
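The failure mode Paul describes above (a multi-homed host whose outbound and return packets pass through different stateful firewalls) is easy to reproduce in a toy model. The following is an added example and not code from the thread or from any firewall product: it implements a minimal connection-tracking filter and a stateless ACL, then sends a SYN out through one firewall and the SYN-ACK back through another. The addresses, port numbers and the "inside network" prefix are constructed for the example.

```python
from dataclasses import dataclass

# Constructed "inside" network: only hosts here may open new flows outbound.
INSIDE_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK (simplified)


class StatefulFirewall:
    """Toy connection tracker: a flow exists only if this instance saw its SYN."""

    def __init__(self, name):
        self.name = name
        self.flows = set()  # (src, sport, dst, dport) tuples of tracked flows

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # A new flow is only allowed when initiated from the inside network.
        if pkt.flags == "S" and pkt.src.startswith(INSIDE_PREFIX):
            self.flows.add(key)
            return "ACCEPT"
        # Anything else must match a flow this particular firewall tracked.
        if key in self.flows or reverse in self.flows:
            return "ACCEPT"
        # Return traffic for a flow whose SYN went through a *different* box
        # lands here: the tracker has no state for it and drops the packet.
        return "DROP"


class StatelessFirewall:
    """Toy stateless ACL: each packet is judged on its own headers only."""

    def filter(self, pkt):
        # Outbound to a web server, or inbound from a web server that is not a
        # bare SYN (the classic "established" approximation of stateless ACLs).
        if pkt.dport == 80 and pkt.src.startswith(INSIDE_PREFIX):
            return "ACCEPT"
        if pkt.sport == 80 and pkt.flags != "S":
            return "ACCEPT"
        return "DROP"


def run_handshake(outbound_fw, return_fw):
    """Send the SYN through outbound_fw and the SYN-ACK back through return_fw."""
    syn = Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S")
    synack = Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA")
    return outbound_fw.filter(syn), return_fw.filter(synack)


def stateful_symmetric():
    # Both directions through the same box: state is present, reply passes.
    fw = StatefulFirewall("fw-a")
    return run_handshake(fw, fw)


def stateful_asymmetric():
    # Redundant paths, independent trackers: fw-b never saw the SYN.
    return run_handshake(StatefulFirewall("fw-a"), StatefulFirewall("fw-b"))


def stateless_asymmetric():
    # Stateless ACLs carry no per-box state, so the path taken does not matter.
    return run_handshake(StatelessFirewall(), StatelessFirewall())


if __name__ == "__main__":
    print("stateful, symmetric path: ", stateful_symmetric())
    print("stateful, asymmetric path:", stateful_asymmetric())
    print("stateless, asymmetric path:", stateless_asymmetric())
```

The asymmetric stateful case returns `("ACCEPT", "DROP")`: the first firewall accepts and records the SYN, the second has no matching entry and drops the SYN-ACK, which is exactly the "packets often don't get through" symptom. The stateless ACL passes the reply on either path, at the cost visible in `StatelessFirewall.filter`: it also admits any non-SYN packet claiming source port 80, whether or not a matching flow exists. That trade-off (robustness to asymmetric routing versus per-flow precision) is the substance of the disagreement in the thread; real deployments that want both typically synchronise connection state between the redundant firewalls rather than running them as independent trackers.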