On Fri May 16 2008 19:39:27 lostson wrote:
> On Fri, 2008-05-16 at 19:09 -0700, Lee Glidewell wrote:
> > On Friday 16 May 2008 07:02:59 pm Paul Johnson wrote:
> > "So... what does a 'personal firewall' actually do? Well, effectively it
> > listens on all the ports on your system. This provides no real additional
> > security over turning off the services that you don't use."
> >
> > The nature and purpose of a "firewall" seems to be greatly misunderstood.
> > Personally, I think security vendor hype is as much to blame as naivete.
>
> So basically a firewall is useless?
A firewall does not listen on any ports. (There may be Windows products which are sold as firewalls and which listen on all ports, but they are not actually firewalls.) The main function of a firewall is to limit access to open ports. If you have no open ports the firewall is not limiting access. Some argue from this that since a firewall appears to be superfluous, and since a firewall is additional software and carries the possibility of additional security bugs, that a personal firewall is worse than useless.

However there are two additional points to consider.

1) A firewall can block access to ports that are open that you don't know are open. For example, ports opened by malware.

2) A firewall, if very carefully configured, can block unwanted outgoing traffic. For example, a firewall might prevent malware from emailing your email contacts and credit card details to a cracker. However this is not easy.

Both of these considerations currently apply much more to infection-prone Windows than Linux. Personally, I use few firewalls these days on Linux boxes, and when I do it is usually for some special effect related to VPNs rather than a classical firewall limiting access to open ports. However I use a lot of firewalls in routers, particularly to make it harder for malware to send spam and to reduce the spread of malware infections between Windows boxen.

In a standard Debian workstation with no services listening you really don't need a firewall today. This may change if Linux in the future should suffer from malware like Windows does today. Linux is just as susceptible as Windows to a trojan that tricks people into running a program that mails out all their email contacts, or all strings that match a credit card number regex.

If you start a service - Apache or FTP or anything else - then you are responsible for securing it, whether by passwords or certificates or firewalls or otherwise. It's easy to start a service. It's not easy to secure a service.
Don't start a service until you know how to secure it, no matter how easy it is. This applies to all OS's.

--Mike Bird
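The two points Mike Bird raises (a firewall limits access to ports that happen to be open, and a carefully configured one can also restrict what leaves the box) can be made concrete with an nftables ruleset. The script below is an added example, not part of the thread and not anything its participants posted; it targets a Debian workstation that runs sshd for its LAN and nothing else. The interface name, the LAN range and the allowed port lists are assumptions chosen for illustration. The `check_ruleset` function reads a ruleset on stdin and confirms the two properties the discussion cares about: both the input and output chains default to drop, and no SMTP port is on the outbound allow-list.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates an nftables ruleset for
# a Debian workstation and checks two properties of it:
#  1) inbound default-drop: a port that is open without your knowledge (a
#     forgotten service, or one opened by malware) is still not reachable;
#  2) outbound allow-list: only named destinations leave the box, so a process
#     that tries to talk directly to a remote mail server on port 25 is dropped
#     and logged instead of mailing out your address book.
# All values below are assumptions for illustration, not from the thread.

LAN_NET="192.168.1.0/24"   # assumption: constructed private LAN range
ALLOWED_IN_TCP="22"        # assumption: sshd is the one service you deliberately run

# Print the ruleset to stdout. Load it (as root) with:  gen_ruleset | nft -f -
gen_ruleset() {
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Only the service you deliberately run is reachable, and only from the LAN.
        ip saddr ${LAN_NET} tcp dport { ${ALLOWED_IN_TCP} } ct state new accept
        # Anything else that is listening, known to you or not, is logged then dropped.
        limit rate 5/minute log prefix "nft-in-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # Outbound allow-list: DNS, NTP, web and SSH. The SMTP ports (25, 465, 587)
        # are deliberately absent, so a mailer started by a trojan reaches nothing.
        udp dport { 53, 123 } accept
        tcp dport { 53, 80, 443, 22 } accept
        limit rate 5/minute log prefix "nft-out-drop: "
    }
}
EOF
}

# Read a ruleset from stdin; return 0 only if both directions default to drop
# and no SMTP port appears in an outbound allow-list.
check_ruleset() {
    rs="$(cat)"
    printf '%s\n' "$rs" | grep -q 'hook input .*policy drop'  || return 1
    printf '%s\n' "$rs" | grep -q 'hook output .*policy drop' || return 1
    if printf '%s\n' "$rs" | grep -Eq 'dport \{[^}]*[{, ](25|465|587)[ ,}]'; then
        return 1
    fi
    return 0
}

# Syntax-check against the real parser when nft is installed (-c applies nothing).
if command -v nft >/dev/null 2>&1; then
    gen_ruleset | nft -c -f - 2>/dev/null && echo "ruleset parses" || echo "nft check skipped"
fi
gen_ruleset | check_ruleset && echo "default-drop both ways, no outbound SMTP"
```

The outbound chain is the part that is "not easy" in practice: every legitimate client on the box (package updates, a mail client, a VPN) needs its destination listed, and the log prefixes are there so you can see what you broke. The input chain, by contrast, costs nothing on a workstation with no services, which is exactly the situation the reply describes.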