On Wed, Jul 4, 2012 at 6:04 PM, Brian <a...@cityscape.co.uk> wrote:
> A commonly used phrase - military in origin, I imagine. One day I must
> investigate how a firewall can protect my mail server. Until then I will
> just continue to accept connections from anywhere.

I will give you an example of this. Your mail server runs, say, Roundcube or some other webmail. You want port 80 (or 443) available on your local LAN, but not to the internet. A perimeter firewall could block access from outside your perimeter. Just as an example. Or for that matter, you could insert imap/imaps, pop3/pop3s, etc.

>> get a piece of bad software that opens a vulnerability? And yes, that
>
> I'd rather you were specific here about the sort of vulnerability in the
> service you are thinking about but, talking in general and using Debian,
> the fix would become available, you would download it and move on. No
> problem, no fuss, no firewall needed.

Using the above example, suppose your mail server had to run sendmail (I know, a stretch nowadays, but in the not-too-distant past, a distinct possibility). Sendmail had a tradition of having more holes than Swiss cheese, and vulnerabilities were fixed almost weekly. When a new version was uploaded to the repos, I guarantee not all of the holes had been fixed. This is the concept of the 0day vulnerability: an unknown, unpublished vulnerability. A firewall *might* help blunt a possible attack or block an attack vector. But it is a game of chances.

As I have told people before, "Security times usability is a constant: The only secure system is one that is unplugged from the network, powered off, packed in concrete, and fired into the sun... But at that point, it isn't very usable, is it?"

--b

> [Snip]
>
>> So a piece of bad software gets introduced into the repos. It could
>> happen... And having a firewall in place (an external firewall would
>> have the advantage of not being able to be turned off by said
>> malware).
>
> A firewall will not give protection from a software defect in a running
> service. Not unless you lock the service down so much it becomes
> useless.
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/20120704220425.GB28931@desktop

Archive: http://lists.debian.org/cakmzw+ya3pfon4robbx2jgtdzgm52-_jktngaqzr6lowcaf...@mail.gmail.com
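The policy sketched in the reply above (SMTP reachable from anywhere, webmail and IMAP/POP3 reachable only from the LAN), written out as a host firewall ruleset. This is an added example, not something posted in the thread; it uses nftables, the firewall Debian ships today, rather than the iptables a 2012 box would have run. The LAN prefix 192.168.1.0/24, the port list, and the table and chain names are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original thread): host firewall for a small
# Debian mail server. Assumptions: the LAN is 192.168.1.0/24, the MTA
# answers SMTP on 25 and submission on 587, webmail is on 80/443, and
# IMAP/POP3 (plain and TLS) are on 143/993 and 110/995.
flush ruleset

define lan = 192.168.1.0/24
define lan_only_tcp = { 80, 443, 143, 993, 110, 995 }   # webmail + mailbox access

table inet mailhost {
    chain input {
        type filter hook input priority 0; policy drop;

        # Keep established flows; drop anything conntrack considers bogus.
        ct state established,related accept
        ct state invalid drop

        iif lo accept

        # ICMP is needed for path MTU discovery and error signalling.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SMTP must stay open to the world, or the box is not a mail server.
        # This is exactly the port the firewall cannot help with if the MTA
        # itself has a bug: the packets it blocks elsewhere are allowed here.
        tcp dport { 25, 587 } accept

        # Webmail and mailbox access only from inside the perimeter.
        ip saddr $lan tcp dport $lan_only_tcp accept

        # Admin access from the LAN only.
        ip saddr $lan tcp dport 22 accept

        # Everything else falls through to the chain policy (drop). Log a
        # sample so the attempts are visible in the journal.
        limit rate 10/minute log prefix "mailhost-drop: "
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
```

Check the file without loading it with `nft -c -f /etc/nftables.conf`, then load it with `nft -f /etc/nftables.conf` (or `systemctl enable --now nftables` on Debian, which reads that path). Two caveats that match the thread: the ruleset changes nothing about port 25, so a defect in the SMTP daemon is reachable from the internet regardless; and because this is a host ruleset, anything that gains root on the box can `nft flush ruleset`, which is the case for an external, separately administered firewall that the reply mentions.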