On Tuesday 27 February 2007 03:21, Grant wrote:
> > > > Anyway, a closed port remains closed whether a firewall is running,
> > > > or not.
> > >
> > > I thought the firewall specified which ports to open/close.
> >
> > Not quite, but we might be running into terminology here.
> >
> > The app that is listening a port opens the port. This has nothing to do
> > with the firewall. The firewall is simply an extra level of checks
> > applied before the packet is allowed through the firewall to be
> > received by the kernel, in the same way that a bouncer allows or
> > disallows the public to enter a club. If the bouncer is off sick, the
> > public gets to walk through the door up to reception, assuming the club
> > is open for business.
> >
> > What Mick was referring to is that if a service is running, it's still
> > going to listen on its port whether iptables is running or not. So, in
> > the absence of iptables (i.e. your bouncer is off sick), you hopefully
> > have a decent password strategy in use by whatever is actually
> > listening on the box.
>
> So as far as incoming connections are concerned, if there are no
> listening applications, there is no need for a firewall?
As I understand it, no.  However, a firewall is there to offer additional
functionality and protection by logging packets, filtering the amount of
incoming packets, proactively blocking some of these from coming in, etc.

After all you would be less inclined to allow a machine which has been
scanning your server ports for the last 10 minutes to try to authenticate on
a legitimate service port, right?

http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml

-- 
Regards,
Mick
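The "machine that has been scanning your server ports for the last 10 minutes" case above, as an added example that is not part of this thread or of the linked Gentoo article: it reads iptables LOG lines (abbreviated, constructed samples with an assumed "IPT-IN:" log prefix), flags sources that hit several distinct ports inside a 10-minute window, and produces the DROP rule an operator would add for them.

```python
"""Flag hosts that probed many distinct ports within a 10-minute window,
using iptables LOG output as input. The sample lines below are constructed
and abbreviated (real LOG lines carry MAC=, LEN=, TTL=, ... fields too);
the 'IPT-IN:' prefix is an assumed --log-prefix value."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.5 probes five ports in three seconds,
# 198.51.100.7 makes two ordinary SSH connections fifteen minutes apart.
SAMPLE_LOG = """\
Feb 27 03:21:05 gw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44321 DPT=21 SYN
Feb 27 03:21:06 gw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44322 DPT=23 SYN
Feb 27 03:21:06 gw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44323 DPT=25 SYN
Feb 27 03:21:07 gw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44324 DPT=80 SYN
Feb 27 03:21:08 gw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44325 DPT=110 SYN
Feb 27 03:25:00 gw kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=22 SYN
Feb 27 03:40:00 gw kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51001 DPT=22 SYN
"""

# syslog timestamp, then the SRC= and DPT= fields of the kernel LOG line
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")

def parse(log, year=2007):
    """Yield (timestamp, src, dport) for every line that matches LINE_RE."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3))

def find_scanners(log, window_s=600, min_ports=4):
    """Return {src: sorted ports} for sources that touched at least
    min_ports distinct destination ports within any window_s seconds."""
    events = defaultdict(list)
    for ts, src, dport in parse(log):
        events[src].append((ts, dport))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window from each hit
            ports = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners

def drop_rule(src):
    """The iptables rule an operator would insert to block a flagged source."""
    return f"iptables -I INPUT -s {src} -j DROP"

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed ports {ports}: {drop_rule(src)}")
```

The thresholds (four ports in 600 seconds) are illustrative; the linked article's dynamic approach does the equivalent inside the kernel rather than from logs after the fact.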
