On 17-Mar-05, 01:01 (CST), Joel Aelwyn <[EMAIL PROTECTED]> wrote:

> * The ability for an interface to receive, by default, only traffic that
> is destined for that interface. (Non-promiscuous mode; promiscuous mode
> availability is a big plus, but not required from the OS point of view)

Linux fails this. Even with forwarding disabled, it will accept packets for an address on interface A via interface B.

The rest of your points are valid for a *packet filter* firewall that exists *between* the internet and a LAN (and/or DMZ). For a machine that is directly connected, you can run only the services that you're actually supporting, and use tcpwrappers et al. to control access to those, if you like. Packet filtering is basically irrelevant.

And there are other kinds of firewalls besides packet filters.

Steve

-- 
Steve Greenland
    The irony is that Bill Gates claims to be making a stable operating
    system and Linus Torvalds claims to be trying to take over the
    world.   -- seen on the net
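The weak-host behaviour Steve describes (a packet for interface A's address accepted on interface B) is governed by a handful of sysctl knobs; the audit script below is an added example, not part of the original mail, and assumes a `sysctl -a`-style dump on stdin (the sample dump is constructed, not from a real host).

```shell
#!/bin/sh
# Audit the sysctl knobs behind Linux's weak-host behaviour. Input is a
# "sysctl -a"-style dump on stdin, so the check runs on constructed data.

# Constructed dump (not from a real host): forwarding is off, as in the
# mail, but the ARP and reverse-path knobs sit at their permissive defaults.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_announce = 0'

# sysctl_value KEY: print KEY's value from the dump on stdin (empty if absent).
sysctl_value() {
    awk -v k="$1" '$1 == k { print $3 }'
}

# audit_host_model: print one finding per knob not at its hardened value.
# Returns 0 when there are no findings, 1 otherwise.
# Note: rp_filter only checks the *source* address; arp_ignore=1 closes the
# usual LAN path by which B receives traffic for A's address (B no longer
# answers ARP for it). Traffic that reaches B for A's address by other means
# still needs a per-interface input filter rule, which is outside this audit.
audit_host_model() {
    dump=$(cat)
    findings=0
    while read -r key want why; do
        have=$(printf '%s\n' "$dump" | sysctl_value "$key")
        if [ "${have:-unset}" != "$want" ]; then
            echo "$key=${have:-unset} (want $want): $why"
            findings=$((findings + 1))
        fi
    done <<EOF
net.ipv4.ip_forward 0 keep forwarding off on a host that is not a router
net.ipv4.conf.all.rp_filter 1 drop packets whose source is not routed back via the ingress interface
net.ipv4.conf.all.arp_ignore 1 answer ARP only for addresses configured on the receiving interface
net.ipv4.conf.all.arp_announce 2 advertise only the receiving interface's own address in ARP
EOF
    [ "$findings" -eq 0 ]
}

# Stand-alone run against the constructed dump.
if printf '%s\n' "$SAMPLE_SYSCTL" | audit_host_model; then
    echo "host-model knobs hardened"
else
    echo "weak-host exposure remains (see findings above)"
fi
```

On a live system, feed it `sysctl -a 2>/dev/null | audit_host_model` instead of the constructed dump.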