On Sat, 27 Jan 2001, Gregory Maxwell wrote:
> On Sat, Jan 27, 2001 at 11:09:27PM +0000, James Sutherland wrote:
> > On Sat, 27 Jan 2001, David Schwartz wrote:
> >
> > >
> > > > Firewalling should be implemented on the hosts, perhaps with centralized
> > > > policy management. In such a situation, there would be no reason to filter
> > > > on funny IP options.
> > >
> > > That's madness. If you have to implement your firewalling on every host,
> > > what do you do when someone wants to run a new OS? Forbid it?
> >
> > Of course. Then you find out about some new problem you want to block, so
> > you spend the next week reconfiguring a dozen different OS firewalling
> > systems. Hrm... I'll stick with a proper firewall, TYVM!
>
> It's this kind of ignorance that makes the internet a less secure and stable
> place.
>
> The network should not be a stateful device. If you need stateful
> firewalling the only place it should be implemented is on the end node. If
> management of that is a problem, then make an interface solve that problem
> instead of breaking the damn network.
I'm not suggesting making the network a stateful device. I'm suggesting
having a firewall. That should NOT be implemented on the end node. Apart
from anything else, the firewall shouldn't run any services: this is a bit
difficult on a server...
The network isn't broken. It works very nicely, TYVM. The firewall will
occasionally need reconfiguring (block out new types of attack, allow new
services, etc.) It's just much easier (and more secure) on a dedicated
firewall than running a load of filtering on every single server.
James.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.tux.org/lkml/
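The thread mentions filtering on "funny IP options" without saying what that looks like. As an added example (not code from the list or from any of the posters), here is a small IPv4 option parser in Python that walks the options area of a header as laid out in RFC 791 and returns a firewall-style verdict. The policy it applies (drop loose and strict source routing, accept everything else, drop anything malformed) is an assumption chosen for the example; the packets at the bottom are constructed by hand so it runs offline.

```python
"""Classify IPv4 packets by the options in their header.

Added example, not code from the LKML thread. It shows what "filtering on
funny IP options" means in practice: parse the IPv4 header, walk the
options area (RFC 791), and flag source-routing options (LSRR, SSRR),
which let the sender dictate the path replies take. The sample packets
at the bottom are constructed for this example.
"""
import struct

# Option type values from RFC 791 (copy flag, class and number combined).
IPOPT_EOOL = 0     # end of option list
IPOPT_NOP = 1      # no operation (padding)
IPOPT_RR = 7       # record route
IPOPT_TS = 68      # timestamp
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route

OPTION_NAMES = {
    IPOPT_EOOL: "EOOL", IPOPT_NOP: "NOP", IPOPT_RR: "RR",
    IPOPT_TS: "TS", IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR",
}

# Policy assumed for this example: source routing is dropped, the rest passes.
DROP_OPTIONS = {IPOPT_LSRR, IPOPT_SSRR}


def parse_ip_options(packet: bytes) -> list:
    """Return [(option_type, option_bytes), ...] from an IPv4 header.

    Raises ValueError when the header is truncated or the options area is
    malformed (missing length byte, length running past the header).
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    parsed = []
    i = 0
    while i < len(opts):
        otype = opts[i]
        if otype == IPOPT_EOOL:             # rest of the area is padding
            break
        if otype == IPOPT_NOP:              # single-byte option, no length
            parsed.append((otype, opts[i:i + 1]))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        olen = opts[i + 1]
        if olen < 2 or i + olen > len(opts):
            raise ValueError("bad option length")
        parsed.append((otype, opts[i:i + olen]))
        i += olen
    return parsed


def filter_verdict(packet: bytes) -> str:
    """Apply the example policy: DROP source-routed or malformed, else ACCEPT."""
    try:
        options = parse_ip_options(packet)
    except ValueError as err:
        return f"DROP (malformed: {err})"
    bad = [OPTION_NAMES.get(t, str(t)) for t, _ in options if t in DROP_OPTIONS]
    if bad:
        return "DROP (" + ",".join(bad) + ")"
    return "ACCEPT"


def build_ipv4_header(options: bytes = b"", src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Build a minimal IPv4 header (no payload, checksum left zero) for tests."""
    if len(options) % 4:                    # options area is padded to 32-bit words
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + options


# Constructed sample packets for this example.
PLAIN_PACKET = build_ipv4_header()
# LSRR: type 131, length 11 (3 header bytes + two 4-byte hops), pointer 4.
LSRR_PACKET = build_ipv4_header(
    bytes([IPOPT_LSRR, 11, 4]) + bytes([192, 0, 2, 1]) + bytes([192, 0, 2, 2]))
# RR: type 7, length 7, pointer 4, one empty address slot.
RR_PACKET = build_ipv4_header(bytes([IPOPT_RR, 7, 4, 0, 0, 0, 0]))
# Option length larger than the options area: must be rejected, not parsed.
MALFORMED_PACKET = build_ipv4_header(bytes([IPOPT_LSRR, 40]))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN_PACKET), ("lsrr", LSRR_PACKET),
                      ("rr", RR_PACKET), ("malformed", MALFORMED_PACKET)):
        print(f"{name:10s} {filter_verdict(pkt)}")
```

The malformed case is the one a centrally managed host policy has to get right on every OS: an option whose length runs past the header must be dropped rather than partially parsed, which is the class of check the posters are arguing about where to put.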