On 8/23/05, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> > Secondly, it seems pretty pointless to set up pf on a single host.
> 
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> That is the most ridiculous thing I've heard all day.  Lots of people
> run servers and must block them, on the same machine.  Probably every
> single one of us.

I'm not sure I understand what you mean. If you're going to run a
server, what's the point of blocking it? Might as well turn it off.

> 
> > Instead of worrying about the
> > firewall, which takes up more memory and cpu and all that, just shut
> > off services that you don't need and be done with it. If the attacker
> > can hurt your OpenBSD machine, then your firewall is vulnerable as
> > well, and it won't protect any applications that need open ports
> > listening. Turning off services is always much better than turning on
> > services (pf) if you need protection. And the way OpenBSD is set up by
> > default, nothing is listening except a couple inetd services (which I
> > always turn off), and sshd if you said y in install, that's it.
> 
> Anyone who says "I only need to block packets in my firewall" has got
> it all wrong.

I never said that. PF isn't the only way to block packets; there are TCP
wrappers or ACLs within the server itself. It seems that adding
another layer to the mix takes up more CPU and RAM than needed, since
most servers have some sort of ACL for acceptable hosts, and TCP
wrappers does a good job too.

Jason
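For readers following the disagreement above, here is what a host-based ruleset on a single machine looks like in practice. This is an added example, not a configuration posted by either participant; the interface name `em0`, the management network `192.0.2.0/24` and the ports are assumptions chosen for illustration.

```pf
# Added example: minimal pf.conf for one host that runs sshd and a web
# server and filters its own traffic. Interface and networks are assumed.
ext_if = "em0"
mgmt_net = "192.0.2.0/24"

set skip on lo

# Default deny inbound, logged, so that probes against closed or
# restricted ports show up in pflog instead of in each daemon's log.
block in log on $ext_if

# The host may originate connections freely; replies come back via state.
pass out on $ext_if keep state

# sshd listens on the socket, but is only reachable from the management
# network. This is enforced before sshd ever sees a SYN.
pass in on $ext_if proto tcp from $mgmt_net to ($ext_if) port 22 keep state

# The web server is public, but bounded: sources that open too many
# connections, or open them too fast, are moved into a table that is
# blocked outright and their existing states are flushed.
table <abusers> persist
block in quick on $ext_if from <abusers>
pass in on $ext_if proto tcp to ($ext_if) port { 80 443 } keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <abusers> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and inspect the table with `pfctl -t abusers -T show`. The practical difference from TCP wrappers or a daemon's own ACL is that pf applies to every socket on the host regardless of whether the daemon was linked against libwrap or implements any access control at all, and a rejected packet is dropped before any daemon code runs on it.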
