In message <[EMAIL PROTECTED]>, Eric Brandwine writes:

> Firewalls are good things for general purpose networks. When you've
> got a bunch of clueless employees, all using Windows shares, NFS, and
> all sorts of nasty protocols, a firewall is best practice. Rather
> than educate every single one of them as to the security implications
> of their actions, just insulate them, and do what you can behind the
> firewall.
>
> When you've got a deployed server, run by clueful people, dedicated to
> a single task, firewalls are not the way to go. You've got a DNS
> server. What are you going to do with a firewall? Permit tcp/53 and
> udp/53 from the appropriate net blocks. Where's the protection? Turn
> off unneeded services, choose a resilient and flame tested daemon, and
> watch the patchlist for it.

Precisely. You *may* need a packet filter to block things like SNMP (to name a recent case in point), but a general-purpose firewall is generally the wrong solution for appliance computers.

--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
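As an added illustration that is not part of the thread, this is the kind of minimal host packet filter the two messages leave room for on a dedicated DNS server: accept tcp/53 and udp/53 only from named net blocks, drop SNMP explicitly, and let everything else inbound fall to a default drop. The interface name, the client net blocks and the SNMP port numbers (udp/161 for the agent, udp/162 for traps) are assumptions and placeholders, not values from the messages.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): packet filter for a single-purpose
# DNS host. The net blocks below are placeholders; substitute the real ones.
flush ruleset

table inet dns_host {
    set allowed_clients {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }   # placeholder net blocks
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to the daemon's own outbound queries (recursion, zone transfers)
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # ICMP is needed for path MTU discovery and basic diagnostics
        ip protocol icmp accept

        # SNMP (assumed ports udp/161 agent, udp/162 traps): drop and log it,
        # since this is the one case the reply says a packet filter earns its keep
        udp dport { 161, 162 } log prefix "snmp-drop: " drop

        # DNS, and only from the approved client net blocks
        ip saddr @allowed_clients udp dport 53 accept
        ip saddr @allowed_clients tcp dport 53 accept

        # Anything else falls through to the chain policy: drop
    }
}
```

Load it with `nft -f` and confirm the result with `nft list ruleset`. The SNMP rule is technically redundant under a drop policy; it is kept as a separate, logged rule so that probes for the service show up in the logs rather than vanishing silently, which is the defender's check that the filter is actually doing the one job it was added for.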