Oh boy, I'm sorry for the religious flame war / thread I caused on this
list.
Let me add that I just used the Cisco product to explain what I had in
mind. Of course, you are all right, things like SYN protection, even
security, need to and should be done on the clients.
However, in the typical reality setup, you have one or a few sensible admins
and hundreds of small machines in the network with people installing and
setting up applications on them without a clue (and without permission). The
firewall enlarges (at least to some extent) the security of the network
even under these conditions.
Also, this is for some kind of customer's net. They (IMHO: think only) they
have to use products made by a well-known (not necessarily for the quality
of its products) commercial OS-vendor. The firewall is intended to
increase the security of their net to the extent possible under these
conditions.
Anyway, due to the number of answers, let me express my thanks for the
constructive answers through this channel. Especially setting up a proxy
on the firewall for the incoming connections was something I did not
think about. Still, the major intention of my original mail was just to
get a confirmation of what I thought: Linux does not do stateful
firewalling.
BTW, this is not 100% right: in this specific setup we are also forced to
use masquerading (you could even consider proxying as a kind of
masquerading too (but even more stateful)). Linux does it, and it is
necessarily stateful.
Michael.
--
Michael Weller: [EMAIL PROTECTED], [EMAIL PROTECTED],
or even [EMAIL PROTECTED] If you encounter an eowmob account on
any machine in the net, it's very likely it's me.