On Sat, Apr 06, 2002 at 03:32:05PM -0500, Eric Wirt wrote:
>
> 2) When a program needs traversal through the firewall, it will ask the
> gateway for X number of ports to specifically be opened and forwarded to the
> inside machine. The gateway will report to the calling program (Messenger)
> which ports it has opened/forwarded, and the calling program takes it from
> there. When the program is done with the ports it is supposed to ask the
> gateway to close them.
Does this not scare the bujeezus out of anyone else but me?

Netfilter/iptables' purpose is to protect both the box it is running on and, (most) frequently, also a network of machines behind it. Why do we (security administrators) put a firewall (packet filter at minimum) in front of a whole network of machines? Because it's much easier (and therefore safer for the security administrator) to administer one access point rather than having to go bolt down every machine and hope it stays bolted down.

Now we are giving the machines that we know are not secure -- and don't run a secure OS, which is produced by a company that has a long-running track record of implementing bad/minimal security at best -- the ability to administer their own security policies by adding and removing rules from the firewall via UPnP.

Do we really want the inmates running the asylum?

b.

-- 
Brian J. Murrell