** Reply to message from "John D. Hardin" <[EMAIL PROTECTED]> on
Sun, 1 Oct 2000 08:20:58 -0700 (PDT)


> On Sat, 30 Sep 2000, Jack Bowling wrote:
> 
> > However, having said that, I still feel that it is not in my best
> > interests to have the firewall sitting on my production box.
> 
> Reverse that thought and you'll be correct: "it is not in my best
> interests to have my production box be the firewall."
> 
> It wouldn't hurt a bit to have firewalling set up on your production
> box as well. Think "defense in depth".

Point taken, John. As Bill Staehle mentioned to me offlist, the truly
strong firewalls are ones which do an in-depth study of what they want
through their interfaces before writing the rulesets, and then write
them to allow only those holes to be opened.

I, on the other hand, am playing with what could be called an "adaptive
firewall" wherein I can adjust the firewall rulesets on the fly
depending on my situation. The app Firestarter allows me to do this
with ease. This will make all those who strive to maintain a strong
firewall cringe, but I mostly run into this with apps like ICQ. My
firewall will block ICQ normally but if I start a session with a friend
and want to transfer some files, then I can open the connection if I
trust the individual, and then shut it down again after. Here I am
sacrificing rigidity for ease of use. Some would term this folly :)  

And I do advise everybody to set up a firewall. I am startled by the
amount of snooping and scanning going on out there. Last night I even
had one bozo try to get in on port 1 tcpmux as shown in the following
hitlist entry. I did a hostname lookup on the IP.

Port  Sent from                        Service  Time
1     sl-gw11-sea-0-0.sprintlink.net   tcpmux   Oct  1 23:40

Jack Bowling
Prince George, BC
mailto:[EMAIL PROTECTED]

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
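The open-then-close pattern Jack describes (block ICQ by default, admit one trusted peer for the duration of a file transfer, close the hole again) as an added shell example. This is not Firestarter's code and not the poster's own ruleset. It assumes iptables with a default-DROP INPUT chain (a 2000-era Red Hat box may well have been running ipchains, whose syntax differs), that ICQ direct connections arrive on TCP 2000-4000 (an assumed default, overridable through ICQ_PORTS), and uses the documentation address 192.0.2.10 as the hypothetical trusted peer. Setting IPTABLES=echo prints the commands instead of running them, so the script can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the original post or from Firestarter): a default-deny
# iptables baseline plus a per-peer hole that is opened for one trusted address
# and removed again afterwards, i.e. the "adaptive firewall" pattern.
# Assumptions: iptables rather than ipchains; ICQ direct connections arrive on
# TCP 2000-4000 (assumed default, override with ICQ_PORTS); INPUT policy DROP.

IPTABLES="${IPTABLES:-iptables}"    # set IPTABLES=echo to dry-run the commands
ICQ_PORTS="${ICQ_PORTS:-2000:4000}" # assumed ICQ direct-connection port range

# Accept only a dotted-quad IPv4 address. The hole is keyed on the peer address,
# so a typo, an empty string or a shell metacharacter must never reach iptables
# (an empty -s would silently match every source on the Internet).
valid_ipv4() {
    case "$1" in
        ''|.*|*.|*[!0-9.]*) return 1 ;;   # empty, leading/trailing dot, non-digit
    esac
    _oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$_oldifs"
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case "$_octet" in ''|????*) return 1 ;; esac   # empty or more than 3 digits
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

baseline() {
    # Defence in depth on the production box itself: drop everything inbound
    # that a rule does not explicitly allow, then admit loopback and replies
    # to connections this host initiated.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The one rule that admits ICQ direct connections from a single peer. Printed
# rather than executed so that open and close use exactly the same rule text.
icq_rule() {
    printf 'INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$1" "$ICQ_PORTS"
}

open_icq() {
    valid_ipv4 "$1" || { echo "open_icq: refusing bad address '$1'" >&2; return 2; }
    # -I inserts at the top so the hole takes effect ahead of any later catch-all.
    "$IPTABLES" -I $(icq_rule "$1")
}

close_icq() {
    valid_ipv4 "$1" || { echo "close_icq: refusing bad address '$1'" >&2; return 2; }
    # -D deletes the first rule whose text matches what open_icq inserted.
    "$IPTABLES" -D $(icq_rule "$1")
}

# Open the hole for a fixed number of seconds, then close it: the transfer is
# bounded in time even if the operator forgets to run close_icq afterwards.
open_icq_for() {
    open_icq "$1" || return $?
    sleep "$2"
    close_icq "$1"
}

# Command-line use:  adaptive-fw.sh baseline | open PEER | close PEER | open-for PEER SECS
case "${1:-}" in
    baseline) baseline ;;
    open)     open_icq "${2:-}" ;;
    close)    close_icq "${2:-}" ;;
    open-for) open_icq_for "${2:-}" "${3:-0}" ;;
esac
```

The point of routing every rule through icq_rule and valid_ipv4 is that the hole can only ever be as wide as one validated address on one port range, and close_icq cannot fail to find the rule because its text is generated by the same function; a typed `iptables -D` that differs by one token leaves the hole open after the transfer.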