Re: Firewalls, are they really necessary?
From: Walter Mautner (leafnews.20.eatallspam_at_spamgourmet.com)
Date: Wed, 22 Dec 2004 22:16:10 +0100
Fao, Sean wrote:
> RC wrote:
>> You assume too much. Dont' think of a firewall as just INPUT. OUTPUT
>> is at least as important - ie smbd. Do you follow?
Bad example. You might bloch incoming (requests to port 137:139,445) as well
as outgoing - to the inet interface.
>> Of course a firewall is important but connecting to a pop3 port doesn't
>> jack. Why run a local mail server at all, with or without a firewall?
Have it here for my own purpose. Hotwayd allows connecting pop3 clients or
local postfix to a hotmail account. At least it will work till spring, when
Microsoft again announced to change protocols ...
Of course, that mail server is only for "local" purpose.
>> If it's running,
>> it's running and will be accessible with or without a firewall. That was
>> my point. That makes the telnetter's example moot.
There is another (as I posted) method to resctict access to it to the
internal network. A firewall is just another security layer, and it should
never keep people from thinking.
> I think we're simply misunderstanding each other and I apologize for
> getting defensive.
> I agree, a POP3 server is *probably* useless if it's not intended to be
> exposed to the outside world. However, in the rare circumstance that aq
> required a POP3 server (learning experience?), a firewall would
> obviously provide another level of protection to ensure that no unwanted
> visitors could read his mail.
Yes, butz no "learning experience" intended - hotwayd (google for it) is
just a means to redirect webmail to pop3.
> You call the telnetter's example "moot" because the service shouldn't
> have been running in the first place. Agreed, it probably shouldn't
> have been running; but, it was (and maybe it was supposed to be), and aq
> now walks away with a better understanding of what a firewall can
> protect against. If they were only good for blocking services that
> shouldn't be running, we'd never have a need for them.
That service is fine - but restriction to the local network or even
localhost makes the difference :).
-- Longhorn error#4711: TCPA / NGSCP VIOLATION: Microsoft optical mouse detected penguin patterns on mousepad. Partition scan in progress to remove offending incompatible products. Reactivate your MS software. Linux woodpecker.homnet.at 2.6.9-mm1[LinuxCounter#295241]