[PLUG] VNC, SSH, and iptables [was: Transferring mozilla mail and newsgroup settings from linux to windows]
William Kenworthy
billk at iinet.net.au
Mon May 10 07:31:33 WST 2004
Hi James, you make some points (many of which others made on other lists,
so you are not alone); however, I think you missed the most important one
in my post that overrides many of your comments. Defence in depth:
everyone makes mistakes (even configuring the firewall, but making a
mistake in two complementary places is much less likely), and a firewall is
an imperfect last-ditch defence and attempt at control. Maybe not
perfect, but better than nothing!
I also have iptables on a desktop in mind with my comments; Windows and
its built-in firewalls are another problem altogether (I do like
ZoneAlarm however), and the need for a (usually supplementary) firewall
there is self-evident. Personally I would always use a firewall on a
linux server facing the internet for insurance, but I can see that on a
very small server install running a very limited set of services it
would not be all that useful.
Lastly, I do not advocate inexperienced people "rolling their own" iptables
scripts (unless they are "learning" and take the necessary precautions),
and that includes otherwise skilled linux users. Start with monmotha,
shorewall or a few other well-known, tested implementations and go from
there.
You make the decision, you take the risk! I think of a firewall as
insurance against something going drastically wrong; effectively I won't
rely on it alone, but sometimes I am glad it's there.
BillK
On Sun, 2004-05-09 at 22:42, James Devenish wrote:
> Hi,
>
...
>
> Preface: I realise that having a firewall for a home network is useful,
> as it allows you to have insecure sharing on individual computers while
> maintaining a level of overall security (with regards to exposure of
> services to the public Internet, that is). I accept this as a genuine
> and indisputable application of "firewalling" because the firewall is
> consciously established on a gateway device, rather than running as a
> personal service on individual devices.
....