On Wed, 2005-05-11 at 13:05, Juan Carlos Castro y Castro wrote:
>
> > Firewalls on hosts that aren't doing routing are just there to cover
> > up mistakes. That is, if you don't have a service listening for
> > a connection you won't accept connections with or without a firewall.
> > If you do have a service running, you will need a hole in the firewall
> > to let the associated connections through anyway. Firewalls only
> > help if you start services that you don't want to work.
>
> Or if you want some services to just be available to clients X, Y, and
> Z.

Normally you can arrange this with the service configuration and/or
hosts.allow entries.

> Or if you want your machine to be unpingable.

I suppose people have their reasons for being network-unsociable, but it
makes troubleshooting much harder...

> Or if you want to implement port knocking.

That's not something the Fedora default provides - and iptables is
available if you want to roll your own.

> Or if you want to block eventual, yet-to-be-discovered flood attacks.

You can't do much about flood attacks with a host-level firewall. The
packets are already there...

> I'm sure I forgot lots of other uses.

The only one that a default setting can help with is to prevent
accessing services that you didn't mean to have running. This can be
useful if they are started accidentally or due to bugs or trojans.

--
Les Mikesell
les@xxxxxxxxxxxxxxxx
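The two mechanisms the reply mentions for exposing a service only to clients X, Y and Z, the tcp_wrappers hosts.allow/hosts.deny pair and a hand-rolled iptables ruleset, side by side as an added example. This is not code from the thread or from Fedora; the port, daemon name and client addresses are placeholders, and nothing here is applied to the running kernel (the output is meant to be reviewed, then fed to iptables-restore or copied into /etc/hosts.allow by root).

```shell
#!/bin/sh
# Added example, not from the original thread. Generates, as text only,
# (a) an iptables-restore filter table and (b) tcp_wrappers entries that
# expose one TCP service to an allowlist of clients and refuse everyone else.
# Port, daemon name and client addresses below are assumed placeholder values.

# gen_rules PORT CLIENT...  -> iptables-restore "filter" table on stdout
gen_rules() {
    port=$1; shift
    printf '%s\n' '*filter'
    # default-deny for unsolicited inbound traffic; outbound left open
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # loopback, and replies belonging to connections this host opened
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # keep the host pingable; dropping this only makes troubleshooting harder
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    # one ACCEPT per allowed client; everything else falls to the DROP policy
    for client in "$@"; do
        printf '%s %s %s %s %s\n' '-A INPUT -p tcp -s' "$client" \
            '--dport' "$port" '-m state --state NEW -j ACCEPT'
    done
    printf '%s\n' 'COMMIT'
}

# gen_hosts_access DAEMON CLIENT...  -> hosts.allow / hosts.deny entries
# Only helps for daemons built against libwrap (or started via xinetd/tcpd);
# a service that ignores tcp_wrappers is unaffected, which is why the
# packet filter above is the belt to this set of braces.
gen_hosts_access() {
    daemon=$1; shift
    printf '%s\n' '# /etc/hosts.allow'
    printf '%s: %s\n' "$daemon" "$*"
    printf '%s\n' '# /etc/hosts.deny'
    printf '%s\n' 'ALL: ALL'
}

# Demo with assumed values: sshd on 22, two management hosts.
SSH_PORT=22
CLIENTS="192.0.2.10 192.0.2.11"
# shellcheck disable=SC2086  # word splitting on CLIENTS is intended
gen_rules "$SSH_PORT" $CLIENTS
gen_hosts_access sshd $CLIENTS
```

Review the generated table, then apply it as root with `gen_rules 22 192.0.2.10 192.0.2.11 | iptables-restore` (or save it as /etc/sysconfig/iptables on Fedora). The DROP policy is what covers the "service started by accident" case the reply ends on: a daemon that appears unexpectedly is unreachable until someone deliberately adds a rule for it. Source-address allowlists do nothing against a client that can spoof or that sits behind one of the allowed addresses, so they complement, rather than replace, authentication in the service itself.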