I don't need no stinking firewall!
ww at styx.org
Wed Jan 6 10:38:11 UTC 2010
Le 10-01-05 à 21:29, Dobbins, Roland a écrit :
> Stateful firewalls make absolutely no sense in front of servers,
> given that by definition, every packet coming into the server is
> unsolicited (some protocols like ftp work a bit differently in that
> there're multiple bidirectional/omnidirectional communications
> sessions, but the key is that the initial connection is always
Most hosts are in some measure servers and clients. Sometimes a "server"
might want to make an outbound connection for a legitimate reason (say
a DNS lookup or zone transfer). Sometimes it might be tricked into doing
so for nefarious reasons (like the old reverse telnet trick of binding
a shell to an outbound tcp connection). A properly configured firewall
will prevent latter.
More information about the NANOG