I don't need no stinking firewall!

William Waites ww at styx.org
Wed Jan 6 10:38:11 UTC 2010


Le 10-01-05 à 21:29, Dobbins, Roland a écrit :

> Stateful firewalls make absolutely no sense in front of servers,  
> given that by definition, every packet coming into the server is  
> unsolicited (some protocols like ftp work a bit differently in that  
> there're multiple bidirectional/omnidirectional communications  
> sessions, but the key is that the initial connection is always  
> unsolicited).

Most hosts are in some measure servers and clients. Sometimes a "server"
might want to make an outbound connection for a legitimate reason (say
a DNS lookup or zone transfer). Sometimes it might be tricked into doing
so for nefarious reasons (like the old reverse telnet trick of binding
a shell to an outbound tcp connection). A properly configured firewall
will prevent the latter.

-w
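The point made above, that a stateful firewall in front of a server earns its keep on the egress side, can be illustrated with a small model. The following is an added example, not code from the poster or from NANOG: a toy stateful host firewall that accepts inbound new connections only to listening ports, accepts reply traffic only for flows it has already tracked, and applies a default-deny egress policy with explicit exceptions for DNS lookups and zone transfers to one named resolver. The addresses, port numbers and service list are constructed for the demonstration; an unexpected outbound connection attempt (the "reverse telnet" case from the message) is logged and dropped.

```python
"""Toy model of a stateful host firewall with default-deny egress (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOST = "192.0.2.10"  # constructed server address (TEST-NET-1)


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    new: bool = True  # True for a TCP SYN or the first datagram of a UDP flow


class StatefulHostFirewall:
    def __init__(self, host, listen, egress_allow):
        self.host = host
        self.listen = set(listen)  # {(proto, port)} services that accept inbound connections
        # Egress exceptions: (proto, dport, destination network) the host may open itself
        self.egress_allow = [(p, port, ip_network(net)) for p, port, net in egress_allow]
        self.conntrack = set()     # established flows, keyed independent of direction
        self.log = []

    @staticmethod
    def _flow(pkt):
        endpoints = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
        return (pkt.proto, endpoints)

    def filter(self, pkt):
        flow = self._flow(pkt)
        if flow in self.conntrack:
            return "ACCEPT"  # reply or continuation of a connection we already allowed
        if not pkt.new:
            # Mid-stream packet for a flow we never tracked: nothing solicited it
            self.log.append(f"drop stray {pkt.proto} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            return "DROP"
        if pkt.dst == self.host:
            # Inbound new connection: allowed only to a listening service
            if (pkt.proto, pkt.dport) in self.listen:
                self.conntrack.add(flow)
                return "ACCEPT"
            self.log.append(f"drop inbound {pkt.proto} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            return "DROP"
        if pkt.src == self.host:
            # Outbound new connection: allowed only if an explicit egress rule matches
            for proto, port, net in self.egress_allow:
                if pkt.proto == proto and pkt.dport == port and ip_address(pkt.dst) in net:
                    self.conntrack.add(flow)
                    return "ACCEPT"
            self.log.append(f"EGRESS DENIED {pkt.proto} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            return "DROP"
        self.log.append(f"drop transit {pkt.proto} {pkt.src}->{pkt.dst}")
        return "DROP"


def run_demo():
    """Feed a constructed packet sequence through the model; return verdicts and log."""
    fw = StatefulHostFirewall(
        HOST,
        listen=[("tcp", 80), ("tcp", 443)],
        egress_allow=[
            ("udp", 53, "192.0.2.53/32"),  # DNS lookups to the site resolver
            ("tcp", 53, "192.0.2.53/32"),  # zone transfers to the same server
        ],
    )
    client, resolver, outside = "203.0.113.5", "192.0.2.53", "198.51.100.7"  # constructed
    pkts = [
        Packet("tcp", client, 51000, HOST, 80),               # new web request: allowed
        Packet("tcp", HOST, 80, client, 51000, new=False),    # its reply: established
        Packet("tcp", client, 51001, HOST, 22),               # inbound to non-listening port: dropped
        Packet("udp", HOST, 40000, resolver, 53),             # DNS lookup: egress rule matches
        Packet("udp", resolver, 53, HOST, 40000, new=False),  # DNS answer: established
        Packet("tcp", HOST, 40001, resolver, 53),             # zone transfer: egress rule matches
        Packet("tcp", HOST, 40002, outside, 4444),            # unexpected outbound connect: denied
        Packet("tcp", outside, 4444, HOST, 40002, new=False), # never tracked, so dropped as stray
    ]
    return [fw.filter(p) for p in pkts], fw.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    for v in verdicts:
        print(v)
    print("\n".join(log))
```

The model is deliberately simple (no timeouts, no TCP state machine, no ICMP), but it shows the two properties the message relies on: reply traffic to a server's own services passes without any egress rule, and a compromised service that tries to connect outward produces a logged `EGRESS DENIED` event, which is exactly the signal a defender wants to alert on.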



More information about the NANOG mailing list