[120923] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (William Waites)
Wed Jan 6 06:40:06 2010

From: William Waites <ww@styx.org>
To: "Dobbins, Roland" <rdobbins@arbor.net>
In-Reply-To: <828F4485-EB8C-4D52-A2F9-89A0C06235B6@arbor.net>
Date: Wed, 6 Jan 2010 11:38:11 +0100
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 10-01-05 at 21:29, Dobbins, Roland wrote:

> Stateful firewalls make absolutely no sense in front of servers,
> given that by definition, every packet coming into the server is
> unsolicited (some protocols like ftp work a bit differently in that
> there are multiple bidirectional/omnidirectional communications
> sessions, but the key is that the initial connection is always
> unsolicited).

Most hosts are in some measure servers and clients. Sometimes a "server"
might want to make an outbound connection for a legitimate reason (say
a DNS lookup or zone transfer). Sometimes it might be tricked into doing
so for nefarious reasons (like the old reverse telnet trick of binding
a shell to an outbound tcp connection). A properly configured firewall
will prevent the latter.

-w
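A worked illustration of the egress side of the argument above, added here as an example and not code from either poster: a server's legitimate outbound connections are usually a short allowlist (DNS lookups to its resolvers, a zone transfer to its secondary), so a default-deny egress policy lets those through and refuses the outbound TCP connection a reverse shell would make. The host, addresses (documentation ranges), the allowlist and the conntrack-style log lines are all constructed assumptions; the nftables rendering shows what the same policy looks like as a ruleset.

```python
"""
Default-deny egress policy for a server host, with an audit of outbound
connection attempts and an nftables rendering of the same policy.
Added example; the host, addresses and log lines are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class AllowRule:
    proto: str       # "tcp" or "udp"
    dst_net: object  # ipaddress network the destination must fall in
    dport: int       # destination port


# Assumed allowlist for a hypothetical authoritative DNS host 192.0.2.10.
RESOLVERS = ip_network("198.51.100.0/24")   # assumed site recursive resolvers
SECONDARY = ip_network("203.0.113.53/32")   # assumed zone-transfer secondary

EGRESS_ALLOW = [
    AllowRule("udp", RESOLVERS, 53),   # ordinary DNS lookups
    AllowRule("tcp", RESOLVERS, 53),   # truncated answers retried over TCP
    AllowRule("tcp", SECONDARY, 53),   # AXFR/IXFR to the secondary
]


def decide(proto: str, dst: str, dport: int, allow=EGRESS_ALLOW) -> str:
    """Return "allow" if some rule matches the new outbound flow, else "deny".
    Nothing matches by default, which is what keeps a shell bound to an
    outbound TCP connection from leaving the host."""
    addr = ip_address(dst)
    for r in allow:
        if r.proto == proto and r.dport == dport and addr in r.dst_net:
            return "allow"
    return "deny"


# Constructed conntrack-style records of NEW outbound flows from the server.
# The third line is the reverse-shell pattern: outbound TCP to an odd port.
SAMPLE_FLOWS = """\
2010-01-06T06:40:01 NEW udp src=192.0.2.10 sport=41230 dst=198.51.100.2 dport=53
2010-01-06T06:40:05 NEW tcp src=192.0.2.10 sport=48210 dst=203.0.113.53 dport=53
2010-01-06T06:40:09 NEW tcp src=192.0.2.10 sport=51002 dst=192.0.2.99 dport=4444
2010-01-06T06:40:12 NEW tcp src=192.0.2.10 sport=51003 dst=198.51.100.2 dport=53
"""


def parse_flow(line: str) -> dict:
    """Parse one constructed record: '<ts> <state> <proto> k=v k=v ...'."""
    fields = line.split()
    rec = {"ts": fields[0], "state": fields[1], "proto": fields[2]}
    for f in fields[3:]:
        k, v = f.split("=", 1)
        rec[k] = v
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def audit(log_text: str, allow=EGRESS_ALLOW) -> Tuple[List[tuple], List[tuple]]:
    """Split NEW outbound flows into (allowed, denied) lists of
    (timestamp, proto, dst, dport). Replies ride on connection state and
    are not judged here, only the initial connection attempt is."""
    allowed, denied = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec["state"] != "NEW":
            continue
        verdict = decide(rec["proto"], rec["dst"], rec["dport"], allow)
        row = (rec["ts"], rec["proto"], rec["dst"], rec["dport"])
        (allowed if verdict == "allow" else denied).append(row)
    return allowed, denied


def render_nft(allow=EGRESS_ALLOW, table: str = "egress") -> str:
    """Render the allowlist as an nftables output chain with policy drop;
    established/related state lets answers to allowed flows back through."""
    lines = [
        f"table inet {table} {{",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    ct state established,related accept",
        '    oif "lo" accept',
    ]
    for r in allow:
        lines.append(f"    ip daddr {r.dst_net} {r.proto} dport {r.dport} accept")
    lines.append('    log prefix "egress-deny " drop')
    lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_FLOWS)
    for row in bad:
        print("DENY", *row)
    print(render_nft())
```

Running the script prints the denied flow (the TCP connection to port 4444) and the ruleset; the point of the `ct state established,related accept` line is that the same stateful tracking which makes the firewall "pointless" inbound is what lets the DNS replies and zone-transfer data return once the outbound attempt has been permitted.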

