Date:      Fri, 18 Apr 2008 13:18:44 -0400
From:      Jon Radel <jon@radel.com>
To:        Paul Schmehl <pauls@utdallas.edu>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: [SSHd] Limiting access from authorized IP's
Message-ID:  <4808D7F4.8000709@radel.com>
In-Reply-To: <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu>
References:  <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com> <20080418191449.212f43d3.gary@pattersonsoftware.com> <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu>


Paul Schmehl wrote:

> I see this statement all the time, and I wonder why.  What does a
> firewall on an individual host accomplish?
> 
> I have maintained publicly available servers for a small hobby domain
> for almost ten years now.  Initially, I bought into this logic and ran
> a firewall. (At that time we only had one server.)  What it cost me was
> CPU and memory. What it gained me was nothing.  I turned it off.  I have
> never run a firewall on a publicly available host since.
> 
> Firewalls are for preventing access to running services.  By definition,
> if you are running a service, you want it to be accessed.  So firewalls
> are self-defeating or completely useless at the host level **unless**
> you don't know what you're doing.  For an enterprise they make a great
> deal of sense.  No matter what a user inside your network might do, you
> can prevent access by simply not allowing traffic on that port.

Yes, in a world where nothing ever breaks, all system administrators
never make dumb mistakes, and no one ever breaks into your box to
install services that you certainly wouldn't approve of, the
defense-in-depth techniques being discussed here are pretty much a waste
of time.  Alas, alack, my machines prove every couple of years that they
don't live in such a world.  Must be me.  ;-)

> If *everyone* knew how to properly configure and maintain a host, even
> enterprise firewalls would be completely unnecessary.

And if you've got users on your network....  Oh, my, users do the
darnedest things.  As one little example:  My firewall blocks outbound
traffic to port 25 from all those pesky workstations to anywhere other
than the local SMTP servers.  Why?  Makes me worry just a bit less about
some Windows box pumping spam out to the world due to an unfortunate
choice made by a user.  I doubt there's an enterprise in the world where
every user both knows enough about host security *and* is disciplined
enough to apply that knowledge every minute of every day.

But then, I'm the guy who takes the time to put on his seatbelt each and
every time he starts the car, despite never, not once, having to
actually use it in 3 decades of driving.

> Firewalls are too often crutches for people who don't want to learn
> how to properly maintain a host.

Now that, on the other hand, I can completely agree with.

--Jon Radel
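As an added example (not Jon's actual ruleset and not part of the original thread), here is a pf.conf fragment for a FreeBSD gateway that does the two things discussed above: it limits sshd to a short list of authorized addresses, and it lets workstations speak SMTP only to the local mail servers, logging anything that tries port 25 elsewhere. Interface names (em0, em1), the 192.168.10.0/24 workstation net, the mail-server and admin addresses from the RFC 5737 documentation ranges, and the http service are all placeholders you would replace with your own.

```pf
# /etc/pf.conf -- added example, not from the original mail.
# Assumed placeholders: em0 is the public interface, em1 the workstation LAN,
# 192.168.10.0/24 the workstation net, 198.51.100.25/.26 the site's own SMTP
# servers, and 203.0.113.5 plus 198.51.100.0/28 the admin addresses allowed
# to reach sshd.

ext_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.10.0/24"
table <smtp_servers> { 198.51.100.25, 198.51.100.26 }
table <ssh_admins> persist { 203.0.113.5, 198.51.100.0/28 }

set skip on lo0
set block-policy drop

# Default deny, with logging, so the firewall also acts as a tripwire for
# services that start listening without your approval.
block log all

# Stateful outbound traffic originated by the gateway itself.
pass out quick on $ext_if proto { tcp udp icmp } from ($ext_if) keep state

# sshd: only the admin addresses get to talk to port 22. Everyone else is
# dropped and logged here instead of being left for sshd to refuse.
pass in quick on $ext_if proto tcp from <ssh_admins> to ($ext_if) port 22 \
    flags S/SA keep state

# Services meant for the public still answer to the world (example: http).
pass in quick on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA keep state

# Workstations may use SMTP only against the local mail servers. A box that
# tries port 25 anywhere else (spam bot, misconfigured client) is logged
# and blocked. The two rules are ordered allow-then-deny and both are
# "quick", so the first match decides.
pass in quick on $lan_if proto tcp from $lan_net to <smtp_servers> port 25 \
    flags S/SA keep state
block in log quick on $lan_if proto tcp from $lan_net to any port 25

# Everything else from the LAN may go out.
pass in quick on $lan_if from $lan_net to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (parse only, nothing changes), then `pfctl -f /etc/pf.conf`; `pfctl -vsr` shows per-rule packet counters and `pfctl -t ssh_admins -T show` lists the table contents. When you tighten the sshd rule on a remote box, keep a second session open and arm a fallback such as `(sleep 300; pfctl -d) &` so a mistake cannot lock you out for good. sshd's own `AllowUsers user@host` patterns give a second, independent layer for the same restriction, which is the defense-in-depth point of the thread.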


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4808D7F4.8000709>