Date: Thu, 16 Dec 2004 14:06:23 -0500
From: Chuck Swiger <cswiger@mac.com>
To: Nik Clayton <nik@FreeBSD.org>
Cc: "Simon L. Nielsen" <simon@FreeBSD.org>
Subject: Re: Rework of firewall chapter start
Message-ID: <41C1DCAF.2010507@mac.com>
In-Reply-To: <20041216115014.GI17158@clan.nothing-going-on.org>
References: <20041215191024.GA759@zaphod.nitro.dk> <20041216115014.GI17158@clan.nothing-going-on.org>

Nik Clayton wrote:
> On Wed, Dec 15, 2004 at 08:10:25PM +0100, Simon L. Nielsen wrote:
>>I started to reword and improve the first two sections of the firewall
>>chapter. Comments (both to the direction of the changes and the
>>actual patch)?
>
> OK, this is nit-picking, but...

I would not say this is nitpicking, but a question of proper use of jargon.

> I've always understood a firewall to be a combination of one or more
> technologies, implemented in a manner that provides security.

That's pretty good. The working definition from the firewall-wizards mailing
list is: "a firewall is a network device which implements a security policy."

> For example, a corporate firewall might consist of a packet filter, a
> mail scanning system, and an HTTP proxy.
>
> What the chapter (and the patch) are talking about so far is (just) a
> packet filter. Now a packet filter can, on its own, be the only
> technology used to implement a firewall. But to my mind the distinction
> is still important.

A software packet filter by itself can indeed be a firewall. An end-user
workstation can run firewall software, but the typical end-user workstation
itself is not a firewall, because it is not multihomed and is not
routing/bridging network traffic.

A "real" firewall is a network device which has two or more physical
interfaces and implements a security policy which modifies or prohibits
network traffic forbidden by the device's security policy from transiting
the firewall.

--
-Chuck