From owner-freebsd-doc@FreeBSD.ORG Thu Dec 16 19:06:34 2004
From: Chuck Swiger
Organization: The Courts of Chaos
Date: Thu, 16 Dec 2004 14:06:23 -0500
To: Nik Clayton
cc: freebsd-doc@FreeBSD.org
cc: "Simon L. Nielsen"
Subject: Re: Rework of firewall chapter start
Message-ID: <41C1DCAF.2010507@mac.com>
In-Reply-To: <20041216115014.GI17158@clan.nothing-going-on.org>
References: <20041215191024.GA759@zaphod.nitro.dk> <20041216115014.GI17158@clan.nothing-going-on.org>
List-Id: Documentation project

Nik Clayton wrote:
> On Wed, Dec 15, 2004 at 08:10:25PM +0100, Simon L. Nielsen wrote:
>> I started to reword and improve the first two sections of the firewall
>> chapter. Comments (both to the direction of the changes and the
>> actual patch)?
>
> OK, this is nit-picking, but...

I would not say this is nitpicking, but a question of proper use of jargon.

> I've always understood a firewall to be a combination of one or more
> technologies, implemented in a manner that provides security.

That's pretty good. The working definition from the firewall-wizards mailing list is: "a firewall is a network device which implements a security policy."

> For example, a corporate firewall might consist of a packet filter, a
> mail scanning system, and an HTTP proxy.
>
> What the chapter (and the patch) are talking about so far is (just) a
> packet filter. Now a packet filter can, on its own, be the only
> technology used to implement a firewall. But to my mind the distinction
> is still important.

A software packet filter by itself can indeed be a firewall. An end-user workstation can run firewall software, but the typical end-user workstation itself is not a firewall, because it is not multihomed and is not routing/bridging network traffic.

A "real" firewall is a network device which has two or more physical interfaces and implements a security policy which modifies or prohibits network traffic forbidden by the device's security policy from transiting the firewall.

-- 
-Chuck