On Thu, 2004-04-22 at 21:23, Jens Knutson wrote:
> On Thu, 2004-04-22 at 19:59, Matthew Miller wrote:
> > > desktop, that probably means everything is closed. If someone starts a
> > > service, the initscript or whatever can open the port. If you don't want a
> > > port open, stop the service.
> >
> > In that case, why even _have_ a firewall? If nothing's listening on a port,
> > it's not like anyone can connect to it.
>

I suppose it's just for the case where you want to listen for connections
from the local machine, but not from other machines? (Could use domain
sockets for this too) Also perhaps to block non-root users from starting
servers on unreserved ports.

> but then... if a service is to be made available, you can't have the
> firewall turned on for that port, so why have the service if the
> firewall will just prevent it from functioning?
>

Right, you just want to say "these services are available to the network,
and nothing else is available" - and have the firewall and which daemons
are started up reflect the desired availability.

I don't know. I'd be curious to hear about people who do anything complex
with firewalling a single system. I know people do really complex things
with a system that _is_ a firewall for a whole network. But for a
standalone system firewalling itself it seems like you always want
"enable the services this system provides, and disable everything else" -
which seems like it can be automated if we have knowledge of those
services.

Havoc
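As an added illustration (not part of the thread above, and not code from any of its participants), the following POSIX shell script shows what "enable the services this system provides, and disable everything else" looks like when automated from a list of service names. It also covers the two cases raised earlier in the thread: daemons that should only be reachable from the local machine keep working because loopback is accepted before the default deny, and a listener that nobody put on the list (say, a non-root user's server on an unreserved port) is what the audit reports. The service-to-port table, the `generate_rules`/`audit_listeners` function names and the listener sample are all constructed for this example; the functions only print iptables commands and findings, they apply nothing.

```shell
#!/bin/sh
# Added example: derive a host's own firewall from the list of services it is
# meant to provide, and audit its listeners against the same list.
# The service table and the sample listener data below are constructed for
# the example; a real tool would take them from the initscripts and from
# netstat/ss on the live host.

# service_port NAME -> prints PORT/PROTO for a known service name, fails otherwise.
service_port() {
    case "$1" in
        ssh)   echo "22/tcp" ;;
        http)  echo "80/tcp" ;;
        https) echo "443/tcp" ;;
        dns)   echo "53/udp" ;;
        *)     return 1 ;;
    esac
}

# generate_rules NAME... -> prints the iptables commands for a host that
# provides exactly the named services to the network. Prints only.
generate_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"                     # deny everything inbound by default
    echo "iptables -A INPUT -i lo -j ACCEPT"          # local-only daemons stay reachable locally
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for svc in "$@"; do
        spec=$(service_port "$svc") || { echo "unknown service: $svc" >&2; return 1; }
        echo "iptables -A INPUT -p ${spec#*/} --dport ${spec%/*} -m state --state NEW -j ACCEPT"
    done
}

# audit_listeners NAME... reads "PROTO LOCAL_ADDRESS" lines on stdin (netstat -ln
# reduced to two columns) and prints every socket bound to a non-loopback
# address whose PORT/PROTO is not among the named services. Those are the
# daemons a default-deny firewall would silently block, or that a host without
# a firewall would expose without anyone having decided to.
audit_listeners() {
    allowed=""
    for svc in "$@"; do
        allowed="$allowed $(service_port "$svc")"
    done
    while read -r proto addr; do
        case "$addr" in
            127.*|::1:*) continue ;;   # bound to loopback: not network exposure
        esac
        port=${addr##*:}
        case " $allowed " in
            *" $port/$proto "*) ;;      # provided on purpose
            *) echo "$port/$proto" ;;   # listening, but not on the service list
        esac
    done
}

# Constructed sample: what a desktop host might be listening on.
SAMPLE_LISTENERS='tcp 0.0.0.0:22
tcp 127.0.0.1:25
tcp 0.0.0.0:80
udp 0.0.0.0:631'

if [ "${1:-}" = "demo" ]; then
    generate_rules ssh http
    echo "--- listeners not covered by the service list:"
    printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners ssh http
fi
```

Running `sh script.sh demo` prints a ruleset that accepts only 22/tcp and 80/tcp from the network, and the audit flags 631/udp as a listener the service list does not account for; the local-only SMTP listener on 127.0.0.1 is not reported because the loopback rule keeps it working. The useful property is that both outputs come from one list, so the firewall and the set of running daemons cannot drift apart without the audit saying so.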