> If you're using IPTables as a separate firewall then wouldn't you just
> want SSHD listening on the internal interface?
>
> You're presuming that IPTables isn't protecting a single host. If
> you're using it on a desktop or a server filtering on the OUTPUT chain
> gives you a huge gain in security.

Very true on both points. You should only bind SSH to your secured channels. Even then you'll have to be careful of internal staff/wormed PCs trying to exploit the service. Good audit logging and IDS traps for SSH exploits would be a good start.

In the other case of a desktop Linux, it's very true that OUTPUT filtering will become more and more prevalent as desktop Linux matures. I was strictly speaking about gateway/firewalls, not end-user protection. I wouldn't doubt that someone will develop a netfilter module along the lines of ZoneAlarm and other 'personal' firewalls.
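The two points the thread agrees on, as an added example that is not from either poster: sshd bound only to the internal address, and a single-host ruleset whose OUTPUT chain is default-deny with every refusal logged for the audit trail. The interface name, addresses and log prefixes are placeholders, and the resolver is assumed to sit inside the management subnet.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed placeholders: internal interface
# eth1, host address 10.0.0.1, management subnet 10.0.0.0/24 (holds the resolver).
INT_IF="eth1"
INT_ADDR="10.0.0.1"
MGMT_NET="10.0.0.0/24"

# sshd_config directive that keeps sshd off the outside interface entirely.
sshd_listen_directive() {
    printf 'ListenAddress %s\n' "$INT_ADDR"
}

# Single-host ruleset: INPUT admits new SSH sessions only on the internal
# interface from the management subnet; OUTPUT is default-deny so a wormed
# process cannot phone home quietly. Refused SSH and outbound traffic is
# logged (LOG is non-terminating, so the packet then hits the DROP policy).
ssh_host_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT_IF -s $MGMT_NET -d $INT_ADDR -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH-DENIED "
iptables -A OUTPUT -o $INT_IF -d $MGMT_NET -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT-DENIED "
EOF
}

# Dry run by default so the rules can be reviewed; "apply" feeds them to the
# kernel (needs root) and prints the sshd_config line to add.
if [ "$1" = "apply" ]; then
    ssh_host_rules | sh
    sshd_listen_directive
else
    sshd_listen_directive
    ssh_host_rules
fi
```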