On Mon, Dec 06, 2010 at 08:09:29PM +0100, Miloslav Trmač wrote:
> I can see the following primary reasons to have a firewall:
> * Enforcing a sysadmin-set (system-wide or site-wide) policy.
>   "No, you will not run any bittorrent client on the company's
>   computer".
> * A "speed bump" that requires an independent action to prevent
>   unintentionally opening up a service.
>   "You have started $server, and it accepts connections from the
>   whole internet. Here's your chance to think about this again.
>   Do you want to open the port?"
The question implies some sort of GUI pop-up. More likely is the incidental
installation of something. Does Gnome still pull in Apache for peer-to-peer
filesharing? Or some other package misconfigured to listen when it
shouldn't. Installing a firewall by default contributes to defense in depth
at relatively little cost.
> * ZOMG WE NEED A FIREWALL
>   "I can't use this Linux thing, my bank requires me to run an
>   antivirus and a firewall."
And don't underestimate that need -- more places than banks have similar
requirements.
> Are there other reasons?
Programs like fail2ban use the packet filter to block aggressive brute-force
attempts. But I don't think any of them require an existing configuration of
some sort -- they just do their own thing on top of whatever is there.
--
Matthew Miller <mattdm(a)mattdm.org>
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences