Craig Bishop wrote (about Firewall-1):
] The thing I really like is the control over the filtering
] because the majority of it is being done on the bastion host not
] on a router (which gives you ZERO logging capability). With
] the filtering happening at the bastion host there are many more
] options for logging.
Marty Shannon replied:
>I think logging from the router could help catch attacks that don't use
>all the old standard tricks.
Even for standard attacks, it helps to have early warning of probes via
Telnet or Finger or other means. Just rejecting the packet allows the
intruder to continue to try different approaches whereas if failed
connections are logged, other defenses and alerts can be established.