> While Craig is correct that a properly configured set of
> packet filters will protect you from some things, I don't see how a
> filter will protect sendmail, which is supposed to get packets from
> all over the net.
If sendmail *on the firewall* never sees a packet, what's the risk?
I run sendmail on a different machine on my DMZ, not the firewall.
And, yes, it is at risk though contained.
> Further, if you make a mistake in your filter rules, or if
> FW-1's rule compiler has a bug, then having a hardened OS underlying
> is a useful layer of additional defense.
No argument here. I removed lots of stuff from my firewall even
with FW-1. But if anyone doesn't think they can trust FW-1 (i.e.
any purchased firewall) then they need to go write their own.
But I bought one because I have a life!
> Craig wrote:
> | > Adam Shostack wrote
> | > Don't forget to harden the underlying OS before installing, a
> | > point which the manual makes no mention of. I've seen FW-1s running
> | > on a Sun with Sun's shipped sendmail. Hmmm. If you're already
> | > running FWTK, you've probably done this, but there are a number of
> | > vendors who say 'our OS is good enough for a firewall.'
> | I say that this is not necessary. If you set up your filters
> | correctly, then Solaris will never see any packets it's not
> | supposed to since the filters operate between the ethernet
> | driver and the higher protocol stacks. The key is to set up
> | the filters correctly; i.e. don't allow any communication to
> | the firewall itself.
> | Craig
> "It is seldom that liberty of any kind is lost all at once."
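The point both sides of this exchange share is that the rulebase must deny every packet addressed to the firewall itself, and that a mistake in the rules is exactly what exposes the host. The following rulebase audit is an added example, not code from this thread or from FW-1; it uses a constructed, simplified rule model (src/dst/service/action, first match wins) and constructed addresses, not FW-1's real rulebase format.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, simplified rule model (not FW-1's actual rulebase format):
# rules are evaluated top to bottom, first match wins.
@dataclass(frozen=True)
class Rule:
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # service name, or "any"
    action: str   # "accept" or "drop"

def _covers(cidr, addr):
    return cidr == "any" or addr in ipaddress.ip_network(cidr, strict=False)

def rules_exposing_firewall(rules, firewall_addrs):
    """For each of the firewall's own interface addresses, walk the rulebase
    in order and report every accept rule that could deliver traffic to it.
    A drop rule for that address with src=any and service=any fully shields
    it, so the walk stops there. Partial drops are ignored, so the check is
    conservative: it may over-report, never under-report."""
    findings = []
    for addr_s in firewall_addrs:
        addr = ipaddress.ip_address(addr_s)
        for i, r in enumerate(rules):
            if not _covers(r.dst, addr):
                continue
            if r.action == "accept":
                findings.append((i, addr_s))
            elif r.src == "any" and r.service == "any":
                break  # fully shielded from here on
    return findings

# Constructed example: outside address 192.0.2.1, inside address 10.0.0.1,
# DMZ mail host at 192.0.2.25. Rule 0 was meant for the mail host, but its
# /24 also covers the firewall's own outside address.
FIREWALL_ADDRS = ["192.0.2.1", "10.0.0.1"]
LEAKY_RULES = [
    Rule("any", "192.0.2.0/24", "smtp", "accept"),
    Rule("any", "10.0.0.1", "any", "drop"),
    Rule("10.0.0.0/8", "any", "any", "accept"),
    Rule("any", "any", "any", "drop"),
]
# Fix: a "stealth" rule at the top dropping everything addressed to the
# firewall itself, before any accept rule can match.
STEALTH_RULES = [Rule("any", a, "any", "drop") for a in FIREWALL_ADDRS] + LEAKY_RULES

if __name__ == "__main__":
    print(rules_exposing_firewall(LEAKY_RULES, FIREWALL_ADDRS))    # [(0, '192.0.2.1'), (2, '192.0.2.1')]
    print(rules_exposing_firewall(STEALTH_RULES, FIREWALL_ADDRS))  # []
```

The leaky rulebase reports rule 0 (the over-broad SMTP accept) and rule 2 (internal hosts allowed to "any", which includes the firewall's outside address); with the stealth rules in front, nothing reaches the firewall host, which is the configuration Craig describes.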