> > Don't forget to harden the underlying OS before installing, a
> > point which the manual makes no mention of. I've seen FW-1s running
> > on a Sun with Sun's shipped sendmail. Hmmm. If you're already
> > running FWTK, you've probably done this, but there are a number of
> > vendors who say 'our OS is good enough for a firewall.'
> > Adam
> I say that this is not necessary. If you set up your filters
> correctly, then Solaris will never see any packets it's not
> supposed to since the filters operate between the ethernet
> driver and the higher protocol stacks. The key is to set up
> the filters correctly; i.e. don't allow any communication to
> the firewall itself.
While this is true, it is good practice to disable those services
that you do not need and to secure those services you do need
as a matter of course. I've a lot of faith in FW-1, but I have more
faith in just shutting the services down if I don't need them.
And if you shut down the services *and* configure your filters correctly,
you can sleep even more soundly at night.