[TriLUG] host-based dynamic app/port firewall?
Aaron Schrab
aaron at schrab.com
Wed Oct 24 01:24:27 EDT 2012
At 00:57 -0400 24 Oct 2012, Kevin Hunter <hunteke at earlham.edu> wrote:
>Or, since no application would be listening on a port, is it a complete
>non-issue? (For example, if Apache is disabled, and since nothing else
>should be listening on port 80, does it amount to the same thing as if
>there were a firewall rule denying access?)
I really don't see any reason to try to do that type of dynamic firewall
rule. If a port isn't being used, the kernel will already reject
incoming packets to that port. Someone running nmap against the box
would be able to tell the difference between a port being blocked by a
standard firewall drop or reject rule and a port that isn't being
listened to. But the non-firewalled port would likely be seen as more
of a reason to give up.
A firewall for a single machine is generally used either to provide
better access control or to prevent access to services that aren't
intended to be provided. Both of those can be handled by static
firewall rules that allow access to the necessary ports even when
nothing is listening on them.
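The distinction Aaron draws above (the kernel answering for an unused port versus a firewall rule dropping or rejecting the packet) can be checked from the host side with an ordinary `connect()` call. The following is an added example, not code from the list post or from TriLUG; it assumes a loopback interface is available and that the kernel will hand out a free ephemeral port when asked to bind port 0.

```python
import errno
import socket


def probe_tcp(host, port, timeout=1.0):
    """Classify how (host, port) answers a single TCP connect() attempt.

    "open"     : handshake completed, something is listening
    "refused"  : the kernel sent RST because nothing listens there, or a
                 REJECT rule sent ICMP port-unreachable; connect() maps
                 both to ECONNREFUSED, so only a packet capture tells them
                 apart
    "filtered" : nothing came back before the timeout (a DROP rule, or a
                 path that silently discards), or ICMP host/net-unreachable
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "refused"
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise


def open_then_closed(host="127.0.0.1"):
    """Bind a listener on a kernel-chosen loopback port, probe it, close the
    listener, and probe again: the second result shows what an unused port
    looks like with no firewall rule involved at all."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp(host, port)
    srv.close()                  # service "disabled": no listener any more
    after_close = probe_tcp(host, port)
    return while_listening, after_close


if __name__ == "__main__":
    print(open_then_closed())    # expect ("open", "refused")
```

Run against a port protected by a DROP rule, `probe_tcp` returns "filtered" instead, which is the observable difference Aaron mentions; a REJECT rule collapses into "refused" from the application's point of view, so verifying which of the two a static rule produces needs a capture rather than a connect attempt.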