Rework of firewall chapter start
Chuck Swiger
cswiger at mac.com
Thu Dec 16 19:06:34 UTC 2004
Nik Clayton wrote:
> On Wed, Dec 15, 2004 at 08:10:25PM +0100, Simon L. Nielsen wrote:
>>I started to reword and improve the first two sections of the firewall
>>chapter. Comments (both to the direction of the changes and the
>>actual patch)?
>
> OK, this is nit-picking, but...
I would not say this is nitpicking, but a question of proper use of jargon.
> I've always understood a firewall to be a combination of one or more
> technologies, implemented in a manner that provides security.
That's pretty good. The working definition from the firewall-wizards mailing
list is: "a firewall is a network device which implements a security policy."
> For example, a corporate firewall might consist of a packet filter, a
> mail scanning system, and an HTTP proxy.
>
> What the chapter (and the patch) are talking about so far is (just) a
> packet filter. Now a packet filter can, on its own, be the only
> technology used to implement a firewall. But to my mind the distinction
> is still important.
A software packet filter by itself can indeed be a firewall.
An end-user workstation can run firewall software, but the typical end-user
workstation itself is not a firewall, because it is not multihomed and is not
routing/bridging network traffic. A "real" firewall is a network device which
has two or more physical interfaces and implements a security policy which
modifies or prohibits network traffic forbidden by the device's security
policy from transiting the firewall.
--
-Chuck
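To make the distinction in the thread concrete, here is an added example (not from the handbook chapter, the patch under discussion, or any poster) of what "a network device with two or more interfaces implementing a security policy" looks like as a pf ruleset on a FreeBSD host. The interface names `em0`/`em1`, the LAN range `192.168.1.0/24`, and the permitted services are assumptions chosen for illustration; the host is expected to have forwarding enabled (`gateway_enable="YES"` in rc.conf) so that traffic actually transits it.

```pf
# Added example, not part of the handbook or this thread.
# A minimal pf.conf for a multihomed FreeBSD host acting as the firewall
# between an internal LAN and the Internet. Names and addresses are assumed.
ext_if  = "em0"                 # assumed: interface facing the Internet
int_if  = "em1"                 # assumed: interface facing the LAN
lan_net = "192.168.1.0/24"      # constructed private address range

# The loopback interface is not subject to the policy.
set skip on lo0

# Translation: LAN hosts reach the Internet through the firewall's address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Anti-spoofing: packets claiming a LAN source must never arrive on the
# external side. "quick" makes this decision final.
block in quick on $ext_if from $lan_net to any

# The policy itself, default-deny: nothing transits the device unless a
# later rule explicitly allows it (pf uses last-matching-rule semantics).
block log all

# Management: SSH to the firewall itself, from the LAN only.
pass in on $int_if proto tcp from $lan_net to ($int_if) port 22 keep state

# LAN hosts may initiate web, mail submission and DNS; state entries let the
# replies return without a separate inbound rule.
pass in on $int_if proto tcp from $lan_net to any port { 80 443 25 } keep state
pass in on $int_if proto { tcp udp } from $lan_net to any port 53 keep state

# Flows already admitted above may leave via the external interface.
pass out on $ext_if keep state
```

The point of the example is the forwarding position rather than any particular rule: the same `block`/`pass` syntax on a single-homed workstation only governs that host's own sockets, whereas here every packet moving between `em1` and `em0` is subject to the policy, which is what makes the device a firewall in the sense Chuck describes. Load it with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf` to apply.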