Turning off firewalls not recommended
Authored by: sben on Apr 03, '03 11:39:00AM

While an interesting hint, and while it may point to the "correct" solution (perhaps the ident port suggestions posted above? perhaps some DNS-related issue?), I can't recommend turning off your firewall altogether.

First, most practically, if you're using a laptop, you will take it somewhere there's no firewall. A friend's house with a naively-configured AirPort? Your office where an old sysadmin forgot to turn off a remote access port after he finished working from home?

Secondly, more fundamentally, good security includes (among many other things) security in depth. Sure, you definitely want a Very Strong primary firewall, but secondary firewalls (e.g. on each individual Mac) will go a long way towards protecting the network if (when) the primary firewall is compromised.

Thirdly, related to the second point, if you're on a corporate network, keep in mind that most security breaches occur from within — either via social engineering, or Trojan horses, or disgruntled employees.



Turning off firewalls not recommended
Authored by: BigMac2 on Apr 03, '03 10:41:09PM

I've been on the internet far before the invention of the hypertext. And it's still astonishing to see how many misconceptions there are about it. First of all, SMTP never uses IDENT. Second of all, for all paranoid people, stop all your crap about being hacked behind a NAT. Even if there is some port open on OSX, it can't be accessed from other computers, and in the case that you have enabled some sharing stuff on your computer, the built-in firewall configuration in Jaguar will unfilter this port.



Turning off firewalls not recommended
Authored by: EddEdmondson on Apr 04, '03 05:15:43AM
Of course SMTP never uses ident, they're two different protocols. But that doesn't mean that SMTP servers never make use of ident.

When I posted that first comment I'd never come across an SMTP server that made ident requests, but it seems sendmail for one has the ability to do so. Try using Google (like I did) before dismissing a possible solution out of hand.

And I can't see anywhere that anyone has claimed you can be hacked through NAT without some further compromise - at least that's how I interpret sben's line 'compromise of the primary firewall'.
