Receive/Transmit

Do you always need a firewall?

by on Aug.25, 2010, under Networks

I recently read this post on Ivan Pepelnjak’s blog, where he discusses a pretty intense debate about whether or not firewalls are actually any good. The area where people are claiming they aren’t is in front of servers. One of the main benefits of a firewall is stateful packet inspection: the firewall monitors which connections are taking place and dynamically opens ports to let permitted return traffic through. However, one opinion is that since all packets to a server are unsolicited, stateful tracking is useless and you should instead stick with basic routers and access lists (which don’t fall down as easily in the event of a DoS/DDoS). I suppose this opinion is talking about servers in the classical sense, where they only ever take inbound connections and don’t initiate outbound ones. It’s very interesting reading, especially the comments.

For my part, I don’t deal with setups big enough to hit some of the limits they are discussing, but it’s certainly thought-provoking. Most people’s standard response is that you should have a firewall in front of everything, but after following the discussion I’m now not so sure.
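
The resource argument in that debate, as an added example that is not from the original post: a toy Python model of a stateless ACL and a stateful firewall with a bounded connection table, both in front of an inbound-only server. The addresses, port, table size and the absence of state timeouts are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed sample data: RFC 5737 documentation addresses, hypothetical service port.
Packet = namedtuple("Packet", "src sport dst dport flags")
SERVER = ("192.0.2.10", 443)

def acl_permits(pkt):
    """Stateless ACL: allow anything to the service port, plus server
    replies that carry ACK or RST (the classic 'established' match)."""
    if (pkt.dst, pkt.dport) == SERVER:
        return True
    if (pkt.src, pkt.sport) == SERVER:
        return "ACK" in pkt.flags or "RST" in pkt.flags
    return False

class StatefulFirewall:
    """Tracks one entry per client flow; the table has a hard size limit."""
    def __init__(self, max_states):
        self.max_states = max_states
        self.states = set()

    def permits(self, pkt):
        if (pkt.dst, pkt.dport) == SERVER:
            flow = (pkt.src, pkt.sport)
            if flow in self.states:
                return True
            if pkt.flags == "SYN" and len(self.states) < self.max_states:
                self.states.add(flow)      # every new inbound flow costs memory
                return True
            return False                   # no matching state, or table is full
        if (pkt.src, pkt.sport) == SERVER:
            return (pkt.dst, pkt.dport) in self.states
        return False

def simulate(flood_size, max_states):
    """Feed flood_size distinct half-open flows to both filters, then test
    whether one legitimate new client can still reach the server."""
    fw = StatefulFirewall(max_states)
    for i in range(flood_size):
        syn = Packet(f"198.51.100.{i % 250 + 1}", 1024 + i, *SERVER, "SYN")
        acl_permits(syn)                   # the ACL keeps nothing per packet
        fw.permits(syn)
    legit = Packet("203.0.113.5", 50000, *SERVER, "SYN")
    return {"acl": acl_permits(legit), "stateful": fw.permits(legit),
            "states_held": len(fw.states)}

if __name__ == "__main__":
    print("quiet :", simulate(0, 1000))
    print("flood :", simulate(5000, 1000))
```

With no flood the two filters make the same decision; once the table is full, the stateful device drops the legitimate client while the ACL still passes it.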
