Henrik Carlqvist wrote:
> Jason Hoss <jehoss@nospam.msn.com> wrote:
>> Henrik Carlqvist wrote:
>>> I wouldn't want to have the firewall functionality on a server that is
>>> supposed to be protected by the firewall. Mostly, because I wouldn't
>>> want any server functionality on the firewall.
>
>> I would have to disagree with you there Henrik. The reason being is that
>> if you subscribe to the 1 firewall protecting the network scheme, then if
>> someone gets past your firewall, you potentially have a lot of
>> "unprotected" systems. It is not a bad idea to have a firewall up on a
>> system even though it is not on the "edge".
>
> Ok, it won't harm to have firewalls also on internal machines. I agree
> with this as my single firewall will only stop attacks from the outside.
> My single firewall will not be able to stop something like a trojan or
> spyware from "phoning home".
>
> However, to protect from attacks from the outside, I still prefer a simple
> firewall with no services like http, telnet or even ssh. As long as the
> firewall hasn't any services there is no way to break into it.
>
> regards Henrik
True, but for the paranoid among us it might not be good enough. I do
agree with your angle, however.