Måns Nilsson wrote:
Firewalls are a patch to broken network application architecture. If your applications would have been properly designed, you would not have the need for firewalls. They are for perimeter defence only anyway.
Right on - if you can't plug a machine directly into the internet and rely on its own defenses & well written code to keep it safe, why are you plugging it in at all?
The important wording here is "every computer should have one"; indicating that it is the host that protects itself. This said, I do agree that properly written operating systems do not even need this. One free Unix-clone I happen to run manages to reach this level of properness; so it is definitely possible.
I agree completely with this - several years ago I expunged Microsoft products from my life with the sole exception of one internet-free box for playing Civilization II, and my blood pressure dropped dramatically. A little while later I expunged Red Hat in favor of FreeBSD and I experienced a decrease in trouble that was nearly as satisfying as the Windows => Red Hat transition. Now there is a brand new OpenBSD box here. The major release upgrade process is not nearly as nice as FreeBSD, but you have to just love that non-executable stack, ssh privilege separation, and all the other details that are just taken care of by the OBSD crew. Perhaps it'll start making inroads on my FreeBSD installed base.