In message <4058AEF2.2060109@he.iki.fi>, Petri Helenius writes:
> No, the applications should accept only authorized connections. If that would be the case, there would be no need to filter at packet level.

No. Quite apart from the fact that you mean "authorized", not "authenticated", the primary purpose of a firewall is to keep the bad guys away from the buggy code. Firewalls are the networks' response to the host security problem. Put in a NANOG-friendly way, they're a scalable security mechanism that can *help* defend you. Think of the endorsement on most tubes of (American) toothpaste:

    ... has been shown to be an effective decay-preventive dentifrice that can be of significant value when used as directed in a conscientiously applied program of oral hygiene and regular professional care.

If all you want to do is say "no" to all incoming connections on a single machine, you don't need a separate box labeled "firewall" -- assuming, of course, that your host is properly configured. Most systems aren't configured that way; worse yet, it takes a lot of knowledge to understand how to block things, and when it's ok to do so. (It's an amusing exercise to run ZoneAlarm on a new, out-of-the-box Windows machine and see how many different programs think they need to talk to the network, or (worse yet) act as servers.) But it's a lot of work to configure a machine to be that safe, and if you have a hundred or a thousand of them you can't do it; entropy will open up new holes -- that is, open up new sockets for buggy applications -- faster than you can close them down.

Add to that that you don't really know what's safe or unsafe, and that you have some services that are convenient for insiders but don't have adequate, scalable authentication on which you can build an authorization mechanism, and you see why firewalls are useful. Perfect? No, of course not. A good idea? Absolutely.

--Steve Bellovin, http://www.research.att.com/~smb