Ip tables and NAT

Derek Broughton news at pointerstop.ca
Sat Feb 25 19:32:51 UTC 2006


Alan McKinnon wrote:

> I've seen many valid iptables setups running on gateways and routers.
> I've never yet seen such a thing on a workstation, regardless of what
> the user believes. Every case has been much work for no additional
> *real* benefit. Which raises the question: why do it at all then?

IMO, you answered that question in another thread.  You said that:

> The far better solution is a tool
> that displays running programs and which ports they have opened.

Since I haven't found such a thing, I count on iptables to prevent running
software from opening ports I don't know about.  If you know of anything
that does what you want, tell us.  It's not good enough just to run netstat
- it needs to be able to tell me when something starts to use a port &
learn and remember what ports should be open _in both directions_.  Like
certain Windows products...

Also, this discussion has focused on whether you need a firewall to stop
people outside your machine accessing open ports - that's only half of a
firewall's job.  It needs to prevent outgoing access.  AFAICT, the only way
I could prevent that would be with iptables.
-- 
derek
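The two halves of the job Derek describes (being told when something starts listening on a port you did not know about, and stopping unknown outbound traffic) can be covered with a few lines of shell and a default-deny OUTPUT chain. The script below is an added example written for this page, not code from the thread or from any Ubuntu package. It assumes the column layout of `ss -H -l -n -t -u -p` (Netid, State, Recv-Q, Send-Q, Local, Peer, Process); older systems would feed it `netstat -lntup` output reshaped to the same columns. The socket listing and the baseline are constructed sample data so the script runs offline; swap in a live capture for real use.

```shell
#!/bin/sh
# Added example (not from the original thread). Two tools:
#   1. unexpected_listeners: report sockets listening now that are not in a
#      known-good baseline ("tell me when something starts to use a port").
#   2. egress_rules: generate a default-deny iptables OUTPUT chain that logs
#      what it refuses, so the log teaches you which outbound ports to allow.

# Constructed sample of `ss -H -l -n -t -u -p` output (assumed column order:
# Netid State Recv-Q Send-Q Local Peer Process). The nc listener on 4444 is
# the "something I didn't know about".
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 127.0.0.1:631   0.0.0.0:* users:(("cupsd",pid=900,fd=7))
udp   UNCONN 0 0   0.0.0.0:68      0.0.0.0:* users:(("dhclient",pid=650,fd=6))
tcp   LISTEN 0 128 0.0.0.0:4444    0.0.0.0:* users:(("nc",pid=3110,fd=3))'

# Known-good listeners, one "proto:port:program" per line (constructed).
BASELINE='tcp:22:sshd
tcp:631:cupsd
udp:68:dhclient'

# normalize_ss SS_OUTPUT -> sorted unique "proto:port:program" lines.
# Port is the last ":"-separated field of the local address, which also
# works for IPv6 forms like "[::]:22" and wildcard forms like "*:22".
normalize_ss() {
  printf '%s\n' "$1" | awk '
    {
      proto = $1
      n = split($5, a, ":"); port = a[n]
      prog = "?"
      # Process column looks like users:(("sshd",pid=812,fd=3)); grab the name.
      if (match($0, /users:\(\("[^"]+"/)) {
        prog = substr($0, RSTART + 9, RLENGTH - 10)
      }
      print proto ":" port ":" prog
    }' | sort -u
}

# unexpected_listeners BASELINE SS_OUTPUT -> lines present now but absent
# from the baseline. Empty output means nothing new is listening.
unexpected_listeners() {
  { printf '%s\n' "$1"; echo "---"; normalize_ss "$2"; } | awk '
    $0 == "---"       { second = 1; next }
    !second           { known[$0] = 1; next }
    !($0 in known)    { print }'
}

# egress_rules "tcp:22 tcp:443 udp:53" -> iptables commands for a
# default-deny OUTPUT chain. Loopback and replies to established flows are
# allowed, listed destination ports are allowed, everything else is logged
# (rate-limited) and rejected so applications fail fast instead of hanging.
egress_rules() {
  echo "iptables -P OUTPUT DROP"
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for spec in $1; do
    proto=${spec%%:*}
    port=${spec#*:}
    echo "iptables -A OUTPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"egress-denied: \""
  echo "iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable"
}

# Demonstration on the constructed data; prints "tcp:4444:nc".
unexpected_listeners "$BASELINE" "$SAMPLE_SS"
```

To use it live, store `normalize_ss "$(ss -Hlntup)"` as the baseline once the machine is in a known-good state, then run `unexpected_listeners "$(cat baseline)" "$(ss -Hlntup)"` from cron and mail any output. For the outbound half, review `egress_rules` output and pipe it to `sh` as root; the kernel log lines prefixed `egress-denied:` are the "learn what should be open" step, and each one you decide is legitimate becomes another entry in the port list. Two caveats: iptables can restrict egress per user or group with `-m owner`, but not per binary, so a per-program policy on Linux still needs something beyond this script; and a program that listens only briefly between two cron runs will be missed, which is why the OUTPUT log, not the listener scan, is the more reliable signal for software phoning home.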
