Hello all, if I have a computer that is not listening to ANY port, would I need a firewall? Thanks Frank
- posted
16 years ago
If you have NO sex, do you need a condom?
Anyway, depends on your understanding of "firewall".
Having no open ports doesn't necessarily mean you are safe.
If there are no open ports, no outside program (read: malware) can initiate a connection to this machine. But if the malware is already loaded on that machine, there is nothing in its way to start a connection from there. You get the picture...
HTH Uli
As there isn't anything effective against that scenario (except explicit whitelisting with really safe remote hosts), this isn't an argument either.
For some serious applications:
- ingress and egress filtering, spoof filtering
- protocol validation
- protection against accidental misconfiguration
- second line of defense
- saving traffic by not replying to known bogus traffic
But well, there's no explicit need for these.
The ports are not closed, there are just no services listening to them.
I get your point about malware already on the computer. But let's assume there is no malware already there, would it be safe to have open ports with no services listening to them? Regards Frank
Looking at RFC 793, this is exactly what "closed" means.
A port which is open without a passive listener must have an active listener, e.g. a client application, which in turn only communicates with exactly one host, and of course can be exploited over that connection by that host. But this is generally true for every intended connection.
I tend to say yes, it is safe. There might be the risk of getting attacked through commonly known but still unpatched bugs/holes/insecurities of the used networking stack.
Uli
In general: no.
If you want to prevent access to accidentally opened ports (e.g. some application listens on a port without you noticing) you may still want to implement a firewall, though. However, this doesn't necessarily prevent malicious applications from receiving inbound traffic, and has the disadvantage of additional code that may contain exploitable bugs of its own.
cu
59cobalt
Nope, no firewall needed.
But, you would not be able to reach the Internet or any other machine on your LAN. You would be safe though :) LOL! In fact, you could save a lot of money on switches, routers, UTP cables, wireless cards, etcetera. Since you are not listening anyway, you don't need any of those things.
-Frank
o_O
Wow, you sure used a lot of words to say "I'm a clueless idiot".
You can do a lot of networking stuff without having your computer listen on any port.
cu
59cobalt
Depending on the definition of firewall, I would agree.
Nonsense.
More nonsense.
Nonsense continued.
/B. Nice
May I sig this?
No you can't.
-Frank
Yes you can.
/B. Nice
I guess that's why AOL has no customers?
I can't? Let's see. Open a web browser and surf to some web pages: hmmm, nothing listening on any port. Open a mail client and read mail: nothing listening. SSH into a remote host: well, well, well, again nothing listening on any port. Fetch some files using The Ugliest Protocol Of All Times (AKA FTP): waddayaknow, still nothing listening on any port at all.
Looks like I can very well.
BTW, you can check that most easily with the tool "netstat".
On second thought: make that "anyone but you".
cu
59cobalt
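The distinction argued over in this thread (a socket in the LISTEN state versus an established outbound connection) can be read straight from `netstat` output. The following is an added example, not part of any post: it parses a constructed sample in the layout of Linux `netstat -tan` and reports which ports accept new inbound connections from other hosts; the function names and addresses are assumptions.

```python
import ipaddress

# Constructed sample in the layout of Linux `netstat -tan` (not from the thread).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:51234        198.51.100.7:443        ESTABLISHED
tcp        0      0 192.0.2.10:51240        198.51.100.9:22         ESTABLISHED
tcp        0      0 192.0.2.10:51302        198.51.100.7:80         TIME_WAIT
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
"""

def parse(text):
    """Yield (proto, local_ip, local_port, state) for each TCP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or not f[0].startswith("tcp"):
            continue  # banner, column header or non-TCP line
        # The last colon separates the port, which also works for IPv6.
        host, _, port = f[3].rpartition(":")
        yield f[0], ipaddress.ip_address(host), int(port), f[5]

def listeners(text):
    """Sockets in LISTEN: the only ones that accept new inbound connections."""
    return [(p, ip, port) for p, ip, port, st in parse(text) if st == "LISTEN"]

def exposed(text):
    """Ports with a listener bound to something other than loopback."""
    return sorted({port for _, ip, port in listeners(text) if not ip.is_loopback})

def outbound_only(text):
    """True when the host has connections but no non-loopback listener."""
    has_conn = any(st == "ESTABLISHED" for *_, st in parse(text))
    return has_conn and not exposed(text)

if __name__ == "__main__":
    print("reachable listening ports:", exposed(SAMPLE))
    print("outbound-only host:", outbound_only(SAMPLE))
```

The ESTABLISHED rows use ephemeral local ports and never appear among the listeners, which is why a host can browse, read mail or use SSH with nothing in LISTEN.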
Wrong.
Nothing listening for *new* connections on any port, but you sure have something listening for returning packets.
Wrong. FTP knows authentication, TFTP doesn't. ;-D
Now would you please read RFC 793 and maybe also the POSIX standard to clearly understand what "listening" means in terms of TCP/IP communication?
No you can't.
-Frank
No.
Would you guys please shut the fuck up until you have at least basic knowledge of what you're talking about? "listening" is a well defined state for a socket and has nothing to do with "returning packets".
cu
59cobalt