[Dovecot] Firewalls are [essentially] free - WAS: Re: Source patches from Apple
On 12/13/2008, Dave McGuire (mcguire@neurotica.com) wrote:
My network security is handled elsewhere. I too believe in layered security, but my desire to use the right tool for the job is much stronger. My mail server is busy serving mail; my network security is handled by equipment built and optimized for that job.
Firewalls don't add any (perceptible) extra work or overhead for most any system, even old systems with old processors and not much RAM...
Unless, of course, you have an insane number of rules...
It's not like it costs anything extra.... :)
Well...that's the attitude that got us operating systems that need a gigabyte of memory just to boot, and processors clocked at 3GHz that give me the same useful performance as my 4MHz Z80 twenty years ago. ;) Nothing is free.
Your argument is bogus - see above... again, a basic, properly configured firewall has negligible impact on pretty much any system's resources, even ancient ones...
So, yeah, enabling a firewall on a mail server is essentially free, whether talking impact on system resources, or dollar cost.
--
Best regards,
Charles
On Dec 13, 2008, at 12:57 PM, Charles Marcus wrote:
My network security is handled elsewhere. I too believe in layered security, but my desire to use the right tool for the job is much stronger. My mail server is busy serving mail; my network security is handled by equipment built and optimized for that job.
Firewalls don't add any (perceptible) extra work or overhead for most any system, even old systems with old processors and not much RAM...
Perhaps not immediately perceptible in themselves on most systems, but certainly calculable. And it all adds up. I use modern processors and gobs of RAM; that's not really relevant...My user-visible performance is effectively instantaneous, and I want to keep it that way. I admit that I may be taking a stand as a purist here, but it really does add up, I've seen it (and corrected it) myself.
It's not like it costs anything extra.... :)
Well...that's the attitude that got us operating systems that need a gigabyte of memory just to boot, and processors clocked at 3GHz that give me the same useful performance as my 4MHz Z80 twenty years ago. ;) Nothing is free.
Your argument is bogus - see above... again, a basic, properly configured firewall has negligible impact on pretty much any system's resources, even ancient ones...
So, yeah, enabling a firewall on a mail server is essentially free, whether talking impact on system resources, or dollar cost.
I am an embedded systems designer as well as a network administrator. I know very well what each and every instruction a CPU executes costs. In my embedded design work, I often spend hours optimizing out a single instruction. This can mean the difference between needing a $2 CPU vs. a $4 CPU in a high-volume product, or even, in extreme cases, the success or failure of a product. The decisions of 80% of network designers today (the clueless ones) notwithstanding, things are no different in the context of this discussion. Wasting resources leads to poor performance, reliability problems, and increased operating costs.
Why would I threaten the much-loved near-instantaneous response of my mail servers by spending resources there that are better spent on my border routers, whose CPUs sit at 90% idle time unless they're doing a BGP update?
By way of example, Windows became the bloated, dog-slow pile of crap that it is today because some idiot said something like "oh, let's throw this at the CPU, it's free!" Before long, the CPU was running half of the graphics operations, doing most of the work of the NIC, rasterizing for dumb printers ("WinPrinters"), doing the DSP that the modem should be doing ("WinModems"), etc etc. Look at the resource hog it has become because of this lack of knowledge, discipline, and good engineering practice. Even the clueless Windows world is moving to distributed processing (in the form of multi-core CPUs) to get back some of the performance they've wasted. Distributed processing within GPUs started even earlier.
Anyone claiming that any of this stuff is free should consider looking at the assembler output of the compiler when building a kernel. I have. Trust me, my friend, it's not free.
-Dave
-- Dave McGuire Port Charlotte, FL
Your argument is bogus - see above... again, a basic, properly configured firewall has negligible impact on pretty much any system's resources, even ancient ones...
So, yeah, enabling a firewall on a mail server is essentially free, whether talking impact on system resources, or dollar cost.
Why would I threaten the much-loved near-instantaneous response of my mail servers by spending resources there that are better spent on my border routers, whose CPUs sit at 90% idle time unless they're doing a BGP update?
Because even a firewall with a huge list of hosts to block will be faster than handling a ton of bogus logins from bots and script kiddies.
Because a border router can't tell if a connection coming from an IP is bad or not without deep packet inspection, and of course you have the results on the mail server itself. Also blocking all of these bogus requests at the iptables level will stop them from using any further resources.
You're right, it's not 'free', but the costs of doing it are cheaper than having to handle tons of bogus authentication, and the consequences less dire if they actually manage to find a working login name and password.
If they do find a working login name and password they are going to start hitting the SMTP server with it and then if they do get it to be in relay mode (either through SMTP AUTH or POP-before-SMTP) then you'll end up spewing spam and that will cost you a lot more resources than the firewall ever will.
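The message above argues that the mail server is the one host that actually knows which sources are hammering it with bogus logins, and that those sources should be dropped at the iptables level before they consume anything further. The following is an added example of that loop, written for this page; it is not code from the thread, from Dovecot, or from any of the participants. It assumes the "(auth failed, N attempts)" disconnect lines that Dovecot's imap-login/pop3-login processes write to syslog (the exact shape, the hostname, the sample log lines, the allowlist and the thresholds are all constructed for the example), counts failed attempts per source address inside a sliding time window, and renders the resulting DROP rules as strings rather than executing them, so it can be run offline and reviewed before anything touches the firewall.

```python
"""Derive host-firewall block rules from Dovecot authentication failures.

Added example for the thread above, not Dovecot's own code. Log-line format,
hostnames, addresses and thresholds below are assumptions made for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed shape of an imap-login/pop3-login auth-failure line; rip= is the
# remote (client) address, lip= the local one. Successful logins do not match.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?P<svc>imap|pop3)-login: .*\(auth failed, (?P<n>\d+) attempts\).*?"
    r"rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Networks we never auto-block (assumed management range and loopback), so a
# mistyped password from the admin desk cannot lock the admins out.
ALLOWLIST = [ip_network("192.0.2.0/24"), ip_network("::1/128")]

# Constructed sample log; syslog lines carry no year, so one is supplied below.
SAMPLE_LOG = """\
Dec 14 09:12:01 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec 14 09:12:04 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<test>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec 14 09:12:09 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec 14 09:12:20 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<sales>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec 14 09:13:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
Dec 14 09:14:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
Dec 14 09:15:00 mail dovecot: imap-login: Disconnected (auth failed, 12 attempts): user=<root>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.10
Dec 14 09:15:00 mail dovecot: imap-login: Disconnected (auth failed, 5 attempts): user=<root>, method=PLAIN, rip=2001:db8::9, lip=192.0.2.10
Dec 14 09:30:00 mail dovecot: imap-login: Disconnected (auth failed, 5 attempts): user=<root>, method=PLAIN, rip=2001:db8::9, lip=192.0.2.10
"""


def parse_failures(lines, year=2008):
    """Yield (timestamp, remote_ip, attempts) for every auth-failure line."""
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, ip_address(m["rip"]), int(m["n"])


def offenders(lines, threshold=10, window_minutes=10, year=2008):
    """Return the source addresses (sorted by text) that accumulated at least
    `threshold` failed attempts within any `window_minutes`-long window."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for ts, ip, n in parse_failures(lines, year):
        if any(ip in net for net in ALLOWLIST):
            continue  # never block allowlisted sources, however noisy
        events[ip].append((ts, n))

    bad = []
    for ip, evs in events.items():
        evs.sort()
        start, total = 0, 0
        for ts, n in evs:  # sliding window over this source's events
            total += n
            while evs[start][0] < ts - window:
                total -= evs[start][1]
                start += 1
            if total >= threshold:
                bad.append(ip)
                break
    # IPv4 and IPv6 objects do not compare with each other, so sort by text.
    return sorted(bad, key=str)


def iptables_rules(ips, ports=(110, 143, 993, 995)):
    """Render DROP rules for the mail ports; IPv6 sources need ip6tables."""
    port_list = ",".join(str(p) for p in ports)
    return [
        f"{'ip6tables' if ip.version == 6 else 'iptables'} -I INPUT -s {ip} "
        f"-p tcp -m multiport --dports {port_list} -j DROP"
        for ip in ips
    ]


if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG.splitlines())):
        print(rule)
```

With the constructed sample, only 203.0.113.7 crosses the threshold (ten failures in nineteen seconds); 192.0.2.50 is noisier but allowlisted, and 2001:db8::9 only reaches ten attempts when the window is widened to cover both of its bursts. Running the output through the shell (or feeding it to a cron job) is the step deliberately left out here, since in practice the rules should be rate-limited and expired rather than accumulated forever.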
On 12/14/2008 9:09 AM, Giuliano Gavazzi wrote:
and I'm not interested in running a firewall on my mail server.
Wow.. I can't imagine NOT running a mail server without a firewall...
you put in so many negatives there that the meaning came out the opposite of what you wanted, I suppose.
Two is not 'so many'... the meaning is plain (for anyone who understands English)...
But I think, like Zed, this thread is dead.
--
Best regards,
Charles
On S 14 Dec, 2008, at 17:22 , Charles Marcus wrote:
On 12/14/2008 9:09 AM, Giuliano Gavazzi wrote:
and I'm not interested in running a firewall on my mail server.
Wow.. I can't imagine NOT running a mail server without a firewall...
you put in so many negatives there that the meaning came out the opposite of what you wanted, I suppose.
Two is not 'so many'... the meaning is plain (for anyone who understands English)...
you make my point, as the negatives were three (can not - NOT - with no) for anyone understanding English... so the meaning was reversed (unless you meant otherwise...).
But I think, like Zed, this thread is dead.
uh? who is this Zed? My remark was just a frivolous post mortem then.
Giuliano
On Dec 14, 2008, at 11:57 AM, Giuliano Gavazzi wrote:
and I'm not interested in running a firewall on my mail server.
Wow.. I can't imagine NOT running a mail server without a firewall...
you put in so many negatives there that the meaning came out the opposite of what you wanted, I suppose.
Two is not 'so many'... the meaning is plain (for anyone who understands English)...
you make my point, as the negatives were three (can not - NOT - with no) for anyone understanding English... so the meaning was reversed (unless you meant otherwise...).
But I think, like Zed, this thread is dead.
uh? who is this Zed? My remark was just a frivolous post mortem then.
It's a reference to a movie entitled Pulp Fiction.
-Dave
-- Dave McGuire Port Charlotte, FL
On 12/14/2008, Giuliano Gavazzi (dev+lists@humph.com) wrote:
Wow.. I can't imagine NOT running a mail server without a firewall...
Two is not 'so many'... the meaning is plain (for anyone who understands English)...
you make my point, as the negatives were three (can not - NOT - with no) for anyone understanding English... so the meaning was reversed (unless you meant otherwise...).
Heh... ok, you got me, I forgot about the 'without' being a negative, so you're right...
But I think, like Zed, this thread is dead.
uh? who is this Zed? My remark was just a frivolous post mortem then.
It's a reference to the movie 'Pulp Fiction'...
http://www.youtube.com/watch?v=y7Yp2L6c2KM
--
Best regards,
Charles
On S 14 Dec, 2008, at 19:42 , Charles Marcus wrote:
But I think, like Zed, this thread is dead.
uh? who is this Zed? My remark was just a frivolous post mortem then.
It's a reference to the movie 'Pulp Fiction'...
what? They don't wear no helmet... I must admit I missed that movie!
To make this post less idle, let me say that even without patches dovecot runs very well on Mac OS X, both server and client (10.5 and 10.4), under launchd. I am glad nevertheless that Apple is taking an interest in it; maybe one day my setups (exim + courier once, now exim - dovecot) will be more standard ones.
Giuliano
On Dec 14, 2008, at 11:22 AM, Charles Marcus wrote:
and I'm not interested in running a firewall on my mail server.
Wow.. I can't imagine NOT running a mail server without a firewall...
you put in so many negatives there that the meaning came out the opposite of what you wanted, I suppose.
Two is not 'so many'... the meaning is plain (for anyone who understands English)...
But I think, like Zed, this thread is dead.
Ahh, one of my favorite movies. :)
-Dave
-- Dave McGuire Port Charlotte, FL
participants (4)
- Charles Marcus
- Dave McGuire
- Giuliano Gavazzi
- nuitari-dovecot@nuitari.net