Re: firewall configuring

Tim <ignored_mailbox@xxxxxxxxxxxx> writes:

> Allegedly, on or about 14 November 2012, lee sent:
>> They are saying on the web page that it has the advantages of not
>> unloading the modules and being able to change FW configuration
>> without interrupting connections and while keeping the firewall up.
>> I've never had problems with that on Debian
>
> Nor I with Fedora.  I used to change rules while testing things, I don't
> recall connections being broken when I did that.

I haven't done any testing about it --- connections were not interrupted
on Debian, and I can't tell for Fedora yet.

>> A constantly running daemon that can quietly modify firewall rules
>> looks like a nice tool for creating security problems.
>
> Especially if controlled by applications, rather than the user.  It's
> for reasons like that, that I always disallowed UPnP in modem/routers.
> Allowing applications, especially on Windows, to just do what they
> wanted with the firewall negated the concept of having one.

Mmhm --- and with firewall rules, it likely won't show up unless you
actually check and monitor something like the output of 'iptables
--list'.  So upgrading the firewalling on Fedora will mean downgrading
on security, which is counterproductive.

>> FTP isn't using random ports.  It's using two ports, and firewalls
>> need to be set up correctly to deal with that.  There's a kernel
>> module for this very purpose.
>
> There are two modes of FTP, active and passive.  With one of them, the
> traditional method of using FTP, the second connection was on a random
> port.  Sometimes you have to use a server that only works that way, and
> it can be a right pain.

Some routers have trouble with it ...

> I haven't used Shorewall, so I can't comment on its behaviour.

With shorewall, I've only been running an ftp server over ssh, and it
just worked with opening the appropriate ssh port.  I couldn't find out
what actually happened in the background and was worried whether the
connection on one of the ports would be unencrypted or whether everything
goes over the same port in that case ...


-- 
Fedora 17
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
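As an added example that is not part of the original thread, here is one way to do the "actually check and monitor" step the reply above mentions: a small POSIX shell script that normalizes `iptables-save` output (comments and per-chain counters stripped), compares it with a baseline saved when the ruleset was known to be correct, and reports every rule that appeared or disappeared since. The two sample dumps, the function names and the file paths are constructed for illustration; the only external tool assumed is `iptables-save`, which needs root and is not run on the sample data.

```shell
#!/bin/sh
# Added example (not from the thread): detect changes to the live netfilter
# ruleset by comparing a normalized iptables-save dump against a baseline
# taken when the firewall was known to be in the intended state.
export LC_ALL=C

# Drop comment lines and the per-chain packet/byte counters, which change
# with every packet and are not rule changes.
normalize_ruleset() {
    grep -v '^#' | sed 's/^\(:[^ ]* [^ ]*\) \[[0-9]*:[0-9]*\]$/\1/'
}

# Compare two dumps. Prints "+ rule" for rules only in the current dump and
# "- rule" for rules only in the baseline. Returns 0 if they match, 1 if not.
ruleset_diff() {
    work=$(mktemp -d) || return 2
    normalize_ruleset < "$1" | sort > "$work/base"
    normalize_ruleset < "$2" | sort > "$work/cur"
    comm -13 "$work/base" "$work/cur" | sed 's/^/+ /'
    comm -23 "$work/base" "$work/cur" | sed 's/^/- /'
    if cmp -s "$work/base" "$work/cur"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# Live check: dump the running ruleset (needs root) and compare it with the
# saved baseline. Suitable for a cron job that mails any non-empty output.
check_live_ruleset() {
    baseline=$1
    current=$(mktemp) || return 2
    iptables-save > "$current"
    if ruleset_diff "$baseline" "$current"; then rc=0; else rc=$?; fi
    rm -f "$current"
    return $rc
}

# Constructed sample dumps in iptables-save format, standing in for a real
# baseline and a later snapshot in which one rule was added and one removed.
sample_baseline() {
cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [1024:98304]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2048:131072]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed (constructed sample)
EOF
}

sample_current() {
cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [4096:393216]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8192:524288]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
# Completed (constructed sample)
EOF
}

# Demonstration on the constructed samples; does not touch the live firewall.
demo() {
    d=$(mktemp -d) || return 2
    sample_baseline > "$d/baseline.rules"
    sample_current > "$d/current.rules"
    if ruleset_diff "$d/baseline.rules" "$d/current.rules"; then rc=0; else rc=$?; fi
    rm -rf "$d"
    return $rc
}
```

Run `demo` to see the two-line report for the constructed samples (the port 21 rule as added, the port 22 rule as removed). For a real host, save `iptables-save` output once as the baseline and schedule `check_live_ruleset /path/to/baseline.rules` from cron; a daemon or application that quietly edits the ruleset then shows up as lines in the next report instead of going unnoticed. Sorting before `comm` means a pure reordering of rules is not reported, even though order can matter for matching; a stricter variant would compare the normalized dumps unsorted.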