On Mon, 27.10.08 15:25, seth vidal (skvidal@xxxxxxxxxxxxxxxxx) wrote:

> If you'd like to have a CV-off with regard to security awareness and
> actual experience maintaining and securing systems and networks, I'd be
> happy to do so.
>
> Disabling firewalls on individual systems be they desktops or servers is
> a BAD idea. Full stop.

That is nonsense. Firewalls on a desktop make no sense, and David is right in that it is a relic and not much more. It's paranoia at best to keep this installed by default.

Why are desktop firewalls wrong?

1) They are not dynamic. In times where laptops are constantly moving between networks, with stuff like zeroconf or dynamically assigned port numbers, they would need to adapt dynamically to the circumstances. However, right now they are a single system-wide static rule table.

2) They do very very superficial security checking only. They hence give a false sense of security. Also, DNS or DHCP traffic is usually allowed without any inspection. Which makes the whole thing a joke. And then, using stuff like by-ip-range rules is treacherous -- IP addresses can be faked and in times of NAT are not unique.

3) They are redundant -- it's just a second line of defense. If you don't trust a service you run then maybe you shouldn't be running it at all. The way we have it right now on the desktop is that the firewall is mostly just a second line of why-the-fuck-is-my-stuff-not-working.

Firewalls do make sense -- on routers and on servers -- but not so much on desktops. If you want to make them somewhat sensible on desktops then you'd have to fix issue #1 above. That means you have to add some way that applications may issue requests to punch holes in the firewall. Which is kind of pointless, since calling listen() should implicitly be just this kind of request. And if it is, then the firewall is entirely redundant.

On routers and on servers it makes sense to use by-ip-range rules and a lot of other fancier rules. However, on the desktop -- because they move all the time between networks -- that makes no sense. So basically the desktop firewall boils down to globally allowing or globally not allowing connections to certain ports. And you know what? If that's all a desktop fw is about, then they are completely made redundant by listen().

Also, let's note that last time I checked, Ubuntu, as one popular example, didn't install a firewall on the desktop. Instead they simply have a strict policy about which services may listen on a port by default. And that's exactly what we should be doing, too. On Ubuntu only very few services may listen on a port by default, one being Avahi. And those services were of course very closely checked before they were whitelisted.

That said, it would make sense to add some option to NM to mark a specific network as "not trusted -- web only", in which case mDNS and everything else would be blocked and only HTTP/DNS/DHCP would be let through. But that would be optional -- and dynamic.

Without that, desktop firewalls are useless and everyone who wants to get work done disables them anyway. So let's disable them by default, too!

Lennart

--
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net         ICQ# 11060553
http://0pointer.net/lennart/           GnuPG 0x1A015CC4

--
Fedora-desktop-list mailing list
Fedora-desktop-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
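One concrete form of the "strict policy about which services may listen" that the message prefers over a static firewall, added here as an example that is not part of the thread: a small audit that parses `ss -tulnp` output and reports every listening socket whose owning process is not on an allow-list, noting whether it is bound on all interfaces. The sample output and the allow-list are constructed; the column layout assumed is the one `ss` prints with -t/-u/-l/-n/-p.

```python
import re
from typing import NamedTuple

# Constructed sample of `ss -tulnp` output, not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=640,fd=12))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=701,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      50     [::]:5900          [::]:*            users:(("vino-server",pid=1333,fd=9))
"""

# Constructed allow-list in the spirit of "only these services may listen
# by default": (protocol, port) -> process that is permitted to own it.
ALLOWED = {("udp", 5353): "avahi-daemon",     # mDNS
           ("udp", 53): "systemd-resolve",    # local stub resolver
           ("tcp", 631): "cupsd"}             # printing

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str

WILDCARD = {"0.0.0.0", "*", "::", "[::]"}  # bound on every interface

def parse_ss(text: str) -> list[Listener]:
    """Parse the listening sockets from `ss -tulnp` text output."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        proto, local, proc = fields[0], fields[4], fields[6]
        addr, _, port = local.rpartition(":")
        addr = addr.split("%")[0]               # drop scope suffix, e.g. %lo
        m = re.search(r'\("([^"]+)"', proc)
        listeners.append(Listener(proto, addr, int(port), m.group(1) if m else "?"))
    return listeners

def audit(listeners: list[Listener], allowed=ALLOWED) -> list[str]:
    """One finding per socket whose (proto, port, process) is not allow-listed."""
    findings = []
    for l in listeners:
        if allowed.get((l.proto, l.port)) == l.process:
            continue
        scope = "all interfaces" if l.addr in WILDCARD else "one address"
        findings.append(f"{l.process} {l.proto}/{l.port} on {l.addr} ({scope})")
    return findings
```

Feed it real output with `parse_ss(subprocess.run(["ss", "-tulnp"], capture_output=True, text=True).stdout)`; an empty `audit()` result means nothing outside the policy is reachable regardless of what any host firewall does.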