On Sun, 14.06.09 14:01, Bruno Wolff III (bruno@xxxxxxxx) wrote:

> On Sun, Jun 14, 2009 at 20:08:31 +0200,
> Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
> >
> > enabled by default, like we currently do. If an application cannot be
> > trusted then it should not be allowed to listen on a port by default
> > in the first place. A firewall is an extra layer of security that
> > simply hides the actual problem.
>
> The point of the firewall is to block connections to services that are
> only supposed to be connected from trusted locations. This may be things
> you are testing, don't intend to be running, don't bind to 127.0.0.1 instead
> of 0.0.0.0, even though they are intended to be accessed from the local
> machine, or services that you only want to accept connections from a white
> list of IP addresses.

Aha! The currently existing firewall knows nothing about "trusted
locations". Which is precisely what makes it so pointless.

Also, if an application listens on 0.0.0.0 but should actually be
listening on 127.0.0.1 then this is a bug, which is simply taped over by
running a firewall. This really needs to be fixed in the application.

I mean, maybe it is just me, but I actually think that bugs should be
fixed where they are, and not by taping over them.

Everything you wrote above simply proves my points...

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
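The disagreement above turns on one concrete condition: a service meant only for local use that listens on 0.0.0.0 instead of 127.0.0.1. A defender can find such services directly rather than relying on the firewall to mask them. The following script is an added example, not code from the thread or from either author: it parses the Linux `/proc/net/tcp` table format and reports which listening IPv4 sockets are bound to the wildcard address and which to loopback. The sample table is constructed here for illustration (the ports, uids and inodes are made up), and the address decoding assumes a little-endian host, which is how the kernel prints these hex fields on x86.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real host).
# local_address is "HEXIP:HEXPORT"; st 0A is LISTEN, 01 is ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0277 0100007F:9C40 01 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 20 4 30 10 -1
"""

STATE_LISTEN = "0A"


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into ('a.b.c.d', port).

    The kernel prints the IPv4 address as a 32-bit integer in host byte
    order, so on a little-endian machine the hex string must be packed
    little-endian before inet_ntoa can read it as network-order bytes.
    """
    hexip, hexport = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hexip, 16)))
    return ip, int(hexport, 16)


def parse_proc_net_tcp(text):
    """Parse the table into a list of dicts, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 10:
            continue
        local_ip, local_port = decode_addr(parts[1])
        rows.append({
            "local_ip": local_ip,
            "local_port": local_port,
            "state": parts[3],
            "uid": int(parts[7]),
            "inode": int(parts[9]),
        })
    return rows


def audit_listeners(text):
    """Classify LISTEN sockets by bind address.

    Returns {"wildcard": [(port, uid), ...], "loopback": [(port, uid), ...]}.
    Anything under "wildcard" is reachable from every interface; if the
    service is only meant for local clients, that is the bug the thread
    describes, and it belongs in the service's configuration, not the firewall.
    """
    result = {"wildcard": [], "loopback": []}
    for row in parse_proc_net_tcp(text):
        if row["state"] != STATE_LISTEN:
            continue
        entry = (row["local_port"], row["uid"])
        if row["local_ip"] == "0.0.0.0":
            result["wildcard"].append(entry)
        elif row["local_ip"].startswith("127."):
            result["loopback"].append(entry)
    return result


if __name__ == "__main__":
    # Reading the live table on a Linux host would be:
    #   with open("/proc/net/tcp") as f: text = f.read()
    report = audit_listeners(SAMPLE_PROC_NET_TCP)
    for port, uid in report["wildcard"]:
        print(f"port {port} (uid {uid}) listens on 0.0.0.0: exposed on all interfaces")
    for port, uid in report["loopback"]:
        print(f"port {port} (uid {uid}) listens on 127.0.0.1: local only")
```

The script only covers `/proc/net/tcp` (IPv4); `/proc/net/tcp6` uses a 128-bit field with a different word layout and is not handled here. Run it on a live host by swapping in the contents of the real file, then compare the wildcard list against the services you actually intend to expose.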