Re: Firewall

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/06/2010 10:07 AM, Miloslav TrmaÄ wrote:
> Richard W.M. Jones pÃÅe v Po 06. 12. 2010 v 18:04 +0000:
>> On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
>>> On Mon, 2010-12-06 at 10:54 +0100, MichaÅ Piotrowski wrote: 
>>>> On most desktop systems firewall is not needed. Many users do not even
>>>> know how to configure it. In fact I disable it in most of my systems,
>>>> because there is no real use for it. So I asked a simple question
>>>> whether there is a need to install iptables by default?
>>>>
>>>> Your answer is not satisfactory for me - because not configured
>>>> firewall has nothing to do with security. In fact, it can only bring
>>>> false sense of security.
>>>
>>> I believe the default is to block incoming connections except for a few
>>> services.  This is good if you are running a sloppily written
>>> single-user server that binds to the wildcard address.  The Haskell
>>> Scion server fell in this category as of August 2009; I didn't look to
>>> see what a remote user might be able to do to me by connecting to it.
>>> Yes, the proper way to avoid problems is to bind to localhost, but the
>>> firewall can be nice.
>>
>> It would be nice if the firewall automatically followed services that
>> I have enabled and disabled.  eg. If I explicitly enable the
>> webserver, it should open the corresponding port(s).
> Just disable the firewall and you'll get pretty much equivalent
> functionality.
> 	Mirek
> 

Right, I always struggle with this.  If you allow services that bind to
a port once enabled to have the port open, then what good does it do to
have the port closed?

I really wonder what real purpose a firewall serves on these machines.
Once you get past the "ZOMG WE NEED A FIREWALL"....

I can somewhat see a firewall trying to protect a system from a user
process that got launched without the user being aware and binding to a
high port for nefarious reasons, but how do you balance that with the
legitimate applications that bind to high ports?

-- 
Jesse Keating
Fedora -- Freedom is a feature!
identi.ca: http://identi.ca/jkeating
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux