On 12/06/2010 10:07 AM, Miloslav TrmaÄ wrote: > Richard W.M. Jones pÃÅe v Po 06. 12. 2010 v 18:04 +0000: >> On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote: >>> On Mon, 2010-12-06 at 10:54 +0100, MichaÅ Piotrowski wrote: >>>> On most desktop systems firewall is not needed. Many users do not even >>>> know how to configure it. In fact I disable it in most of my systems, >>>> because there is no real use for it. So I asked a simple question >>>> whether there is a need to install iptables by default? >>>> >>>> Your answer is not satisfactory for me - because not configured >>>> firewall has nothing to do with security. In fact, it can only bring >>>> false sense of security. >>> >>> I believe the default is to block incoming connections except for a few >>> services. This is good if you are running a sloppily written >>> single-user server that binds to the wildcard address. The Haskell >>> Scion server fell in this category as of August 2009; I didn't look to >>> see what a remote user might be able to do to me by connecting to it. >>> Yes, the proper way to avoid problems is to bind to localhost, but the >>> firewall can be nice. >> >> It would be nice if the firewall automatically followed services that >> I have enabled and disabled. eg. If I explicitly enable the >> webserver, it should open the corresponding port(s). > Just disable the firewall and you'll get pretty much equivalent > functionality. > Mirek > Right, I always struggle with this. If you allow services that bind to a port once enabled to have the port open, then what good does it do to have the port closed? I really wonder what real purpose a firewall serves on these machines. Once you get past the "ZOMG WE NEED A FIREWALL".... I can somewhat see a firewall trying to protect a system from a user process that got launched without the user being aware and binding to a high port for nefarious reasons, but how do you balance that with the legitimate applications that bind to high ports? -- Jesse Keating Fedora -- Freedom is a feature! identi.ca: http://identi.ca/jkeating -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
