On Mon, Dec 06, 2010 at 11:00:53AM -0800, Jesse Keating wrote: > On 12/06/2010 10:07 AM, Miloslav TrmaÄ wrote: > > Richard W.M. Jones pÃÅe v Po 06. 12. 2010 v 18:04 +0000: > >> On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote: > >>> On Mon, 2010-12-06 at 10:54 +0100, MichaÅ Piotrowski wrote: > >>>> On most desktop systems firewall is not needed. Many users do not even > >>>> know how to configure it. In fact I disable it in most of my systems, > >>>> because there is no real use for it. So I asked a simple question > >>>> whether there is a need to install iptables by default? > >>>> > >>>> Your answer is not satisfactory for me - because not configured > >>>> firewall has nothing to do with security. In fact, it can only bring > >>>> false sense of security. > >>> > >>> I believe the default is to block incoming connections except for a few > >>> services. This is good if you are running a sloppily written > >>> single-user server that binds to the wildcard address. The Haskell > >>> Scion server fell in this category as of August 2009; I didn't look to > >>> see what a remote user might be able to do to me by connecting to it. > >>> Yes, the proper way to avoid problems is to bind to localhost, but the > >>> firewall can be nice. > >> > >> It would be nice if the firewall automatically followed services that > >> I have enabled and disabled. eg. If I explicitly enable the > >> webserver, it should open the corresponding port(s). > > Just disable the firewall and you'll get pretty much equivalent > > functionality. > > Mirek > > > > Right, I always struggle with this. If you allow services that bind to > a port once enabled to have the port open, then what good does it do to > have the port closed? > > I really wonder what real purpose a firewall serves on these machines. > Once you get past the "ZOMG WE NEED A FIREWALL".... > > I can somewhat see a firewall trying to protect a system from a user > process that got launched without the user being aware and binding to a > high port for nefarious reasons, but how do you balance that with the > legitimate applications that bind to high ports? The other benefit would be if the user only intended the service to be accessible to localhost, or a UNIX domain socket but for some reason screwed up their service's config & opened it to the world. Daniel -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
