Jesse Keating writes on Mon 06. 12. 2010 at 11:14 -0800:
> On 12/06/2010 11:09 AM, Miloslav Trmač wrote:
> > Jesse Keating writes on Mon 06. 12. 2010 at 11:00 -0800:
> >> Right, I always struggle with this. If you allow services that bind to
> >> a port once enabled to have the port open, then what good does it do to
> >> have the port closed?
> >>
> >> I really wonder what real purpose a firewall serves on these machines.
> >> Once you get past the "ZOMG WE NEED A FIREWALL"....
> >
> > I can see the following primary reasons to have a firewall:
> >
> > * Enforcing a sysadmin-set (system-wide or site-wide) policy.
> >
> >   "No, you will not run any bittorrent client on the company's
> >   computer".
>
> That's an excellent reason for being able to deploy a firewall. Not
> really sure this is a good reason for having a firewall configured by
> default on personal installs.

It's not, but we don't really have "personal installs"; any system can be a desktop, a server, or both at the same time.

> > * A "speed bump" that requires an independent action to prevent
> >   unintentionally opening up a service.
> >
> >   "You have started $server, and it accepts connections from the
> >   whole internet. Here's your chance to think about this again.
> >   Do you want to open the port?"
>
> Yet we don't have that kind of UI present. So instead now we have
> people trying to turn on services, having it not work, and spending time
> / energy fiddling with config files before they finally realize it was
> the firewall.

For "server" applications, I don't think this is a big problem: if the user has been able to find and edit httpd.conf, they can also learn about the firewall.

For "desktop" users, what kind of services are we talking about? gnome-user-share? Will a "desktop" user know about this concept, or just send the data over e-mail or IM? SIP? Desktop sharing? An incoming connection won't be able to come through the ADSL modem's NAT anyway, so some kind of tunneling or an external service broker (which turns the connection from incoming into outgoing, enabled by default) is needed.

It may be just me, but I really can't remember a single example when the firewall has broken something for me, at least in the last 10 years.

> Then they just turn it off and grumble. At least the
> other OS gives you a pop up to let some service through, although there
> are problems with that too.

My experience with the Windows prompts is absolutely horrible - I started an application and I was asked "do you want this to bypass the firewall" - I know that if I deny the request, the application will probably not work, but I'm never told why the application needs such access when most other applications on the system do not. Is it legitimate, or is the application spying on me, is this for some kind of "remote software disable" functionality? All that the prompt does is make me worry.

(This is probably more of an indication of the low level of trust in Windows software downloaded from the internet than of the quality of the firewall, but it shows that the firewall interface does not match the problem space well.)

Mirek

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
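The thread above argues about the "speed bump" case: a service that is bound to a port while the firewall still filters it, which is either the intended safety margin or the reason "it doesn't work" until someone remembers the firewall. The following is an added example, not code from the Fedora project or from any participant in the thread. It cross-checks listening TCP sockets against a host firewall allow-list so an administrator can see which listeners are loopback-only, which are actually reachable, and which are bound but filtered. The `ss -ltn`-style text and the `ALLOWED_PORTS` set are constructed for this example; on a real host one would feed it the output of `ss -ltn` and the set of TCP ports the firewall permits.

```python
"""Cross-check listening TCP sockets against a host firewall allow-list.

Added illustration; not code from the Fedora project or any thread participant.
Input is constructed `ss -ltn`-style text and a constructed allowed-port set
(assumptions made up for this example, not a real capture).
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample shaped like `ss -ltn` output (not a real capture).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       128     [::1]:25             [::]:*
LISTEN  0       50      192.168.1.10:5900    0.0.0.0:*
"""

# Constructed allow-list: TCP ports the host firewall lets through.
ALLOWED_PORTS = {22}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    def is_loopback(self) -> bool:
        # Wildcard binds are reachable on every interface, never loopback-only.
        if self.address in ("*", "0.0.0.0", "::"):
            return False
        return ipaddress.ip_address(self.address).is_loopback


# "Local Address:Port" field: either [v6]:port or v4-or-wildcard:port.
_LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")


def parse_ss(text: str) -> list[Listener]:
    """Extract (address, port) for every LISTEN row; skip the header and junk."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = _LOCAL_RE.match(fields[3])
        if not m:
            continue
        addr = m.group("v6") or m.group("v4")
        listeners.append(Listener(addr, int(m.group("port"))))
    return listeners


def classify(listeners: list[Listener], allowed_ports: set[int]) -> dict[str, list[Listener]]:
    """Sort listeners into the three situations the thread is arguing about."""
    result: dict[str, list[Listener]] = {"loopback": [], "exposed": [], "blocked": []}
    for lst in listeners:
        if lst.is_loopback():
            # Not reachable from the network at all; the firewall is irrelevant here.
            result["loopback"].append(lst)
        elif lst.port in allowed_ports:
            # Bound and permitted: this is what the network can actually reach.
            result["exposed"].append(lst)
        else:
            # Bound but filtered: the "speed bump", and the usual source of
            # "I enabled the service and it does not work".
            result["blocked"].append(lst)
    return result


if __name__ == "__main__":
    for state, items in classify(parse_ss(SS_OUTPUT), ALLOWED_PORTS).items():
        for lst in items:
            print(f"{state:8} {lst.address}:{lst.port}")
```

The "blocked" list is the one worth reviewing after enabling a service: each entry is either a port that should be opened deliberately or a service that should not have been started with a wildcard bind in the first place. The parser only handles the `ss -ltn` column layout shown; with `-p` or other options the columns shift and the field index would need adjusting, and UDP listeners are not covered.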