On 12/06/2010 11:34 AM, Miloslav Trmač wrote:
> Jesse Keating wrote on Mon 06. 12. 2010 at 11:14 -0800:
>> On 12/06/2010 11:09 AM, Miloslav Trmač wrote:
>>> Jesse Keating wrote on Mon 06. 12. 2010 at 11:00 -0800:
>>>> Right, I always struggle with this. If you allow services that bind to
>>>> a port once enabled to have the port open, then what good does it do to
>>>> have the port closed?
>>>>
>>>> I really wonder what real purpose a firewall serves on these machines.
>>>> Once you get past the "ZOMG WE NEED A FIREWALL"....
>>>
>>> I can see the following primary reasons to have a firewall:
>>>
>>> * Enforcing a sysadmin-set (system-wide or site-wide) policy.
>>>
>>> "No, you will not run any bittorrent client on the company's
>>> computer".
>>
>> That's an excellent reason for being able to deploy a firewall. Not
>> really sure this is a good reason for having a firewall configured by
>> default on personal installs.
> It's not, but we don't really have "personal installs"; any system can
> be a desktop, a server, or both at the same time.

I generally think of somebody going through the graphical installer as
being a personal install. Kickstarts are different. And if the person is
a sysadmin installing a server manually via the graphical installer, I'm
sure they can turn on / configure the firewall as needed.

>
>>> * A "speed bump" that requires an independent action to prevent
>>> unintentionally opening up a service.
>>>
>>> "You have started $server, and it accepts connections from the
>>> whole internet. Here's your chance to think about this again.
>>> Do you want to open the port?"
>>
>> Yet we don't have that kind of UI present. So instead now we have
>> people trying to turn on services, having it not work, and spending time
>> / energy fiddling with config files before they finally realize it was
>> the firewall.
> For "server" applications, I don't think this is a big problem: If the
> user has been able to find and edit httpd.conf, they can also learn
> about the firewall.
>
> For "desktop" users, what kind of services are we talking about?
>
> gnome-user-share? Will a "desktop" user know about this concept, or just
> send the data over e-mail or IM?
>
> SIP? Desktop sharing? An incoming connection won't be able to come
> through the ADSL modem's NAT anyway, so some kind of tunneling or an
> external service broker (which turns the connection from incoming into
> outgoing, enabled by default) is needed.
>
> It may be just me, but I really can't remember a single example when the
> firewall has broken something for me, at least in the last 10 years.

Bittorrent, network games, zeroconf come to mind.

>
>> Then they just turn it off and grumble. At least the
>> other OS gives you a pop up to let some service through, although there
>> are problems with that too.
> My experience with the Windows prompts is absolutely horrible - I
> started an application and I was asked "do you want this to bypass the
> firewall" - I know that if I deny the request, the application will
> probably not work, but I'm never told why the application needs such
> access when most other applications on the system do not. Is it
> legitimate, or is the application spying on me, is this for some kind of
> "remote software disable" functionality? All that the prompt does is
> make me worry. (This is probably more of an indication of the low level
> of trust in Windows software downloaded from the internet than of the
> quality of the firewall, but this shows that the firewall interface does
> not match the problem space well.)
> Mirek
>

At least Windows gives you a popup. On our side not only do we not know
why apps are trying to bind to network ports, we don't even know which
ones are trying! We seem to not trust /anything/ even though we installed
it!

-- 
Jesse Keating
Fedora -- Freedom is a feature!
identi.ca: http://identi.ca/jkeating

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
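The complaint above is that a service can be bound to a port while the firewall silently drops the traffic, and nobody knows which processes are in that state. The following is an added example (not code from the thread or from Fedora) that cross-checks listening sockets, parsed from a constructed `ss -ltnp` sample, against the set of TCP ports the firewall permits (assumed to be known from the firewall configuration), and labels each listener as local-only, open, or bound-but-blocked.

```python
"""Audit listening TCP sockets against the firewall's permitted ports."""
import re
from ipaddress import ip_address

# Constructed sample of `ss -ltnp` output; not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("httpd",pid=1410,fd=4))
LISTEN 0      50     127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
LISTEN 0      128    [::]:6881          [::]:*            users:(("transmission-gtk",pid=2201,fd=12))
"""

# One LISTEN row: local address and port, peer address, then the first process name.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_ss(text):
    """Return (process, local_address, port) for each LISTEN line in `ss -ltnp` output."""
    listeners = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            addr, port, proc = match.groups()
            listeners.append((proc, addr.strip('[]'), int(port)))
    return listeners


def classify(listeners, allowed_ports):
    """Map (process, port) to 'local', 'open' or 'blocked'.

    'local'   - bound to loopback only; no firewall rule is needed.
    'open'    - bound to a non-loopback address and the port is permitted.
    'blocked' - bound to a non-loopback address but filtered by the firewall,
                i.e. the "it doesn't work, must be the firewall" case.
    """
    states = {}
    for proc, addr, port in listeners:
        if ip_address(addr).is_loopback:
            states[(proc, port)] = 'local'
        elif port in allowed_ports:
            states[(proc, port)] = 'open'
        else:
            states[(proc, port)] = 'blocked'
    return states


if __name__ == '__main__':
    # Assumed firewall policy: only SSH and HTTP are permitted inbound.
    for (proc, port), state in sorted(classify(parse_ss(SAMPLE_SS), {22, 80}).items()):
        print(f'{state:8} {proc}:{port}')
```

On a live host, replace SAMPLE_SS with the captured output of `ss -ltnp` and the port set with the rules actually loaded in the firewall.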