On Mon, Dec 06, 2010 at 11:00:53AM -0800, Jesse Keating wrote:
> On 12/06/2010 10:07 AM, Miloslav Trmač wrote:
> > Richard W.M. Jones writes on Mon 06. 12. 2010 at 18:04 +0000:
> >> On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
> >>> On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
> >>>> On most desktop systems a firewall is not needed. Many users do not even
> >>>> know how to configure it. In fact I disable it in most of my systems,
> >>>> because there is no real use for it. So I asked a simple question
> >>>> whether there is a need to install iptables by default?
> >>>>
> >>>> Your answer is not satisfactory for me - because an unconfigured
> >>>> firewall has nothing to do with security. In fact, it can only bring
> >>>> a false sense of security.
> >>>
> >>> I believe the default is to block incoming connections except for a few
> >>> services. This is good if you are running a sloppily written
> >>> single-user server that binds to the wildcard address. The Haskell
> >>> Scion server fell in this category as of August 2009; I didn't look to
> >>> see what a remote user might be able to do to me by connecting to it.
> >>> Yes, the proper way to avoid problems is to bind to localhost, but the
> >>> firewall can be nice.
> >>
> >> It would be nice if the firewall automatically followed services that
> >> I have enabled and disabled. e.g. If I explicitly enable the
> >> webserver, it should open the corresponding port(s).
> > Just disable the firewall and you'll get pretty much equivalent
> > functionality.
> > Mirek
> >
>
> Right, I always struggle with this. If you allow services that bind to
> a port once enabled to have the port open, then what good does it do to
> have the port closed?
>
> I really wonder what real purpose a firewall serves on these machines.
> Once you get past the "ZOMG WE NEED A FIREWALL"....
>
> I can somewhat see a firewall trying to protect a system from a user
> process that got launched without the user being aware and binding to a
> high port for nefarious reasons, but how do you balance that with the
> legitimate applications that bind to high ports?

There is one other point worth remembering wrt IPv6 autoconfig. A naive
admin might only be thinking in terms of IPv4 when configuring services
on their machine. With IPv6 autoconfig, any Fedora host will
automatically obtain a globally routable IPv6 address & connectivity when
receiving a router advertisement on the local LAN. Thus any services that
were bound to the wildcard address would immediately become reachable
over IPv6.

This probably isn't a huge problem, since if the admin has already enabled
public access over IPv4 they've likely performed suitable security setup
for the service. It could be a problem though if they've done something
crazy like "use auth scheme X for IPs in range A, and auth scheme Y for
IPs in range B" and not considered what auth scheme was required for
other ranges, or non-IPv4 addresses.

An IPv6 firewall enabled by default would require admins to take explicit
steps to expose the services, even when the machine was automagically
obtaining IPv6 connectivity without admin interaction.

Regards,
Daniel

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
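The two failure modes Daniel describes, as an added example that is not part of this thread or of any Fedora tooling: a scan for wildcard-bound listeners over constructed `ss -ltn` output, and a per-range auth policy written with only IPv4 in mind next to one that also names the host's IPv6 prefix. The sample output, prefixes and scheme names are all constructed.

```python
import ipaddress

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      5      *:8080              *:*
"""

def wildcard_listeners(ss_output):
    """Return (address, port) pairs bound to a wildcard address."""
    # Such sockets are reachable on every address the host acquires,
    # including an autoconfigured global IPv6 one.
    found = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, _, port = cols[3].rpartition(":")
        addr = addr.strip("[]")
        if addr in ("0.0.0.0", "::", "*"):
            found.append((addr, int(port)))
    return found

# Constructed policy written with only IPv4 in mind: scheme X for range A,
# scheme Y for range B, and nothing said about any other address.
IPV4_ONLY_POLICY = [
    (ipaddress.ip_network("192.0.2.0/24"), "scheme-X"),
    (ipaddress.ip_network("198.51.100.0/24"), "scheme-Y"),
]

# Same policy with an explicit rule for the host's (constructed) IPv6 prefix.
DUAL_STACK_POLICY = IPV4_ONLY_POLICY + [
    (ipaddress.ip_network("2001:db8:1::/64"), "scheme-X"),
]

def auth_scheme_for(client_ip, policy, default="deny"):
    """Pick the auth scheme for a client; unmatched addresses get `default`."""
    addr = ipaddress.ip_address(client_ip)
    # A service bound to :: sees IPv4 peers as IPv4-mapped IPv6 addresses;
    # unwrap them so the IPv4 rules still apply.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for net, scheme in policy:
        if addr.version == net.version and addr in net:
            return scheme
    return default
```

With `default="allow"`, the IPv4-only policy silently admits a client arriving from the autoconfigured IPv6 address, which is exactly the unconsidered range; a deny default or an explicit IPv6 rule closes that gap.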