Eric H. Christensen wrote:

> What are you trying to protect yourself from, exactly?

Me? Other than address translation (a necessary evil) I use packet filters mostly to restrain crazy programs that open listening sockets for unknown reasons even though I don't use them for any kind of communication. There was for example some kind of Gnome daemon that popped up and started listening on an RTSP port just because I was playing music from the local disk through the local loudspeakers. Such behaviour is equally crazy on all networks, so I don't need firewall zones for that. Better ask those who think they need "home" and "work" zones what they're trying to achieve.

>> This difference may be temporary though. Sooner or later ISPs will be
>> forced to start providing IPv6 to customers, and then NAT will no
>> longer function as a firewall.
>
> NAT was never really supposed to be a security feature.

That's not its primary purpose, no, but not having a public IP address is in practice much like being behind a really zealous firewall that only allows outgoing connections. People rely on that when they use naïve protocols at home, for example unencrypted or passwordless file and printer sharing protocols.

> IPv6 really isn't the problem.

I agree.

>> link-layer encryption like WPA2 won't protect anything anymore
>
> What do you think WPA2 protects against? It has never protected
> against anything but decoding of intercepted packets across the
> wireless link.

As far as I know it's also supposed to prevent active attacks, not just passive eavesdropping. The underlying assumption is that your local wired network is protected by a firewall plus physical walls and locked doors, and that you have something insecure on your network that needs that protection. Then when you add a wireless link you have to prevent others from connecting to it and attacking your insecure stuff. That's what WPA2 is for.

But if your firewall is just a side effect of your NAT, and IPv6 makes NAT obsolete, then your insecure stuff is no longer protected.

>> ...and then
>> protocols designed for an isolated friendly network will be equally
>> insecure on both wired and wireless networks.
>
> Then you probably shouldn't be using protocols designed for an
> isolated friendly network. If you do then you probably deserve what
> happens to you as there is rarely such a thing as an "isolated
> friendly network".

And I don't use those protocols, but other people apparently do. Why else would there be a need for WPA2 or firewall zones?

-- 
Björn Persson

Sent from my computer.
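The message above makes two practical points: daemons open listening sockets you did not ask for, and once a host has a public (IPv6) address there is no accidental NAT "firewall" in front of them. The following added example (not code from the thread or from Fedora; the function names and the sample rows are constructed) reads the kernel's /proc/net/tcp-style socket table and reports every LISTEN socket that is not bound to loopback, i.e. exactly the sockets such a host would expose.

```python
"""Find listening TCP sockets reachable from the network by reading
/proc/net/tcp and /proc/net/tcp6 (hypothetical audit helper, not from the thread)."""
import ipaddress

LISTEN = "0A"  # TCP state code the kernel uses for LISTEN in /proc/net/tcp*

def decode_proc_addr(hex_ip):
    """Decode the hex address column of /proc/net/tcp{,6}. The kernel prints
    each 32-bit word in host byte order; this assumes a little-endian host
    (x86), which is the layout the constructed rows below use."""
    raw = b"".join(int(hex_ip[i:i + 8], 16).to_bytes(4, "little")
                   for i in range(0, len(hex_ip), 8))
    return ipaddress.ip_address(raw)

def exposed_listeners(table_text):
    """Return sorted (port, address, uid) triples for LISTEN sockets bound to
    anything other than a loopback address: the sockets a host without NAT or
    a stateful firewall in front of it would expose to the network."""
    found = []
    for line in table_text.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue                                # not a listening socket
        hex_ip, hex_port = fields[1].split(":")
        addr = decode_proc_addr(hex_ip)
        if addr.is_loopback:
            continue                                # only local clients can reach it
        found.append((int(hex_port, 16), str(addr), int(fields[7])))
    return sorted(found)

# Constructed sample in /proc/net/tcp6 layout: [::1]:631 (loopback only),
# [::]:554 (wildcard bind, an RTSP-style listener reachable on every interface)
# and one ESTABLISHED connection that is not a listener at all.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000000000000:022A 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0000000000000000FFFF00000100007F:C3A0 0000000000000000FFFF0000C0A80101:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for port, addr, uid in exposed_listeners(SAMPLE_TCP6):
        print(f"exposed listener: [{addr}]:{port} (uid {uid})")
```

On a live Linux host, pass the contents of /proc/net/tcp and /proc/net/tcp6 to exposed_listeners instead of the sample; anything it lists is what a packet filter (rather than the absence of a public address) has to cover.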
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct