Callum Lerwick wrote:
Why do we need a firewall when you can easily prevent services from
being accessed...just stop the service! Don't bind to the port, and
it won't be possible to connect to it.
Yes, the correct thing to do for local security is to use something like
selinux to prevent things from binding to interfaces/ports they
shouldn't be binding to in the first place.
But what you usually want to control are the ranges of
source/destination addresses that are permitted.
Using iptables for this is a
completely unsustainable hack. iptables firewalling is for machines that
route packets to other machines.
Unsustainable? But it is what you need to do, not kill functionality
completely.
Unfortunately, for some reason network devices are exempt from the
"everything is a file" architecture and thus don't receive the benefit of
the pre-existing filesystem access control architecture.
Yes, this seems like a bizarre design decision in Linux but
realistically, everything needs network access to be useful at all these
days and what you need to control is where on the network something
can/can't connect.
--
Les Mikesell
lesmikesell@xxxxxxxxx
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list