<div dir="ltr"><div>Hello,<br></div>Just some clarifications so that we are all on the same page; those don't significantly affect the larger discussion though...<br><div><br><div><div class="gmail_extra"><div class="gmail_quote">
2014-04-15 17:40 GMT+02:00 Andrew Lutomirski <span dir="ltr"><<a href="mailto:luto@mit.edu" target="_blank">luto@mit.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Can someone explain what threat is effectively mitigated by a firewall<br>
on a workstation machine? Here are some bad answers:<br></blockquote><div><snip><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
- WebRTC, VOIP, etc. issues? These use NAT traversal techniques that<br>
are specifically designed to prevent your firewall from operating as<br>
intended.<br></blockquote><div><br></div><div>That's imprecise; NAT traversal techniques are designed to allow a <i>specific</i> counterparty through the firewall, not everyone on the Internet like disabling the firewall would do. <br>
<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
- DLNA / Chromecast / whatever: wouldn't it be a lot more sensible<br>
for these things to be off until specifically requested?</blockquote><div>That would be about equivalent to controlling them only via a firewall. <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Who actually<br>
uses a so-called "zone" UI correctly to configure them?</blockquote><div><br></div><div>"Who actually uses any other UI correctly to configure sharing zones?"—nobody because there apparently isn't any. Firewalld has a zone implementation that can be improved upon.<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> How about<br>
having an API where things like DLNA can simply not run until you're<br>
connected to your home network?<br></blockquote><div><br>Firewalld has a zone implementation that can be improved upon.<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Also, having a firewall on exposes you to a huge attack surface in<br>
iptables, and it doesn't protect against attacks targeting the<br>
kernel's IP stack.<br></blockquote><div><br></div><div><i>Nothing</i> will ever protect you against attacks targetting the kernel's IP sack, that's a strawman. And the entire premise of a firewall is that the attack surface of the firewall (iptables in this case) is smaller than the attack premise of applications behind; intuitively it's very likely to be true, and AFAICT it's also been true historically.<br>
</div></div> Mirek<br></div></div></div></div>