firewall configuring

lee lee at yun.yagibdah.de
Wed Nov 14 17:32:12 UTC 2012


Tim <ignored_mailbox at yahoo.com.au> writes:

> Allegedly, on or about 14 November 2012, lee sent:
>> They are saying on the web page that it has the advantages of not
>> unloading the modules and being able to change FW configuration
>> without interrupting connections and while keeping the firewall up.
>> I've never had problems with that on Debian
>
> Nor I with Fedora.  I used to change rules while testing things; I don't
> recall connections being broken when I did that.

I haven't done any testing about it --- connections were not interrupted
on Debian, and I can't tell for Fedora yet.

>> A constantly running daemon that can quietly modify firewall rules
>> looks like a nice tool for creating security problems.
>
> Especially if controlled by applications, rather than the user.  It's
> for reasons like that, that I always disallowed UPnP in modem/routers.
> Allowing applications, especially on Windows, to just do what they
> wanted with the firewall negated the concept of having one.

Mmhm --- and with firewall rules, it likely won't show up unless you
actually check and monitor something like the output of 'iptables
--list'.  So upgrading the firewalling on Fedora will mean downgrading
on security, which is counterproductive.

>> FTP isn't using random ports.  It's using two ports, and firewalls
>> need to be set up correctly to deal with that.  There's a kernel
>> module for this very purpose.
>
> There are two modes of FTP, active and passive.  With one of them, the
> traditional method of using FTP, the second connection was on a random
> port.  Sometimes you have to use a server that only works that way, and
> it can be a right pain.

Some routers have trouble with it ...

> I haven't used Shorewall, so I can't comment on its behaviour.

With Shorewall, I've only been running an FTP server over SSH, and it
just worked with opening the appropriate SSH port.  I couldn't find out
what actually happened in the background and was worried if the
connection on one of the ports won't be encrypted or if everything goes
over the same port in that case ...


-- 
Fedora 17
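
The point above, that a rule quietly added by a daemon or application only shows up if you actually compare the output of `iptables --list` (or `iptables-save`) against what you expect, suggests a simple baseline check. The following is an added example, not code from the thread or from Fedora: it normalizes two iptables-save dumps (comments and packet counters stripped) and reports rules that appeared or disappeared relative to a saved baseline. The sample dumps and the port 5000 rule are constructed, and `live_dump()` is the hypothetical hook for reading the real rule set.

```python
import re
import subprocess

def normalize(dump):
    """Reduce iptables-save output to a set of 'table rule' strings; comments,
    COMMIT lines and packet/byte counters are dropped so only policy changes diff."""
    rules = set()
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):          # '*filter', '*nat', ...
            table = line[1:]
            continue
        if line.startswith(":"):          # ':INPUT DROP [12:3456]' -> keep name and policy
            line = re.sub(r"\s*\[\d+:\d+\]$", "", line)
        rules.add("%s %s" % (table, line))
    return rules

def diff_rules(baseline, current):
    """Return (added, removed) relative to baseline. A set diff will not flag
    a pure reordering of existing rules; compare the lists if that matters."""
    base, cur = normalize(baseline), normalize(current)
    return sorted(cur - base), sorted(base - cur)

def live_dump():
    """Fetch the running rule set; needs root and iptables-save on PATH (hypothetical hook)."""
    return subprocess.run(["iptables-save"], capture_output=True,
                          text=True, check=True).stdout

# Constructed sample dumps: CURRENT has the same policy as BASELINE (only the
# counters moved) plus one rule some application inserted behind the admin's back.
BASELINE = """\
# Generated by iptables-save v1.4.14 on Wed Nov 14 17:00:00 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""
CURRENT = BASELINE.replace("[0:0]", "[812:65133]").replace(
    "COMMIT", "-A INPUT -p tcp -m tcp --dport 5000 -j ACCEPT\nCOMMIT")

if __name__ == "__main__":  # on a real host, swap CURRENT for live_dump()
    added, removed = diff_rules(BASELINE, CURRENT)
    print("added:", added)
    print("removed:", removed)
```

Run it from cron against a baseline saved right after you last edited the rules, and any rule that a daemon slipped in shows up as "added" instead of staying invisible.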