On Thu, 2004-04-22 at 19:24, Havoc Pennington wrote:
On Thu, 2004-04-22 at 16:50, jludwig wrote:
> This would also be what I would like to see. For example, every time I
> upgrade or load a system I get the "out of the box" firewall rules
> without any other option. This is fine for average desktops and newbees,
> but causes my extra configuration work.
I don't think more installer options will happen - everyone is very in
favor of kicking that stuff to firstboot or to config tools post-boot.
I'd like to see the firewall screen removed from anaconda. The
installer would then disallow all incoming traffic by default with the
possible exception of ssh. Then move the firewall screen to firstboot
so that if the system is ever compromised, it's because the user
specifically chose to open something up. We should try to be secure by
default.
Having said that, I think we could improve the firewall screen a bit.
Users moving over from Windows have no idea what "SSH" or "SMTP"
connections are or why they would want to enable them. Other services
in the list like "Telnet" should probably be removed since no one in
their right mind should use telnet anymore.
Of course, kickstart will still be there for people who have highly
customized configurations and need to roll them out to multiple
machines.
Cheers,
Brent
If you want to avoid manually configuring systems, what you want is
kickstart.
For the firewall example specifically, there's no real reason firewalls
on most systems should even _require_ configuration - we know what
services are up, we should open those ports and close the other ports.
On a desktop, that probably means everything is closed. If someone
starts a service, the initscript or whatever can open the port.
If you don't want a port open, stop the service.
Yes, some services can serve both local and remote users. Let those two
aspects be started and stopped separately. "[ ] Receive print jobs from
this machine" "[ ] Receive print jobs from other machines" - if both are
unchecked, no print daemon starts.
But of course leave the config file, so if you really want some other
firewall config, or are setting up a machine whose purpose is to be a
firewall, rather than to be firewalled, you can create that config.
And there might be a GUI for creating a custom firewall, covering common
use-cases for that.
Havoc