On 12/06/2010 11:34 AM, Miloslav Trmač wrote:
> Jesse Keating wrote on Mon 06. 12. 2010 at 11:14 -0800:
>> On 12/06/2010 11:09 AM, Miloslav Trmač wrote:
>>> Jesse Keating wrote on Mon 06. 12. 2010 at 11:00 -0800:
>>>> Right, I always struggle with this. If you allow services that bind to
>>>> a port once enabled to have the port open, then what good does it do to
>>>> have the port closed?
>>>>
>>>> I really wonder what real purpose a firewall serves on these machines.
>>>> Once you get past the "ZOMG WE NEED A FIREWALL"....
>>>
>>> I can see the following primary reasons to have a firewall:
>>>
>>> * Enforcing a sysadmin-set (system-wide or site-wide) policy.
>>>
>>> "No, you will not run any bittorrent client on the company's
>>> computer".
>>
>> That's an excellent reason for being able to deploy a firewall. Not
>> really sure this is a good reason for having a firewall configured by
>> default on personal installs.
> It's not, but we don't really have "personal installs"; any system can
> be a desktop, a server, or both at the same time.
I generally think of somebody going through the graphical installer as
being a personal install. Kickstarts are different. And if the person
is a sysadmin installing a server manually via the graphical installer,
I'm sure they can turn on / configure the firewall as needed.
>>> * A "speed bump" that requires an independent action to prevent
>>> unintentionally opening up a service.
>>>
>>> "You have started $server, and it accepts connections from the
>>> whole internet. Here's your chance to think about this again.
>>> Do you want to open the port?"
>>
>> Yet we don't have that kind of UI present. So instead now we have
>> people trying to turn on services, having it not work, and spending time
>> / energy fiddling with config files before they finally realize it was
>> the firewall.
> For "server" applications, I don't think this is a big problem: If the
> user has been able to find and edit httpd.conf, they can also learn
> about the firewall.
> For "desktop" users, what kind of services are we talking about?
> gnome-user-share? Will a "desktop" user know about this concept, or just
> send the data over e-mail or IM?
> SIP? Desktop sharing? An incoming connection won't be able to come
> through the ADSL modem's NAT anyway, so some kind of tunneling or an
> external service broker (which turns the connection from incoming into
> outgoing, enabled by default) is needed.
> It may be just me, but I really can't remember a single example when the
> firewall has broken something for me, at least in the last 10 years.
Bittorrent, network games, zero conf come to mind.
>> Then they just turn it off and grumble. At least the
>> other OS gives you a pop up to let some service through, although there
>> are problems with that too.
> My experience with the Windows prompts is absolutely horrible - I
> started an application and I was asked "do you want this to bypass the
> firewall" - I know that if I deny the request, the application will
> probably not work, but I'm never told why the application needs such
> access when most other applications on the system do not. Is it
> legitimate, or is the application spying on me, is this for some kind of
> "remote software disable" functionality? All that the prompt does is
> make me worry. (This is probably more of an indication of the low level
> of trust in Windows software downloaded from the internet than of the
> quality of the firewall, but this shows that the firewall interface does
> not match the problem space well.)
> Mirek
At least Windows gives you a popup. On our side not only do we not know
why apps are trying to bind to network ports, we don't even know which
ones are trying! We seem to not trust /anything/ even though we
installed it!
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca:
http://identi.ca/jkeating
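Jesse's closing complaint (we don't even know which applications are trying to bind to network ports) and Mirek's "speed bump" both come down to visibility: which services are listening on a non-loopback address, and does the firewall actually expose those ports? The script below is an added example, not code from this thread or from Fedora. It parses text in the Linux /proc/net/tcp layout (a constructed sample is embedded; on a real host you would read the file itself), keeps the sockets in LISTEN state, and sorts them into loopback-only, allowed by the firewall, or listening on all interfaces but blocked. The allow-list `{22}` is an assumption standing in for whatever the host's firewall opens.

```python
"""Audit listening TCP sockets against a firewall allow-list.

Reads lines in the /proc/net/tcp format and reports services that listen on
a non-loopback address while the firewall does not open their port: exactly
the "it just doesn't work" cases the thread describes.
"""
import socket
import struct

LISTEN = "0A"  # TCP_LISTEN as it appears in the 'st' column of /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# sshd on 0.0.0.0:22, cupsd on 127.0.0.1:631, a user daemon on 0.0.0.0:6667,
# and one ESTABLISHED outgoing connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A000005:C350 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(hex_endpoint):
    """Turn 'AABBCCDD:PPPP' into ('a.b.c.d', port).

    The kernel prints the IPv4 address as a 32-bit host-order value in hex,
    so on little-endian hosts the bytes are reversed; unpacking as '<I'
    reproduces the original dotted-quad order.
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return [(ip, port, uid)] for every socket in LISTEN state."""
    result = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first row is the header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = decode_endpoint(fields[1])
        result.append((ip, port, int(fields[7])))  # fields[7] is the owning uid
    return result


def audit(proc_net_tcp_text, firewall_open_ports):
    """Classify listeners as loopback-only, allowed by the firewall, or blocked."""
    report = {"loopback": [], "allowed": [], "blocked": []}
    for ip, port, uid in listening_sockets(proc_net_tcp_text):
        if ip.startswith("127."):
            report["loopback"].append((ip, port, uid))  # never reachable from outside
        elif port in firewall_open_ports:
            report["allowed"].append((ip, port, uid))
        else:
            report["blocked"].append((ip, port, uid))  # the silent-failure case
    return report


if __name__ == "__main__":
    # Assumed allow-list (hypothetical): the firewall only exposes ssh.
    report = audit(SAMPLE_PROC_NET_TCP, {22})
    for ip, port, uid in report["blocked"]:
        print(f"uid {uid} listens on {ip}:{port} but the firewall does not open it")
```

To run it against a live Linux host, replace `SAMPLE_PROC_NET_TCP` with the contents of `/proc/net/tcp` (and `/proc/net/tcp6` for IPv6, whose 128-bit addresses need a different decoder) and fill the allow-list from the firewall's own configuration. Mapping the inode column back to a process is what `ss -ltnp` does; that step is left out here to keep the example file-only.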