On Mon, Dec 06, 2010 at 11:00:53AM -0800, Jesse Keating wrote:
> On 12/06/2010 10:07 AM, Miloslav Trmač wrote:
>> Richard W.M. Jones píše v Po 06. 12. 2010 v 18:04 +0000:
>>> On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
>>>> On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
>>>>> On most desktop systems firewall is not needed. Many users do not even
>>>>> know how to configure it. In fact I disable it in most of my systems,
>>>>> because there is no real use for it. So I asked a simple question
>>>>> whether there is a need to install iptables by default?
>>>>>
>>>>> Your answer is not satisfactory for me - because not configured
>>>>> firewall has nothing to do with security. In fact, it can only bring
>>>>> false sense of security.
>>>>
>>>> I believe the default is to block incoming connections except for a few
>>>> services. This is good if you are running a sloppily written
>>>> single-user server that binds to the wildcard address. The Haskell
>>>> Scion server fell in this category as of August 2009; I didn't look to
>>>> see what a remote user might be able to do to me by connecting to it.
>>>> Yes, the proper way to avoid problems is to bind to localhost, but the
>>>> firewall can be nice.
>>>
>>> It would be nice if the firewall automatically followed services that
>>> I have enabled and disabled. eg. If I explicitly enable the
>>> webserver, it should open the corresponding port(s).
>> Just disable the firewall and you'll get pretty much equivalent
>> functionality.
>> Mirek
>>
> Right, I always struggle with this. If you allow services that bind to
> a port once enabled to have the port open, then what good does it do to
> have the port closed?
> I really wonder what real purpose a firewall serves on these machines.
> Once you get past the "ZOMG WE NEED A FIREWALL"....
> I can somewhat see a firewall trying to protect a system from a user
> process that got launched without the user being aware and binding to a
> high port for nefarious reasons, but how do you balance that with the
> legitimate applications that bind to high ports?
The other benefit would be if the user only intended the
service to be accessible to localhost, or a UNIX domain
socket but for some reason screwed up their service's
config & opened it to the world.
Daniel
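The two cases the thread separates (a port the firewall deliberately opens for an enabled service, where the firewall adds nothing, versus a listener that ended up on the wildcard address by mistake, where a default-deny firewall is the only thing in the way) can be made concrete with a small audit script. The following is an added example, not code from the thread or from Fedora; it parses `ss -ltn`-style output (the sample text below is constructed, not captured from a real host) and classifies each listener by whether it is loopback-only, exposed through a deliberately opened firewall port, or reachable only because the firewall is closed. The set of "open" ports is an assumed stand-in for whatever the host's firewall policy actually permits.

```python
"""Classify listening sockets by network exposure.

Added example: parses the Local Address:Port column of `ss -ltn` output
and checks each listener against a simple port-based firewall policy.
The sample output and the open-port set below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in the layout `ss -ltn` prints (not a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*
LISTEN  0       128      127.0.0.1:631        0.0.0.0:*
LISTEN  0       50       *:8080               *:*
LISTEN  0       128      [::]:80              [::]:*
LISTEN  0       128      [::1]:25             [::]:*
"""

# Assumed firewall policy: the ports the admin chose to open for enabled services.
FIREWALL_OPEN_PORTS = {22, 80}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int


def parse_ss_listeners(text: str) -> list[Listener]:
    """Return one Listener per LISTEN row; header and other rows are skipped."""
    listeners: list[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 literals like "[::]" intact and splits off the port.
        addr, _, port = fields[3].rpartition(":")
        listeners.append(Listener(addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for sockets only reachable from the local machine."""
    return addr.startswith("127.") or addr in {"[::1]", "::1"}


def classify(listeners: list[Listener], open_ports: set[int]) -> dict[Listener, str]:
    """Map each listener to one of three verdicts.

    local-only           bound to loopback; the firewall is irrelevant.
    exposed              reachable from the network AND the firewall opens
                         the port, so the firewall adds nothing here.
    blocked-by-firewall  reachable from the network but the firewall does
                         not open the port; this is the misconfigured-service
                         case where a default-deny policy actually helps.
    """
    verdicts: dict[Listener, str] = {}
    for lst in listeners:
        if is_loopback(lst.address):
            verdicts[lst] = "local-only"
        elif lst.port in open_ports:
            verdicts[lst] = "exposed"
        else:
            verdicts[lst] = "blocked-by-firewall"
    return verdicts


def unexpected_wildcard_listeners(text: str, open_ports: set[int]) -> list[int]:
    """Ports that are network-reachable only because the firewall is in the way.

    A non-empty result is the signal to check the service's bind address
    rather than to open the port.
    """
    verdicts = classify(parse_ss_listeners(text), open_ports)
    return sorted(l.port for l, v in verdicts.items() if v == "blocked-by-firewall")


if __name__ == "__main__":
    for listener, verdict in classify(parse_ss_listeners(SAMPLE_SS), FIREWALL_OPEN_PORTS).items():
        print(f"{listener.address}:{listener.port:<6} {verdict}")
    print("review bind address for ports:", unexpected_wildcard_listeners(SAMPLE_SS, FIREWALL_OPEN_PORTS))
```

Run against real `ss -ltn` output piped into `parse_ss_listeners`, the "blocked-by-firewall" list is the set of services Daniel's last paragraph describes: listeners that should have been loopback-only but were not, and for which the firewall is currently the only control. The "exposed" list is Jesse's point: every port the firewall follows an enabled service into is a port the firewall no longer protects.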