Firewall and user services that need open ports

Andrew Farris lordmorgul at gmail.com
Mon Jun 23 17:48:11 UTC 2008


Chuck Anderson wrote:
> On Mon, Jun 23, 2008 at 11:17:25AM -0500, Bruno Wolff III wrote:
>> On Sun, Jun 22, 2008 at 16:53:10 -0400,
>>   Chuck Anderson <cra at WPI.EDU> wrote:
>>> Why do we need a firewall when you can easily prevent services from 
>>> being accessed...just stop the service!  Don't bind to the port, and 
>>> it won't be possible to connect to it.
>> Because there are network services that you only want accessible locally.
> 
> Right, but the default firewall rules don't do that.  By default maybe 
> the firewall should be off.

Or maybe the default firewall rules shouldn't be wide open, but should be local 
instead... with the understanding that most people who do not know how to 
effectively change their firewall ruleset are going to be working in a small 
home network.

I wouldn't argue the default firewall rules are perfect, but turning it off 
doesn't help anything at all.  You say it's just as good to turn the services 
off... but it's not.  The firewall is a layer of protection in place if the 
service is started unintentionally, or if a breach takes place and an open port 
is hijacked for unintended purposes.  Yes SELinux handles that, but with the 
popularity of turning that off after install (still lots of people seem to do 
that) the firewall is still a useful protection.

And the firewall also gives you traffic control and stateful packet inspection 
which is valuable in itself; any running service should have SPI protecting it 
whether it's supposed to be open to the world or just local.  Just preventing 
ports from getting bound is not the same.

-- 
Andrew Farris <lordmorgul at gmail.com> www.lordmorgul.net
  gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB  5BD5 5F89 8E1B 8300 BF29
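The "local instead of wide open" default Andrew argues for above, expressed as an iptables ruleset in iptables-restore format. This is an added example and is not code from the original post or from Fedora's firewall tooling; the LAN prefix 192.168.1.0/24 and the port list passed on the command line are assumptions for illustration. The script generates the ruleset rather than loading it, so it can be inspected (and checked) before it is applied as root with `iptables-restore`.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a "local only"
# iptables ruleset for the filter table. LAN_CIDR and the port list are
# assumptions supplied by the caller (e.g. 192.168.1.0/24 22 631).
#
# gen_ruleset LAN_CIDR PORT [PORT...]
#   - loopback is accepted, so daemons bound to 127.0.0.1 keep working
#   - stateful inspection: replies to connections this host opened are
#     accepted, and packets conntrack cannot place (INVALID) are dropped
#   - each listed TCP port accepts NEW connections only from LAN_CIDR
#   - everything else is rejected, so a service started by mistake, or a
#     listener hijacked after a breach, is still unreachable from outside
#     the LAN even though the port is bound
gen_ruleset() {
    lan="$1"; shift
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' \
            "-A INPUT -s $lan -m state --state NEW -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# Sanity check on the generated ruleset: count port rules that ACCEPT
# without a source restriction. For a "local only" policy this must be 0.
unrestricted_port_rules() {
    gen_ruleset "$@" | grep -- '--dport' | grep -v -- ' -s ' | wc -l | tr -d ' '
}

# Number of port rules emitted (one per port argument).
port_rule_count() {
    gen_ruleset "$@" | grep -- '--dport' | wc -l | tr -d ' '
}

# Stand-alone use: print the ruleset for review, then apply it with
#   sh this_script.sh 192.168.1.0/24 22 631 > local-only.rules
#   iptables-restore < local-only.rules      # as root
if [ "$#" -ge 1 ]; then
    gen_ruleset "$@"
fi
```

The `ESTABLISHED,RELATED` and `INVALID` rules are the stateful-inspection part: they apply to every service on the host, whether it is meant to be reachable from the LAN or only over loopback, which is the protection that simply not binding a port cannot give.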