What I HATE about F11

Nicolas Mailhot nicolas.mailhot at laposte.net
Tue Jun 16 08:48:36 UTC 2009



On Mon, 15 Jun 2009 20:47, Casey Dahlin wrote:
>
> On 06/14/2009 02:08 PM, Lennart Poettering wrote:
>> Gah. Allowing packages to pierce the firewall just makes the
>> firewall
>> redundant.
>>
>
> Not true. Allowing any listening program to poke a hole in the
> firewall would make it redundant. Packages are different. They're
> signed, vetted things corresponding to real functionality the user
> wants.
>
> The problem that does arise is: just because apache is installed
> doesn't mean its running. Really, init scripts should open the
> firewall ports they need when their service comes up (and I'll propose
> something for upstart 1.0 later today to make that make more sense.)

Very often software makes it a pain to define the networks/interfaces
to talk on (in the case of multiple Internet/LAN/VPN attachment) and
right now it's safer to firewall the Internet-facing ports by default
instead of hunting down all the apps that want to send there (and we
grow new ones every month). Most packages listen/broadcast by default
everywhere, they're *not* safe to allow poking the firewall as-is.

The only system likely to work is for software to tell a trusted app
"I want access to X Y" and only allow this app to manipulate firewall
configuration after an admin vetted it (accept all, refuse all, or
only part of it). And then if part of it is refused apps should
reconfigure themselves to honour the admin decision.

-- 
Nicolas Mailhot
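The broker model sketched in the message above (app asks a trusted component for "X and Y", the admin's stored decision of accept all / refuse all / part of it is applied, and the app then reconfigures itself to use only what was granted), as an added example. This is not Fedora, Upstart or iptables project code; the interface roles, the policy format, the application names and the requests are all constructed for illustration, and the rendered iptables rules are returned as strings rather than executed.

```python
"""Constructed sketch of a firewall broker.

An application declares the (proto, port, interface) triples it would
like to use, the broker applies the administrator's stored decision for
that application, and the application reconfigures its listeners to the
granted subset instead of binding everywhere by default.
"""
from dataclasses import dataclass
from typing import Dict, List, Union

# Constructed example: which interface faces which network.
INTERFACES: Dict[str, str] = {"eth0": "internet", "eth1": "lan", "tun0": "vpn"}


@dataclass(frozen=True)
class Want:
    proto: str   # "tcp" or "udp"
    port: int
    iface: str   # interface the app would like to listen/broadcast on


# Admin decision per application: "accept" (all of it), "refuse" (none of
# it), or an explicit allow-list of Wants (only part of it).
Decision = Union[str, List[Want]]


def vet(app: str, wants: List[Want], policy: Dict[str, Decision]) -> List[Want]:
    """Return the subset of `wants` the administrator approved for `app`.

    An application with no recorded decision gets nothing: the firewall
    stays closed until an administrator has actually looked at the request.
    """
    decision = policy.get(app, "refuse")
    if decision == "accept":
        return list(wants)
    if decision == "refuse":
        return []
    allowed = set(decision)          # partial grant
    return [w for w in wants if w in allowed]


def firewall_rules(granted: List[Want]) -> List[str]:
    """Render approved entries as iptables ACCEPT rules (strings only)."""
    return [
        f"iptables -A INPUT -i {w.iface} -p {w.proto} --dport {w.port} -j ACCEPT"
        for w in granted
    ]


def reconfigure(wants: List[Want], granted: List[Want]) -> Dict[int, List[str]]:
    """Application side: map each port to the interfaces it may bind.

    A port refused on every interface disappears from the result rather
    than falling back to 0.0.0.0, which is the default the broker exists
    to prevent.
    """
    listen: Dict[int, List[str]] = {}
    for w in wants:
        if w in granted:
            listen.setdefault(w.port, []).append(w.iface)
    return listen


def broker(app: str, wants: List[Want], policy: Dict[str, Decision]) -> dict:
    """One round trip: request -> admin decision -> rules + app config."""
    granted = vet(app, wants, policy)
    return {
        "granted": granted,
        "rules": firewall_rules(granted),
        "listen": reconfigure(wants, granted),
    }


# Constructed requests: a web server and a discovery daemon that, left to
# themselves, would listen on every interface.
HTTPD_WANTS = [Want("tcp", 80, i) for i in INTERFACES]
MDNS_WANTS = [Want("udp", 5353, i) for i in INTERFACES]

# Constructed admin policy: httpd may face the LAN and the VPN but not the
# Internet; the discovery daemon is refused outright; sshd is accepted as
# asked; anything unlisted is refused by default.
POLICY: Dict[str, Decision] = {
    "httpd": [Want("tcp", 80, "eth1"), Want("tcp", 80, "tun0")],
    "mdns": "refuse",
    "sshd": "accept",
}

if __name__ == "__main__":
    for app, wants in (("httpd", HTTPD_WANTS), ("mdns", MDNS_WANTS),
                       ("cupsd", [Want("tcp", 631, "eth0")])):
        result = broker(app, wants, POLICY)
        print(app, "listens on", result["listen"])
        for rule in result["rules"]:
            print("  ", rule)
```

The point the example makes is that the decision lives with the administrator, not the package: httpd asked for port 80 on all three interfaces and ends up bound only to eth1 and tun0, the discovery daemon ends up with no sockets at all, and an application nobody has vetted yet (cupsd here) is treated exactly like a refused one.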
