Firewall

Daniel P. Berrange berrange at redhat.com
Mon Dec 6 19:05:53 UTC 2010


On Mon, Dec 06, 2010 at 11:00:53AM -0800, Jesse Keating wrote:
> On 12/06/2010 10:07 AM, Miloslav Trmač wrote:
> > Richard W.M. Jones wrote on Mon 06. 12. 2010 at 18:04 +0000:
> >> On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
> >>> On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote: 
> >>>> On most desktop systems a firewall is not needed. Many users do not even
> >>>> know how to configure it. In fact I disable it in most of my systems,
> >>>> because there is no real use for it. So I asked a simple question
> >>>> whether there is a need to install iptables by default?
> >>>>
> >>>> Your answer is not satisfactory for me - because an unconfigured
> >>>> firewall has nothing to do with security. In fact, it can only bring
> >>>> a false sense of security.
> >>>
> >>> I believe the default is to block incoming connections except for a few
> >>> services.  This is good if you are running a sloppily written
> >>> single-user server that binds to the wildcard address.  The Haskell
> >>> Scion server fell in this category as of August 2009; I didn't look to
> >>> see what a remote user might be able to do to me by connecting to it.
> >>> Yes, the proper way to avoid problems is to bind to localhost, but the
> >>> firewall can be nice.
> >>
> >> It would be nice if the firewall automatically followed services that
> >> I have enabled and disabled.  eg. If I explicitly enable the
> >> webserver, it should open the corresponding port(s).
> > Just disable the firewall and you'll get pretty much equivalent
> > functionality.
> > 	Mirek
> > 
> 
> Right, I always struggle with this.  If you allow services that bind to
> a port once enabled to have the port open, then what good does it do to
> have the port closed?
> 
> I really wonder what real purpose a firewall serves on these machines.
> Once you get past the "ZOMG WE NEED A FIREWALL"....
> 
> I can somewhat see a firewall trying to protect a system from a user
> process that got launched without the user being aware and binding to a
> high port for nefarious reasons, but how do you balance that with the
> legitimate applications that bind to high ports?

The other benefit would be if the user only intended the
service to be accessible to localhost, or a UNIX domain
socket but for some reason screwed up their service's
config & opened it to the world.

Daniel
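
Added example, not part of the original message or of any Fedora tool: a check for the case described in this thread, a service meant for localhost that ends up listening on the wildcard address. It parses the Linux /proc/net/tcp format and reports LISTEN sockets not bound to 127.0.0.0/8. The sample table is constructed, the function names are hypothetical, and only IPv4 on a little-endian host is handled (/proc/net/tcp6 is not parsed).

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 33333 1
   3: 0A00000A:A1B2 0B00000A:0016 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1
"""

TCP_LISTEN = 0x0A  # kernel state code for a listening socket


def parse_listeners(table):
    """Yield (ip, port, uid) for every IPv4 socket in LISTEN state."""
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The address is printed as a host-endian 32-bit word, so on a
        # little-endian machine the bytes appear reversed (0100007F = 127.0.0.1).
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        yield ip, int(hex_port, 16), int(fields[7])


def exposed_listeners(table):
    """Return listeners reachable from other hosts (not bound to loopback)."""
    return [(ip, port, uid) for ip, port, uid in parse_listeners(table)
            if not ip.startswith("127.")]


if __name__ == "__main__":
    # On a live Linux system, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for ip, port, uid in exposed_listeners(SAMPLE):
        scope = "all interfaces" if ip == "0.0.0.0" else ip
        print(f"port {port} (uid {uid}) is listening on {scope}")
```

A listener that shows up here but was meant to be local-only is the misconfiguration a default-deny inbound firewall would mask; the fix is still to correct the service's bind address.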

