Firewall

Jesse Keating jkeating at redhat.com
Mon Dec 6 19:14:25 UTC 2010


On 12/06/2010 11:09 AM, Miloslav Trmač wrote:
> Jesse Keating writes on Mon 06. 12. 2010 at 11:00 -0800:
>> Right, I always struggle with this.  If you allow services that bind to
>> a port once enabled to have the port open, then what good does it do to
>> have the port closed?
>>
>> I really wonder what real purpose a firewall serves on these machines.
>> Once you get past the "ZOMG WE NEED A FIREWALL"....
> 
> I can see the following primary reasons to have a firewall:
> 
>       * Enforcing a sysadmin-set (system-wide or site-wide) policy.
>         
>         "No, you will not run any bittorrent client on the company's
>         computer".

That's an excellent reason for being able to deploy a firewall.  Not
really sure this is a good reason for having a firewall configured by
default on personal installs.

>         
>       * A "speed bump" that requires an independent action to prevent
>         unintentionally opening up a service.
>         
>         "You have started $server, and it accepts connections from the
>         whole internet.  Here's your chance to think about this again.
>         Do you want to open the port?"

Yet we don't have that kind of UI present.  So instead now we have
people trying to turn on services, having it not work, and spending time
/ energy fiddling with config files before they finally realize it was
the firewall.  Then they just turn it off and grumble.  At least the
other OS gives you a pop up to let some service through, although there
are problems with that too.

>         
>       * ZOMG WE NEED A FIREWALL
>         
>         "I can't use this Linux thing, my bank requires me to run an
>         antivirus and a firewall."

Fair enough, again reasons for being capable of having one, but not
convinced it's needed by default.  (I realize I wasn't making a default
or not argument in my first email)

> 
> Are there other reasons?
> 	Mirek
> 


-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
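The thread's "speed bump" idea amounts to an audit question: which services are listening on all interfaces without a matching firewall opening? The following is an added example, not code from the thread or from Fedora; it parses constructed `ss -tlnp`-style output and assumes the permitted ports come from some firewall query such as `firewall-cmd --list-ports`.

```python
import re

# Constructed sample in the shape of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*        users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22             [::]:*           users:(("sshd",pid=812,fd=4))
LISTEN 0      5      127.0.0.1:631       0.0.0.0:*        users:(("cupsd",pid=640,fd=7))
LISTEN 0      50     *:6881              *:*              users:(("transmission",pid=2210,fd=12))
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*        users:(("httpd",pid=1501,fd=4))
"""

# Ports the firewall already permits; assumed to be read from the firewall tooling.
ALLOWED_PORTS = {22}

# Local addresses that mean "every interface" in ss output (IPv4, IPv6, and the '*' shorthand).
WILDCARDS = {"0.0.0.0", "::", "*"}
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s+users:\(\("([^"]+)"')


def split_addr_port(addr):
    """Split 'host:port' into (host, port); IPv6 hosts lose their surrounding brackets."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def exposed_services(ss_output, allowed_ports):
    """Return sorted (port, process) pairs that listen on all interfaces
    but have no corresponding firewall opening."""
    found = set()
    for line in ss_output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header or a line without process info
        host, port = split_addr_port(match.group(1))
        if host in WILDCARDS and port not in allowed_ports:
            found.add((port, match.group(2)))
    return sorted(found)


if __name__ == "__main__":
    for port, proc in exposed_services(SAMPLE_SS, ALLOWED_PORTS):
        print(f"{proc} listens on port {port} on all interfaces; no firewall rule opens it")
```

The loopback-only CUPS listener is skipped, and sshd is skipped because port 22 is permitted; the remaining two are the cases where the firewall is doing work the user may not know about.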

