Firewall
Jesse Keating
jkeating at redhat.com
Mon Dec 6 19:48:11 UTC 2010
On 12/06/2010 11:34 AM, Miloslav Trmač wrote:
> Jesse Keating wrote on Mon 06. 12. 2010 at 11:14 -0800:
>> On 12/06/2010 11:09 AM, Miloslav Trmač wrote:
>>> Jesse Keating wrote on Mon 06. 12. 2010 at 11:00 -0800:
>>>> Right, I always struggle with this. If you allow services that bind to
>>>> a port once enabled to have the port open, then what good does it do to
>>>> have the port closed?
>>>>
>>>> I really wonder what real purpose a firewall serves on these machines.
>>>> Once you get past the "ZOMG WE NEED A FIREWALL"....
>>>
>>> I can see the following primary reasons to have a firewall:
>>>
>>> * Enforcing a sysadmin-set (system-wide or site-wide) policy.
>>>
>>> "No, you will not run any bittorrent client on the company's
>>> computer".
>>
>> That's an excellent reason for being able to deploy a firewall. Not
>> really sure this is a good reason for having a firewall configured by
>> default on personal installs.
> It's not, but we don't really have "personal installs"; any system can
> be a desktop, a server, or both at the same time.
I generally think of somebody going through the graphical installer as
being a personal install. Kickstarts are different. And if the person
is a sysadmin installing a server manually via the graphical installer,
I'm sure they can turn on / configure the firewall as needed.
>
>>> * A "speed bump" that requires an independent action to prevent
>>> unintentionally opening up a service.
>>>
>>> "You have started $server, and it accepts connections from the
>>> whole internet. Here's your chance to think about this again.
>>> Do you want to open the port?"
>>
>> Yet we don't have that kind of UI present. So instead now we have
>> people trying to turn on services, having it not work, and spending time
>> / energy fiddling with config files before they finally realize it was
>> the firewall.
> For "server" applications, I don't think this is a big problem: If the
> user has been able to find and edit httpd.conf, they can also learn
> about the firewall.
>
> For "desktop" users, what kind of services are we talking about?
>
> gnome-user-share? Will a "desktop" user know about this concept, or just
> send the data over e-mail or IM?
>
> SIP? Desktop sharing? An incoming connection won't be able to come
> through the ADSL modem's NAT anyway, so some kind of tunneling or an
> external service broker (which turns the connection from incoming into
> outgoing, enabled by default) is needed.
>
> It may be just me, but really can't remember a single example when the
> firewall has broken something for me, at least in the last 10 years.
Bittorrent, network games, zero conf come to mind.
>
>> Then they just turn it off and grumble. At least the
>> other OS gives you a pop up to let some service through, although there
>> are problems with that too.
> My experience with the Windows prompts is absolutely horrible - I
> started an application and I was asked "do you want this to bypass the
> firewall" - I know that if I deny the request, the application will
> probably not work, but I'm never told why the application needs such
> access when most other applications on the system do not. Is it
> legitimate, or is the application spying on me, is this for some kind of
> "remote software disable" functionality? All that the prompt does is
> make me worry. (This is probably more of an indication of the low level
> of trust in Windows software downloaded from the internet than of the
> quality of the firewall, but it shows that the firewall interface does
> not match the problem space well.)
> Mirek
>
At least Windows gives you a popup. On our side not only do we not know
why apps are trying to bind to network ports, we don't even know which
ones are trying! We seem to not trust /anything/ even though we
installed it!
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
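The complaint above, that the system neither knows nor tells the user which programs are binding to network ports, can at least be answered after the fact from the socket table. The following is an added example, not code from the thread or from Fedora; it parses output in the format of `ss -lntup` (iproute2), skips loopback-only listeners that a host firewall does not gate anyway, and flags every remaining listener whose proto/port is not in an assumed allowlist. The `ss` sample and the allowlist (`tcp/22` only) are constructed for the example.

```shell
#!/bin/sh
# Added example: map listening sockets to their owning processes and flag the
# ones a firewall allowlist would block. Not part of the original thread.

# Constructed sample of `ss -lntup` output (header plus four sockets).
# On a real host replace this with: SAMPLE_SS="$(ss -lntup)"
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=812,fd=12))
tcp   LISTEN 0      128      127.0.0.1:631       0.0.0.0:*    users:(("cupsd",pid=903,fd=7))
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=655,fd=3))
tcp   LISTEN 0      511        0.0.0.0:6881      0.0.0.0:*    users:(("transmission-da",pid=2210,fd=15))'

# Assumed firewall policy: space-separated "proto/port" tokens that are open.
ALLOWED='tcp/22'

# Print "proto port process" for every socket bound to a non-loopback address.
# Loopback-only listeners are skipped: the host firewall does not gate those.
listeners() {
    printf '%s\n' "$SAMPLE_SS" | awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n];
        addr = substr($5, 1, length($5) - length(port) - 1);
        if (addr == "127.0.0.1" || addr == "[::1]") next;
        proc = "unknown";
        # users:(("name",pid=...)) -> take the text between the first quotes
        if (match($0, /users:\(\("[^"]*"/)) {
            proc = substr($0, RSTART + 9, RLENGTH - 10);
        }
        print $1, port, proc
    }'
}

# Report listeners the allowlist does not cover, one "proto/port process" per line.
unfirewalled() {
    listeners | while read -r proto port proc; do
        case " $ALLOWED " in
            *" $proto/$port "*) ;;
            *) printf '%s/%s %s\n' "$proto" "$port" "$proc" ;;
        esac
    done
}

unfirewalled
```

With the sample above this prints `udp/5353 avahi-daemon` and `tcp/6881 transmission-da`: cupsd is loopback-only and sshd is allowed. Run against live `ss` output, the same report is the list of services the firewall is silently breaking for the user, or, read the other way, the ports a sysadmin should look at before deciding to open anything.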