Firewall

Jesse Keating jkeating at redhat.com
Mon Dec 6 19:48:11 UTC 2010


On 12/06/2010 11:34 AM, Miloslav Trmač wrote:
> Jesse Keating píše v Po 06. 12. 2010 v 11:14 -0800:
>> On 12/06/2010 11:09 AM, Miloslav Trmač wrote:
>>> Jesse Keating píše v Po 06. 12. 2010 v 11:00 -0800:
>>>> Right, I always struggle with this.  If you allow services that bind to
>>>> a port once enabled to have the port open, then what good does it do to
>>>> have the port closed?
>>>>
>>>> I really wonder what real purpose a firewall serves on these machines.
>>>> Once you get past the "ZOMG WE NEED A FIREWALL"....
>>>
>>> I can see the following primary reasons to have a firewall:
>>>
>>>       * Enforcing a sysadmin-set (system-wide or site-wide) policy.
>>>         
>>>         "No, you will not run any bittorrent client on the company's
>>>         computer".
>>
>> That's an excellent reason for being able to deploy a firewall.  Not
>> really sure this is a good reason for having a firewall configured by
>> default on personal installs.
> It's not, but we don't really have "personal installs"; any system can
> be a desktop, a server, or both at the same time.

I generally think of somebody going through the graphical installer as
being a personal install.  Kickstarts are different.  And if the person
is a sysadmin installing a server manually via the graphical installer,
I'm sure they can turn on / configure the firewall as needed.

> 
>>>       * A "speed bump" that requires an independent action to prevent
>>>         unintentionally opening up a service.
>>>         
>>>         "You have started $server, and it accepts connections from the
>>>         whole internet.  Here's your chance to think about this again.
>>>         Do you want to open the port?"
>>
>> Yet we don't have that kind of UI present.  So instead now we have
>> people trying to turn on services, having it not work, and spending time
>> / energy fiddling with config files before they finally realize it was
>> the firewall.
> For "server" applications, I don't think this is a big problem:  If the
> user has been able to find and edit httpd.conf, they can also learn
> about the firewall.
> 
> For "desktop" users, what kind of services are we talking about?
> 
> gnome-user-share? Will a "desktop" user know about this concept, or just
> send the data over e-mail or IM?
> 
> SIP? Desktop sharing? An incoming connection won't be able to come
> through the ADSL modem's NAT anyway, so some kind of tunneling or an
> external service broker (which turns the connection from incoming into
> outgoing, enabled by default) is needed.
> 
> It may be just me, but really can't remember a single example when the
> firewall has broken something for me, at least in the last 10 years.

Bittorrent, network games, zero conf come to mind.

> 
>>   Then they just turn it off and grumble.  At least the
>> other OS gives you a pop up to let some service through, although there
>> are problems with that too.
> My experience with the Windows prompts is absolutely horrible - I
> started an application and I was asked "do you want this to bypass the
> firewall" - I know that if I deny the request, the application will
> probably not work, but I'm never told why the application needs such
> access when most other applications on the system do not.  Is it
> legitimate, or is the application spying on me, is this for some kind of
> "remote software disable" functionality?  All that the prompt does is
> make me worry.  (This is probably more of an indication of the low level
> of trust in Windows software downloaded from the internet than of the
> quality of the firewall, but this shows that the firewall interface does
> not match the problem space well.)
> 	Mirek
> 

At least Windows gives you a popup.  On our side not only do we not know
why apps are trying to bind to network ports, we don't even know which
ones are trying!  We seem to not trust /anything/ even though we
installed it!

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
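Added example for the two concrete questions in this exchange: the "speed bump" check Mirek describes ("you have started $server, and it accepts connections from the whole internet") and Jesse's point that we do not even know which processes are listening. This is editor-written illustration code, not anything from the thread, from Fedora, or from either poster. It parses /proc/net/tcp and /proc/net/tcp6 (the kernel's hex socket table), keeps the LISTEN entries, and classifies each as loopback-only, blocked by the host firewall, or exposed. Assumptions: a little-endian host (the kernel prints each 32-bit address word in host byte order); the constructed sample tables below (not captured from a real machine); and ASSUMED_OPEN_PORTS as a hypothetical stand-in for the ports the firewall actually admits, since reading the live ruleset is not shown. The owning_pids() helper maps a socket back to processes via /proc/<pid>/fd and only sees what the caller has permission to read.

```python
"""Enumerate listening TCP sockets from /proc/net/tcp{,6} and classify each as
loopback-only, blocked by the host firewall, or exposed.  Example code written
for this thread; it is not Fedora's tooling.  Assumes a little-endian host
(x86/ARM LE), where the kernel prints each 32-bit address word in host order."""
import ipaddress
import os
import socket
from dataclasses import dataclass

LISTEN = "0A"  # TCP_LISTEN as printed in the 'st' column


@dataclass(frozen=True)
class ListeningSocket:
    address: str   # textual bind address, e.g. "0.0.0.0", "127.0.0.1", "::1"
    port: int
    uid: int       # owner of the socket, as reported by the kernel
    inode: int     # socket inode; matches "socket:[<inode>]" links in /proc/<pid>/fd


def decode_proc_addr(hexaddr: str, family: int) -> str:
    """Convert the kernel's hex address (host-order 32-bit words) to dotted/colon form."""
    raw = bytes.fromhex(hexaddr)
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))  # little-endian assumed
    return socket.inet_ntop(family, packed)


def parse_proc_net_tcp(text: str, family: int) -> list[ListeningSocket]:
    """Parse /proc/net/tcp or /proc/net/tcp6 text, keeping only sockets in LISTEN state."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue  # header line, or an established/closing connection
        addr_hex, port_hex = fields[1].split(":")
        found.append(ListeningSocket(
            address=decode_proc_addr(addr_hex, family),
            port=int(port_hex, 16),
            uid=int(fields[7]),
            inode=int(fields[9]),
        ))
    return found


def classify(sock: ListeningSocket, open_ports: set[int]) -> str:
    """The 'speed bump' question: can anything off-host actually reach this socket?
    open_ports stands in for the TCP ports the host firewall admits (assumption supplied
    by the caller; reading it from the live ruleset is not shown here)."""
    ip = ipaddress.ip_address(sock.address)
    if ip.is_loopback:
        return "loopback-only"          # unreachable from the network regardless of firewall
    if sock.port in open_ports:
        return "exposed"                # bound to a wildcard/routable address AND admitted
    return "blocked-by-firewall"        # the "service doesn't work and I don't know why" case


def exposure_report(tcp4: str, tcp6: str, open_ports: set[int]) -> dict[tuple[str, int], str]:
    socks = parse_proc_net_tcp(tcp4, socket.AF_INET) + parse_proc_net_tcp(tcp6, socket.AF_INET6)
    return {(s.address, s.port): classify(s, open_ports) for s in socks}


def owning_pids(inode: int) -> list[int]:
    """Best-effort: which processes hold the socket?  Needs permission to read other users' fds."""
    pids = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == f"socket:[{inode}]":
                    pids.append(int(pid))
                    break
        except OSError:
            continue  # process exited, or its fd table is not readable by us
    return pids


# Constructed sample input in the kernel's format (not captured from a real host): sshd on
# 0.0.0.0:22, cups on 127.0.0.1:631, a uid-1000 client on 0.0.0.0:6881, one ESTABLISHED
# connection that must be ignored, httpd on [::]:80, smtp on [::1]:25.
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1AE1 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:C2A4 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12004 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         rem_address                         st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12005 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0019 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12006 1 0000000000000000 100 0 0 10 0
"""
ASSUMED_OPEN_PORTS = {22}  # hypothetical firewall policy: only ssh admitted


if __name__ == "__main__":
    report = exposure_report(SAMPLE_TCP4, SAMPLE_TCP6, ASSUMED_OPEN_PORTS)
    for (addr, port), verdict in sorted(report.items()):
        print(f"{addr:>15}:{port:<5} {verdict}")
```

On a live box, feed open("/proc/net/tcp").read() and open("/proc/net/tcp6").read() to exposure_report() instead of the samples, and pass the inode of any "exposed" or "blocked-by-firewall" entry to owning_pids() to see who bound it. The three verdicts map directly onto the thread: "loopback-only" needs no prompt at all, "exposed" is where a speed bump would have made sense, and "blocked-by-firewall" is the case where the user is left fiddling with config files.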