Firewall
Adam Williamson
awilliam at redhat.com
Tue Dec 7 02:30:23 UTC 2010
On Mon, 2010-12-06 at 18:07 -0800, Jesse Keating wrote:
> On 12/06/2010 06:04 PM, Adam Williamson wrote:
> > On Mon, 2010-12-06 at 19:05 +0000, Daniel P. Berrange wrote:
> >
> >> The other benefit would be if the user only intended the
> >> service to be accessible to localhost, or a UNIX domain
> >> socket but for some reason screwed up their service's
> >> config & opened it to the world.
> >
> > I use it as a safety net for much this reason. I am not comfortable with
> > 100% guaranteeing that 'helpful' services we install by default like
> > Avahi are not doing things I really wouldn't want them to do when I
> > connect to some open wifi network.
>
> I think this is where the zones work that was talked about will come in
> handy. If you connect to a new unknown network, default to firewalled
> until the user "trusts" the zone. But if you trust the zone, trust it,
> don't get in the way.
yep, indeed. though, of course, implementation can be a pain. Windows
implements something like this, and half the vulnerability announcements
I see seem to be for things that manage to violate this model by
appearing to be from the trusted zone when they're not. (IE used to have
a similar system, which they never managed to get right, so I think
they've either removed it or they just default to every zone being
equally untrusted now).
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
More information about the devel
mailing list