Firewall

Daniel P. Berrange berrange at redhat.com
Tue Dec 7 10:13:35 UTC 2010


On Mon, Dec 06, 2010 at 11:00:53AM -0800, Jesse Keating wrote:
> On 12/06/2010 10:07 AM, Miloslav Trmač wrote:
> > Richard W.M. Jones píše v Po 06. 12. 2010 v 18:04 +0000:
> >> On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
> >>> On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote: 
> >>>> On most desktop systems a firewall is not needed. Many users do not even
> >>>> know how to configure it. In fact I disable it in most of my systems,
> >>>> because there is no real use for it. So I asked a simple question
> >>>> whether there is a need to install iptables by default?
> >>>>
> >>>> Your answer is not satisfactory for me - because an unconfigured
> >>>> firewall has nothing to do with security. In fact, it can only bring
> >>>> a false sense of security.
> >>>
> >>> I believe the default is to block incoming connections except for a few
> >>> services.  This is good if you are running a sloppily written
> >>> single-user server that binds to the wildcard address.  The Haskell
> >>> Scion server fell in this category as of August 2009; I didn't look to
> >>> see what a remote user might be able to do to me by connecting to it.
> >>> Yes, the proper way to avoid problems is to bind to localhost, but the
> >>> firewall can be nice.
> >>
> >> It would be nice if the firewall automatically followed services that
> >> I have enabled and disabled.  eg. If I explicitly enable the
> >> webserver, it should open the corresponding port(s).
> > Just disable the firewall and you'll get pretty much equivalent
> > functionality.
> > 	Mirek
> > 
> 
> Right, I always struggle with this.  If you allow services that bind to
> a port once enabled to have the port open, then what good does it do to
> have the port closed?
> 
> I really wonder what real purpose a firewall serves on these machines.
> Once you get past the "ZOMG WE NEED A FIREWALL"....
> 
> I can somewhat see a firewall trying to protect a system from a user
> process that got launched without the user being aware and binding to a
> high port for nefarious reasons, but how do you balance that with the
> legitimate applications that bind to high ports?

There is one other point worth remembering wrt IPv6 autoconfig.
A naive admin might only be thinking in terms of IPv4 when
configuring services on their machine. With IPv6 autoconfig, any
Fedora host will automatically obtain a globally routable IPv6
address & connectivity when receiving a router advertisement on
the local LAN. Thus any services that were bound to the wildcard
address would immediately become reachable over IPv6. This
probably isn't a huge problem, since if the admin has already
enabled public access over IPv4 they've likely performed suitable
security setup for the service. It could be a problem though if
they've done something crazy like "use auth scheme X for IPs in
range A, and auth scheme Y for IPs in range B" and not considered
what auth scheme was required for other ranges, or non-IPv4 addresses.

An IPv6 firewall enabled by default would require admins to take
explicit steps to expose the services, even when the machine was
automagically obtaining IPv6 connectivity without admin interaction.

Regards,
Daniel
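
An audit for the exposure described in the message above, added here as an example and not part of the original post: it decodes listening sockets in the Linux `/proc/net/tcp` and `/proc/net/tcp6` layout and reports the ports that become reachable over IPv6 once the host autoconfigures a global address. The sample tables are constructed, the function names are hypothetical, and a little-endian host is assumed.

```python
import ipaddress
import struct

# Constructed samples in /proc/net/tcp and /proc/net/tcp6 layout (little-endian host).
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0050 00000000:0000 0A 00000000:00000000
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A
   2: 00000000000000000000000000000000:1F90 00000000000000000000000000000000:0000 0A
   3: 00000000000000000000000001000000:C350 00000000000000000000000001000000:0277 01
"""

def decode_addr(hex_addr):
    """Convert the kernel's hex dump (32-bit words in host order) to an address."""
    raw = bytes.fromhex(hex_addr)
    words = struct.unpack(f"<{len(raw) // 4}I", raw)  # assumption: little-endian host
    return ipaddress.ip_address(struct.pack(f">{len(words)}I", *words))

def listeners(table):
    """Return (address, port) for every socket in state 0A (TCP_LISTEN)."""
    found = []
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue  # established and other non-listening sockets
        addr_hex, port_hex = fields[1].split(":")
        found.append((decode_addr(addr_hex), int(port_hex, 16)))
    return found

def ipv6_reachable(tcp6_table):
    """Ports listening on '::' or any other non-loopback IPv6 address."""
    return sorted(p for a, p in listeners(tcp6_table) if not a.is_loopback)

def ipv4_only_wildcard(tcp4_table):
    """Ports bound to 0.0.0.0 only; these are not exposed by IPv6 autoconfig."""
    return sorted(p for a, p in listeners(tcp4_table) if a.is_unspecified)

if __name__ == "__main__":
    print("reachable over IPv6:", ipv6_reachable(SAMPLE_TCP6))
    print("IPv4-only wildcard:", ipv4_only_wildcard(SAMPLE_TCP4))
```

On a real host, pass the contents of `/proc/net/tcp6` and `/proc/net/tcp` instead of the samples; each port in the first list needs either a loopback bind or an explicit ip6tables decision.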

