About F19 Firewall
Björn Persson
bjorn at xn--rombobjrn-67a.se
Sat Sep 28 11:34:48 UTC 2013
Eric H. Christensen wrote:
>What are you trying to protect yourself from, exactly?
Me? Other than address translation (a necessary evil) I use packet
filters mostly to restrain crazy programs that open listening sockets
for unknown reasons even though I don't use them for any kind of
communication. There was for example some kind of Gnome daemon that
popped up and started listening on an RTSP port just because I was
playing music from the local disk through the local loudspeakers. Such
behaviour is equally crazy on all networks, so I don't need firewall
zones for that.
Better ask those who think they need "home" and "work" zones what
they're trying to achieve.
>> This difference may be temporary though. Sooner or later ISPs will be
>> forced to start providing IPv6 to customers, and then NAT will no
>> longer function as a firewall.
>
>NAT was never really supposed to be a security feature.
That's not its primary purpose, no, but not having a public IP address
is in practice much like being behind a really zealous firewall that
only allows outgoing connections. People rely on that when they use
naïve protocols at home, for example unencrypted or passwordless file
and printer sharing protocols.
>IPv6 really isn't the problem.
I agree.
>> link-layer encryption like WPA2 won't protect anything anymore
>
>What do you think WPA2 protects against? It has never protected
>against anything but decoding of intercepted packets across the
>wireless link.
As far as I know it's also supposed to prevent active attacks, not just
passive eavesdropping. The underlying assumption is that your local
wired network is protected by a firewall plus physical walls and locked
doors, and that you have something insecure on your network that needs
that protection. Then when you add a wireless link you have to prevent
others from connecting to it and attacking your insecure stuff. That's
what WPA2 is for.
But if your firewall is just a side effect of your NAT, and IPv6 makes
NAT obsolete, then your insecure stuff is no longer protected.
>> ...and then
>> protocols designed for an isolated friendly network will be equally
>> insecure on both wired and wireless networks.
>
>Then you probably shouldn't be using protocols designed for an
>isolated friendly network. If you do then you probably deserve what
>happens to you as there is rarely such a thing as an "isolated
>friendly network".
And I don't use those protocols, but other people apparently do. Why
else would there be a need for WPA2 or firewall zones?
--
Björn Persson
Sent from my computer.
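Two practical checks that follow from the points above, written as an added example and not part of Björn's mail: first, a quick audit of which listening sockets are actually reachable from the network (the "crazy programs that open listening sockets" problem), and second, an nftables ruleset that gives a dual-stack host the "only outgoing connections" behaviour that people otherwise get as a side effect of NAT, so that it survives the move to IPv6. The sample `ss -Hltn` lines and the port numbers are constructed for the example, and the function names `exposed_listeners` and `only_outgoing_ruleset` are this example's own, not tools that exist on the system.

```shell
#!/bin/sh
# Added example: audit network-reachable listeners, then emit a default-drop
# nftables ruleset that only lets replies to the host's own connections in.

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer).
# In real use, pipe the command itself in; add -u to see UDP listeners too.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:554 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 *:22 *:*
LISTEN 0 4096 [fe80::1%eth0]:5353 [::]:*
LISTEN 0 128 [::]:554 [::]:*'

# Print the listeners whose bind address is reachable beyond the host:
# anything not on 127.0.0.0/8 or ::1. Link-local (fe80::) binds are reported
# as well, because everyone on the same link can reach them. Output columns:
# scope, address, port.
exposed_listeners() {
    awk '{
        laddr = $4
        # The port is the last ":"-separated field; the rest is the address.
        n = split(laddr, parts, ":")
        port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        gsub(/\[|\]/, "", addr)
        if (addr ~ /^127\./ || addr == "::1") next
        scope = "global"
        if (addr == "0.0.0.0" || addr == "*" || addr == "::") scope = "wildcard"
        else if (addr ~ /^fe80:/) scope = "link-local"
        print scope, addr, port
    }'
}

# Emit an nftables ruleset for the inet family (one table for IPv4 and IPv6)
# that drops unsolicited inbound connections but accepts replies to the
# host's own traffic, i.e. what a NAT router gives you as a side effect.
# ICMPv6 neighbour discovery and error messages must stay open, or an IPv6
# link simply stops working. Arguments: TCP ports to expose on purpose.
only_outgoing_ruleset() {
    ports=""
    for p in "$@"; do
        ports="${ports:+$ports, }$p"
    done
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
EOF
    if [ -n "$ports" ]; then
        echo "        tcp dport { $ports } accept"
    fi
    cat <<EOF
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Demo on the constructed sample; for a real host use:
#   ss -Hltn | exposed_listeners
#   only_outgoing_ruleset 22 | nft -f -
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
only_outgoing_ruleset 22
```

The audit lists everything bound to a wildcard or link-local address, which is exactly the set of sockets that a packet filter has to cover; anything that shows up there and is not meant to be reachable is either misconfigured or needs a drop rule. The ruleset is written for the `inet` family so the same policy applies whether the host has a public IPv6 address or sits behind IPv4 NAT.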