About F19 Firewall

Eric H. Christensen sparks at fedoraproject.org
Sun Sep 29 01:25:18 UTC 2013


On Sat, Sep 28, 2013 at 01:34:48PM +0200, Björn Persson wrote:
> Eric H. Christensen wrote:
> >> link-layer encryption like WPA2 won't protect anything anymore
> >
> >What do you think WPA2 protects against?  It has never protected
> >against anything but decoding of intercepted packets across the
> >wireless link.
> 
> As far as I know it's also supposed to prevent active attacks, not just
> passive eavesdropping. The underlying assumption is that your local
> wired network is protected by a firewall plus physical walls and locked
> doors, and that you have something insecure on your network that needs
> that protection. Then when you add a wireless link you have to prevent
> others from connecting to it and attacking your insecure stuff. That's
> what WPA2 is for.

WiFi encryption only helps you against local attacks, not anything on the Internet.  Depending on your level of security of your networked devices it may or may not make any difference whether you are using encryption on the WiFi network itself (i.e. if you are sharing files across your network via SCP then no one listening in will be able to make heads or tails of the data anyway).  And then there is the layer of authentication...

If you are using insecure stuff then I'd probably have to tell you to stop that or otherwise block incoming requests at the gateway.  It's really not that hard.

>
> But if your firewall is just a side effect of your NAT, and IPv6 makes
> NAT obsolete, then your insecure stuff is no longer protected.

I used to work for a place where everything had a public IP address on it.  Don't want people coming to those machines from the Internet?  Don't let them in at the gateway.  This really isn't anything new.

- -- Eric

- --------------------------------------------------
Eric "Sparks" Christensen
Fedora Project

sparks at fedoraproject.org - sparks at redhat.com
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
- --------------------------------------------------