About F19 Firewall

Eric H. Christensen sparks at fedoraproject.org
Sun Sep 29 01:25:18 UTC 2013

On Sat, Sep 28, 2013 at 01:34:48PM +0200, Björn Persson wrote:
> Eric H. Christensen wrote:
> >> link-layer encryption like WPA2 won't protect anything anymore
> >
> >What do you think WPA2 protects against?  It has never protected
> >against anything but decoding of intercepted packets across the
> >wireless link.
>
> As far as I know it's also supposed to prevent active attacks, not just
> passive eavesdropping. The underlying assumption is that your local
> wired network is protected by a firewall plus physical walls and locked
> doors, and that you have something insecure on your network that needs
> that protection. Then when you add a wireless link you have to prevent
> others from connecting to it and attacking your insecure stuff. That's
> what WPA2 is for.

WiFi encryption only helps you against local attacks, not anything on the Internet.  Depending on your level of security of your networked devices, it may or may not make any difference whether you are using encryption on the WiFi network itself (i.e. if you are sharing files across your network via SCP then no one listening in will be able to make heads or tails of the data anyway).  And then there is the layer of authentication...

If you are using insecure stuff then I'd probably have to tell you to stop that or otherwise block incoming requests at the gateway.  It's really not that hard.

> But if your firewall is just a side effect of your NAT, and IPv6 makes
> NAT obsolete, then your insecure stuff is no longer protected.

I used to work for a place where everything had a public IP address on it.  Don't want people coming to those machines from the Internet?  Don't let them in at the gateway.  This really isn't anything new.

-- Eric

--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project

sparks at fedoraproject.org - sparks at redhat.com
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
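
The gateway-level blocking described in the message above, sketched as an nftables ruleset for a router whose inside hosts all carry public addresses and sit behind no NAT. This is an added example, not part of the original post and not Fedora's firewall configuration; the interface names wan0 and lan0, the table name, and the 2001:db8:1::10 server address (documentation prefix) are constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Added example with constructed names: wan0 = Internet side, lan0 = inside.
# The "inet" family covers IPv4 and IPv6, so the policy does not depend on NAT.

table inet gateway {
    chain forward {
        # Default deny: anything not matched below is dropped at the gateway.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that inside hosts opened themselves.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open new connections outward.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 error messages that IPv6 needs to work (path MTU discovery etc.).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # One deliberately published service (constructed address and port).
        iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport 443 accept

        # Unsolicited traffic from wan0 to any other inside host reaches
        # the end of the chain and hits "policy drop".
    }
}
```

The protection here comes from the stateful default-deny on the forward hook, which is the property a NAT router provides only as a side effect.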

