firewalld vs iptables vs ? as default (was Comparison to Workstation Technical Specification)

Miloslav Trmač mitr at volny.cz
Tue Mar 4 13:07:00 UTC 2014


2014-03-04 13:51 GMT+01:00 Reindl Harald <h.reindl at thelounge.net>:

> second:
>
> third:
>
(lots snipped).

Those are cases I have also numbered 2) and 3) earlier in the thread :)  I
agree that a firewall by default, for all services, makes sense in these
situations.

The email you are quoting is my objections to having the default *differ
between roles*.  I think that our cases 2) and 3) either apply across the
whole computer, or not at all; so having the firewall allow access to some
roles by default and not to others doesn't make sense.

> fourth:
> "to run arbitrary code really that frequent" define that - any scripting
> language with commands like exec(), system() and so on is in danger of running
> code if it is not perfectly secured, which a default installation is unable to do
>

I think that's addressed by my case 4): a firewall that only blocks
incoming connections is not all that useful in this situation.

> and so finally: now, in the past and in any future you have to block any
> incoming connection in whatever operating system by default or nobody with
> security knowledge will install that "product" because he is aware of the
> wrong security attitude of its creators and that it is not worth the time
> for a second look
>

I'm not at all insisting on having no firewall by default, but my interest
in appeasing cargo-culting requests like "you must run a firewall and
antivirus and antispyware" is really limited.  Not exactly zero, but fairly
close to zero.  *Why* do we need to block incoming connections?  If we have
a reason, are we actually deploying the firewall in a way that does handle
that reason?

I see having a firewall running by default, but punching holes in it by
default, without explicit user involvement, as such a case: the underlying
reason to have a firewall seems to be defeated by the way the firewall is
being used.
    Mirek