Re: Gnome security



On Tue, 8 Feb 2000, Rusty Conover wrote:

> > > I also feel nervous about the listening on >1024 ports by default. I'm
> > > glad I'm not the only one. Actually, I think it's insanity, considering
> > > there _have_ been holes in the generic ORBit code.
> 
> Have you guys ever heard of ipchains/ip firewalling?  It's quite easy to 
> set up and configure if you only want it to listen to loopback 
> connections on those ports.  This might be like taking a jackhammer to a 
> penny nail but it will get the job done.


Yes, but not everyone has the time, inclination or ability to figure out
(a) how to set up firewalling or (b) figure which ports Gnome will open up,
and thus which need closing down.

The average user who is not particularly interested in spending vast
amounts of time configuring firewalls is unlikely to be making use of the
functionality that having these ports open provides.  Likewise, anyone
clued enough to want to use the network ability should be clued enough to
open up the ports and suss out a firewall.

Far better, IMHO, to close these ports by default, and then have people
open up the holes themselves if they want to.

Distributing something in an insecure-by-default form risks the reputation
of Gnome, and the O/Ss it runs on as secure platforms.

Paul

> The Firewalling HOWTO is here:
> 
> http://www.ldp.mpoli.fi/HOWTO/IPCHAINS-HOWTO.html (along with other 
> mirrors of the HOWTOs)
> 
> Cheers,
> 
> Rusty
> --
> Rusty Conover        | rusty@zootweb.com 
> Systems Programmer   | 406-586-5050 x242
> Zoot Enterprises     | http://www.zootweb.com  
> 
> 


