Re: make gnome listen on localhost:*
- From: Paul Warren <pdw ferret lmh ox ac uk>
- To: Elliot Lee <sopwith redhat com>
- Cc: gnome-list gnome org
- Subject: Re: make gnome listen on localhost:*
- Date: Thu, 15 Jun 2000 12:43:50 +0100 (BST)
On Wed, 14 Jun 2000, Elliot Lee wrote:
> On Thu, 15 Jun 2000, Paul Warren wrote:
>
> > > The reason I hate the suggested type of solution is because it is a hack
> > > that only works for a very special set of apps,
> >
> > You mean apps run locally? That's not a particularly special set for you
> > average one-box desktop user.
>
> No, I mean "apps that use ORBit" as a special set.
>
> People are suggesting turning off TCP/IP for apps-that-use-ORBit, and then
> they'll submit patches to turn off networking for apps-that-use-foobar,
> and then yet another set will come along, and your previous solutions
> won't cover that.
I would expect all the "foobars" to come with no listening services
by default, and a simple mechanism to turn them on. By default, a
computer should not be offering services by Corba to the world at large
whether I have a firewall or not.
I find this "we don't have to worry about security because everyone will
be running a firewall" deeply worrying, and so do several other people on
this list, it would appear.
> > > A proper firewall setup will catch everything,
> >
> > Where do you propose putting this firewall? On the box running Gnome
> > (this is where Joe Average with his one box will have to put it)? If so,
> > then what's the point of having the port open in the first place?
>
> The point is how the access control is implemented, and having one
> solution that covers a wide variety of security problems is a lot more
> effective than a bunch of band-aid solutions.
Turning on network listening is a pretty basic piece of functionality -
hardly a "band-aid" solution.
> > BTW, if you are suggesting that we should all be running firewalls
> > that prohibit listening on high numbered ports
>
> > then you're going to break passive mode FTP
>
> For the desktop user? Your in-depth knowledge of networking continues to
> amaze me...
YES!! Do you know how passive mode FTP clients work? I'll give you a
clue: it involves setting up listening sockets on the *client* machine to
receive data transfers.
> > and possibly other stuff, and the average desktop user will fix this
> > by... turning off the firewall.
>
> This is only because the existing firewall setups are primitive and
> limited, which are things that a proper solution would fix.
Firewalls are, by their nature, very low level. They do not care about
what the packets are being used for. It would be impossible to use a
firewall to allow passive mode FTP clients, but disallow ORBit/other
services that you can't be bothered to turn off by default connections.
> > > Is anyone interesting in coming up with "the proper solution" that sets
> > > a safe default config and makes it easy to make changes? I might be
> > > interested in helping with such a thing.
> >
> > You mean an option for the control-center to turn on the network
> > functionality for ORBit, right?
>
> I'm thinking more like an option to add you to procmail filtering, at this
> point... :)
That'll really help, won't it?
Paul
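One way to audit the default argued for in this thread (nothing listening beyond loopback unless deliberately enabled), as an added example that is not part of the original mail: it parses the Linux /proc/net/tcp socket table and flags LISTEN sockets bound to a non-loopback address. The sample table below is constructed, and its port numbers are placeholders rather than ORBit's real port.

```python
"""Parse a /proc/net/tcp-style table and flag listeners bound to all interfaces."""
import socket
import struct

# Constructed sample in /proc/net/tcp format (assumption: not captured from a real host).
# Row 0: loopback listener, row 1-2: wildcard listeners, row 3: an established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:8F2C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:8F2C 0100007F:C3A1 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A  # socket state code used by the kernel for LISTEN


def parse_addr(hex_addr):
    """'0100007F:0277' -> ('127.0.0.1', 631). The IPv4 part is little-endian hex."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listeners(table_text):
    """Return (ip, port, uid) for every socket in LISTEN state, skipping the header row."""
    result = []
    for line in table_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8 or int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = parse_addr(fields[1])
        result.append((ip, port, int(fields[7])))
    return result


def exposed_listeners(table_text):
    """Listeners not bound to loopback, i.e. reachable from other hosts unless a firewall blocks them."""
    return [(ip, port, uid) for ip, port, uid in listeners(table_text)
            if not ip.startswith("127.")]


def read_proc_tcp(path="/proc/net/tcp"):
    """Read the live table on a Linux host (IPv4 only; /proc/net/tcp6 uses a wider address field)."""
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    for ip, port, uid in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print(f"exposed listener: {ip}:{port} (uid {uid})")
```

Replace SAMPLE_PROC_NET_TCP with read_proc_tcp() to check a real desktop; any row reported for a user uid is a service the user did not knowingly turn on.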