Re: The state of firewall management...



Graham Lyon wrote:
> I'll agree that if your system doesn't have ports open by default then
> you're fine, but if for instance your package manager pulls in mysql or
> postfix or similar as a dependency for some package that doesn't really need
> it to use its network capabilities

Such a situation would be a default misconfiguration problem, and a
very bad one since it directly affects security. I assume no package
manager installs and starts MySQL behind the user's back, at least
not listening to the outside world with the default password!

> then having the ability to turn on a firewall in public wifi
> networks for instance that blocks all traffic to those services
> would be a bonus, in my opinion.

IMHO firewalling is a complicated and error-prone workaround, not the
real fix to the misconfiguration problem above. Which Windows end user
understands anything about their firewall configuration?




> Why should I have to edit the httpd config?

Just because it is simpler and less error-prone than configuring a
firewall. It is simpler and safer to close the security hole
you created in the first place rather than from somewhere else.

For instance without a firewall you can list all your security holes with
just a simple "netstat -l"; no added confusion.

If you need to run an insecure apache instance on a regular basis,
then I think you should always watch it very closely, not from the
distance of a firewall.


> Also, that was a single use case - I can think of many more.

... but thank God they do not affect the average end user.


> A firewall isn't only about preventing access to network listening
> daemons, it's about granularity in that restriction :)

Sure. But please leave this complex granularity only to the network
administrators who actually need it.

The average end user has only a few network listening daemons, most of
them bound to the loopback address, while the tiny rest is shut down
when he connects outside of home.

Out of these two questions, which is the more intuitive:

You are about to connect to an untrusted network, do you want to:
- disable file sharing?
- reconfigure your firewall?





Cheers,

Marc
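As an added illustration of the "netstat -l" check mentioned above (example code written for this page, not part of the thread), the script below takes Linux net-tools style netstat output (a constructed sample is embedded; the column layout is assumed to match `netstat -ln`) and flags the listening sockets bound to something other than a loopback address, i.e. the ones reachable from an untrusted network:

```shell
#!/bin/sh
# Added example: report listening sockets that are not bound to loopback.
# Input format assumed: Linux net-tools "netstat -ln" style lines, where
# column 4 is "Local Address" in addr:port form.

# Constructed sample (not real output from any host).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*'

# Reads netstat-style lines on stdin; prints "proto addr:port" for every
# socket whose bind address is not 127.x.x.x or ::1. The header line and
# any non-tcp/udp rows are skipped.
exposed_sockets() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            # strip the trailing :port so only the bind address remains
            sub(/:[0-9*]+$/, "", addr)
            if (addr ~ /^127\./ || addr == "::1") next
            print $1, $4
        }'
}

# Number of exposed sockets found in the constructed sample.
count_exposed() {
    printf '%s\n' "$SAMPLE" | exposed_sockets | awk 'END { print NR }'
}

# Stand-alone run: list what an outside network could reach.
# On a live system replace the sample with:  netstat -ln | exposed_sockets
printf '%s\n' "$SAMPLE" | exposed_sockets
```

Sockets bound to 0.0.0.0 or :: are the ones that stay reachable regardless of which network the machine joins; in the sample that is the mail daemon, sshd and the DHCP client, while MySQL and CUPS stay on loopback.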