Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Thu, Apr 19, 2001 at 03:33:23AM +0200, Eloi Granado wrote:
> On Thursday 19 April 2001 01:57, Nathan Dabney wrote:
> > For those of you who do not like PARANOID, what would you suggest without
> > reducing the protection? Does ALL: ALL with some commentary explaining
> > where the user can go for more information sound good?
> Well, and some blinking message lines at boot time warning the new user that
> his machine is blocking all possible networking, absolutely ISOLATED? What

You seem to think that:

a. Anyone installing Debian wants people to connect to their "server".
b. Pure desktop users who want email, Netscape and WordPerfect don't exist.
c. Isolation is a bad thing in some way.

In my experience, security is first and functionality is second. You try and
balance, you don't give up #1 just in case someone should perhaps want #2 in
a certain way.

> about to remove all networking support by default? So the user will have to
> learn ALL networking risks before connecting/accepting connections from
> anywhere (oh yes, he will learn a lot in the way).

This makes as much sense as saying Debian servers first ship with the power off
and are hence unhackable until the user does something.

> What about to ask it at installation time? Wouldn't it be as secure as today
> and user friendly at the same time?

Bingo. Install questions that are non-technical for the easy install are
exactly what we need.

> Be serious, what type of system do we want? One both for users and for
> servers, or an OpenBSD-alike firewalling (user unfriendly) system?

There is the miscommunication: I don't want to mandate either for the user. I
want the user to be able to choose how their system will be.