
Re: hurd does NOT need /hurd



On Mon, May 20, 2002 at 03:48:16PM -0400, Michael Stone wrote:

> On Mon, May 20, 2002 at 01:25:31PM -0600, Joel Baker wrote:
>
> > Rule #1: attackers cannot attack what they cannot reach. Firewalls are not
> > perfect; they can be misconfigured, disabled, and in some cases (which do
> > apply to Debian), machine-based firewalls can have bugs in the firewalling
> > code which expose parts of the machine despite the firewall, or machines
> > behind the firewall. But I'll take a 99% reduction in attack vectors any
> > day of the week, thanks.
> 
> For a host based firewall, the firewall is certainly less effective than
> simply not listening on any ports.  You're right--attackers can't attack
> what they cannot reach (in this case, what you're not running.)

However, a firewall can help in this scenario as well. I've seen people
who have gained access to the user Apache runs as due to poorly designed
web applications. Most of them tried to spawn a shell which listened on
some random port (using netcat). Filtering closed ports will definitively
help in such cases.

(Michael: please forgive me for replying directly to you first, I hit the
wrong button, sorry.)

-- 
Tore Anderson
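The scenario above (a compromised web-server account starting a listener on a random port) is the case a default-deny host firewall is meant to cover. The following is an added example, not part of the thread or of any Debian package: a shell function that emits an nftables ruleset which accepts only the service ports the host is meant to expose, logs and drops everything else that reaches a listening socket, and also refuses new outbound connections from the web server's uid so the same foothold cannot open a reverse connection. The port list, the log prefixes and uid 33 (www-data on Debian) are assumptions to adjust for the host; the second function only syntax-checks the ruleset when the nft binary is present.

```shell
#!/bin/sh
# Added example: default-deny nftables policy for a host that exposes only a few services.
# Assumptions (not from the thread): SSH/HTTP/HTTPS are the intended services,
# uid 33 is the web server user, and the log prefixes are chosen here.

write_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Only the services this host is meant to offer are reachable.
        tcp dport { 22, 80, 443 } ct state new accept
        # Anything else that reaches a listening socket (e.g. a stray netcat
        # started by a compromised web application) is logged, then dropped
        # by the chain policy. The rate limit keeps a scan from flooding syslog.
        ct state new limit rate 5/minute log prefix "fw-input-drop: "
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # The web server's uid (33 = www-data on Debian, assumed here) may answer
        # requests but must not open new outbound connections of its own.
        meta skuid 33 ct state new log prefix "fw-output-www-data: " drop
    }
}
EOF
}

# Syntax-check the ruleset without loading it. Returns 0 when nft is not
# installed (nothing to check) or when nft accepts the ruleset.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        write_ruleset | nft -c -f -
    else
        return 0
    fi
}

# Usage (as root, after reviewing the port list):
#   write_ruleset > /etc/nftables.conf && nft -f /etc/nftables.conf
```

Two caveats when adapting this: the output rule blocks every new connection from uid 33, so a web application that legitimately needs outbound access (a database on another host, DNS lookups from the worker processes) needs an explicit accept placed before it; and the `fw-input-drop:` log lines are worth feeding into whatever log monitoring the host already has, because a new inbound attempt to an unexpected port on a web server is exactly the signal the message above describes.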

