[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Firewalling (was: hurd does NOT need /hurd)

On Mon, May 20, 2002 at 03:48:16PM -0400, Michael Stone wrote:
> On Mon, May 20, 2002 at 01:25:31PM -0600, Joel Baker wrote:
> > Rule #1: attackers cannot attack what they cannot reach. Firewalls are not
> > perfect; they can be misconfigured, disabled, and in some cases (which do
> > apply to Debian), machine-based firewalls can have bugs in the firewalling
> > code which expose parts of the machine despite the firewall, or machines
> > behind the firewall. But I'll take a 99% reduction in attack vectors any
> > day of the week, thanks.
> For a host based firewall, the firewall is certainly less effective than
> simply not listening on any ports.  You're right--attackers can't attack
> what they cannot reach (in this case, what you're not running.)

It is, indeed. Host firewalls are for the times when you need the service,
but you don't want to expose that service to the world (even with TCP
Wrappers or the like protecting it).

External firewalls are almost always better, but they also aren't practical
for a lot of folks. Like "most Debian users".

FWIW, RedHat's latest releases ask "Would you like firewalling enabled",
default the question to "yes", and if you say yes, ask a few basic things
about what you want to permit from the outside if the service is installed.

Really, this is probably best addressed in the firewall packages (for the
auto-config), and Policy (for whether firewalling packages should be made
part of the default install).

At least, I can't see any way *other* than Policy for someone to say "we
shouldn't release a Debian arch without firewalling" and have it be more
than just a personal opinion (if, perhaps, one I would often agree with).
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/

To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: