
Firewalling (was: hurd does NOT need /hurd)



On Mon, May 20, 2002 at 03:48:16PM -0400, Michael Stone wrote:
> On Mon, May 20, 2002 at 01:25:31PM -0600, Joel Baker wrote:
> > Rule #1: attackers cannot attack what they cannot reach. Firewalls are not
> > perfect; they can be misconfigured, disabled, and in some cases (which do
> > apply to Debian), machine-based firewalls can have bugs in the firewalling
> > code which expose parts of the machine despite the firewall, or machines
> > behind the firewall. But I'll take a 99% reduction in attack vectors any
> > day of the week, thanks.
> 
> For a host based firewall, the firewall is certainly less effective than
> simply not listening on any ports.  You're right--attackers can't attack
> what they cannot reach (in this case, what you're not running.)

It is, indeed. Host firewalls are for the times when you need the service,
but you don't want to expose that service to the world (even with TCP
Wrappers or the like protecting it).

External firewalls are almost always better, but they also aren't practical
for a lot of folks. Like "most Debian users".

FWIW, RedHat's latest releases ask "Would you like firewalling enabled",
default the question to "yes", and if you say yes, ask a few basic things
about what you want to permit from the outside if the service is installed.

Really, this is probably best addressed in the firewall packages (for the
auto-config), and Policy (for whether firewalling packages should be made
part of the default install).

At least, I can't see any way *other* than Policy for someone to say "we
shouldn't release a Debian arch without firewalling" and have it be more
than just a personal opinion (if, perhaps, one I would often agree with).
-- 
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/
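As an added illustration of the point both posters make above (this is not code from the thread or from any Debian package), here is a small audit that reads `ss -Hltn` output and separates listeners nobody outside can reach (loopback-bound) from those a host firewall is filtering and those actually exposed. The sample `ss` output and the firewall allow-list are constructed for the example; the IPv4 address used is from the documentation range.

```python
"""Audit which TCP listeners on a host are actually reachable from outside.

Input is the text of `ss -Hltn` (listening TCP sockets, numeric, no header).
The sample below is constructed, not captured from a real machine.
"""
import ipaddress

SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 80 192.0.2.10:3306 0.0.0.0:*
LISTEN 0 128 [::1]:25 [::]:*
"""

WILDCARDS = ("*", "0.0.0.0", "[::]")


def parse_listeners(ss_text):
    """Return (local_address, port) pairs from `ss -Hltn` output."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # IPv6 is "[addr]:port"
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; wildcards are never loopback."""
    if addr in WILDCARDS:
        return False
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False


def classify_exposure(listeners, firewall_allowed_ports):
    """Group listeners by what a remote peer can reach.

    firewall_allowed_ports models the accept-list of a default-deny host
    firewall; pass None to model a host with no firewall at all (assumption:
    the firewall filters by destination port only).
    """
    result = {"unreachable": set(), "filtered": set(), "exposed": set()}
    for addr, port in listeners:
        if is_loopback(addr):
            result["unreachable"].add((addr, port))
        elif firewall_allowed_ports is None or port in firewall_allowed_ports:
            result["exposed"].add((addr, port))
        else:
            result["filtered"].add((addr, port))
    return result
```

Running it on a real host is just `classify_exposure(parse_listeners(subprocess.check_output(["ss", "-Hltn"], text=True)), {22, 80})`; anything left in "exposed" is what the thread's rule #1 says you are actually defending.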

