
Re: hurd does NOT need /hurd

"John H. Robinson, IV" <jhriv@ucsd.edu> writes:

> Debian (using a linux, bsd, or gnumach/l4 (micro)kernel) should be
> ``Secure by default.'' if this means that no firewalling -> no debian
> release, then so be it.

Strictly speaking FW-ing increases security somewhat only if you are
running vulnerable services on the machine(s) behind the firewall. So
ok, it may be a good thing to have given that it's hard to know for
sure that a particular service is not vulnerable.

But a different, safer and more robust way to be "secure by default"
is to simply not enable the network services in the first place.

For instance, I'm a little annoyed that the X-server I'm running is
listening for connections on all interfaces. Perhaps I can work around
that by figuring out how linux fw-ing works this month, but I'd much
prefer if my X-server listened *only* on its AF_LOCAL socket, (and
perhaps also on the localhost AF_INET interface (with forwarding
disabled), if that's absolutely necessary to get X libraries and
clients to work).

There's no way I want to allow X connections from other machines, so
the X server *should not* ask for that. Firewalling the X server is a
kludge, nothing more.

I see little use for firewalling, except to help isolate broken or
unmaintained machines from the outside world. And in this case, the FW
is usually a separate box.
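
An added example, not part of the original message: a check for the situation described above, listing TCP sockets that listen on anything other than loopback (such as an X server on port 6000 bound to all interfaces). It parses the Linux `/proc/net/tcp` format (IPv4 only); the sample text is constructed, the function names are hypothetical, and a little-endian host is assumed.

```python
import ipaddress
import struct

TCP_LISTEN = 0x0A  # state value /proc/net/tcp uses for listening sockets

# Constructed sample in /proc/net/tcp format (not captured from a real host):
# a listener on 0.0.0.0:6000, one on 127.0.0.1:631, one established connection.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A00000A:C350 0B00000A:0016 01 00000000:00000000 00:00000000 00000000  1000        0 1003 1
"""


def parse_listeners(text):
    """Return [(IPv4Address, port)] for every LISTEN socket in the given text."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The kernel prints the address as a native-endian 32-bit word, so on a
        # little-endian host (assumed here) the bytes appear reversed.
        ip = ipaddress.IPv4Address(struct.pack("<I", int(addr_hex, 16)))
        listeners.append((ip, int(port_hex, 16)))
    return listeners


def exposed(listeners):
    """Listeners reachable from other machines: anything not bound to loopback."""
    return [(str(ip), port) for ip, port in listeners if not ip.is_loopback]


if __name__ == "__main__":
    import sys
    # Pass /proc/net/tcp as the argument on a Linux host; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for ip, port in exposed(parse_listeners(text)):
        print(f"listening beyond loopback: {ip}:{port}")
```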

