
<joke/>Debian secure by default (was Re: hurd does NOT need /hurd)



On Tue, 2002-05-21 at 13:44, Niels Möller wrote:
> "John H. Robinson, IV" <jhriv@ucsd.edu> writes:
> 
> > Debian (using a linux, bsd, or gnumach/l4 (micro)kernel) should be
> > ``Secure by default.'' if this means that no firewalling -> no debian
> > release, then so be it.
> 
> Strictly speaking FW-ing increases security somewhat only if you are
> running vulnerable services on the machine(s) behind the firewall. So
> ok, it may be a good thing to have given that it's hard to know for
> sure that a particular service is not vulnerable.
> 
> But a different, safer and more robust way to be "secure by default"
> is to simply not enable the network services in the first place.

I agree :)

> For instance, I'm a little annoyed that the X-server I'm running is
> listening for connections on all interfaces. Perhaps I can work-around
> that by figuring out how linux fw-ing works this month, but I'd much
> prefer if my X-server listened *only* on its AF_LOCAL socket, (and
> perhaps also on the localhost AF_INET interface (with forwarding
> disabled), if that's absolutely necessary to get X libraries and
> clients to work).

Try "-nolisten TCP" in the script launching the X server ;)

BTW.. I disagree that Debian is "secure by default", when every time you
install a server you get it running immediately and the default configuration
options are so "confident" with the outside world.

For example, some time ago I wondered why a server called "openslpd" or so
was running on my system.. it seems that upgrading CUPS installed and
launched it automagically. Surely it was my fault for not paying much
attention, but..

The same goes for the X server listening on AF_INET.

> There's no way I want to allow X connections from other machines, so
> the X server *should not* ask for that. Firewalling the X server is a
> kludge, nothing more.
>
> I see little use for firewalling, except to help isolate broken or
> unmaintained machines from the outside world. And in this case, the FW
> is usually a separate box.

Of course.

Some time ago I used to have firewalls, until I realized that not
listening on AF_INET at all is a more sensible approach.

And I have postfix, X, esd.. and sometimes apache, CUPS and similar
running. No need for a firewall at all!

> Regards,
> /Niels


In addition to this, I wonder why so many people try to tell the Hurd folks
what directories the Hurd must have, or that the Hurd needs fw tools.. when
they have no idea about the Hurd and the new concepts it brings to the OS scene.

I don't understand why AJ (release manager?) is worried about the FW
tools of the Hurd and states that it can't be released yet. I think that
each Debian "OS flavour" (*bsd, linux, hurd) must be treated
separately; and if not, the release manager must be concerned about all
three flavours' issues. I think that's not the case.

And they must be treated separately, beginning with the name. "hurd-i386" is
not a sub-arch of linux. What about "netbsd-{64 archs}"? Many internal
Debian procedures have to be changed in order to manage the new
flavours...


Bye!!

________________________________________________________________________
Manuel A. Fernández Montecelo <manuel@sindominio.net>

GnuPG pubkey: [http://sindominio.net/~manuel/gpg-pubkey.txt]
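The check implied by the mail above (a daemon bound only to AF_LOCAL or the loopback address needs no firewall; one bound to 0.0.0.0, :: or a real interface address is reachable from other hosts) can be made mechanical. The following is an added example written for this page, not code from the mail's author, Debian, or the X project. It assumes the `netstat -tlnp` output layout of Linux net-tools; the sample output, its PIDs and its program names are constructed, not captured from a real machine. The one remedy it names with confidence is the mail's own: an X server on TCP 6000+N (display :N) is told not to listen with `-nolisten tcp`, spelled as in the Xserver(1) man page. For every other daemon it only points at the daemon's own bind setting rather than inventing per-package options.

```python
"""Audit listening TCP sockets and flag the ones reachable from other hosts.

Added example, not part of the original mail. Assumptions: Linux
`netstat -tlnp` output layout (net-tools); the sample below is constructed.
AF_LOCAL sockets never appear in `-t` output, which is the mail's point:
they cannot be reached from the network at all.
"""
import ipaddress
import re

# Constructed sample in `netstat -tlnp` layout; PIDs and programs are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1012/X
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      830/master
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      910/cupsd
tcp        0      0 192.168.1.5:80          0.0.0.0:*               LISTEN      1200/apache
tcp        0      0 127.0.0.1:16001         0.0.0.0:*               LISTEN      1310/esd
tcp6       0      0 :::427                  :::*                    LISTEN      955/slpd
tcp6       0      0 ::1:631                 :::*                    LISTEN      910/cupsd
"""

# One LISTEN line: proto, queues, local addr:port, foreign addr, state, pid/prog.
# The greedy address group backtracks correctly on IPv6 forms such as ":::427".
LISTENER_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)"
    r"\s+\S+\s+LISTEN\s+(?P<pidprog>\S+)"
)


def is_local_only(addr):
    """True when nothing off-host can connect to this bind address."""
    return ipaddress.ip_address(addr).is_loopback


def parse_listeners(text):
    """Turn netstat output into a list of listener records."""
    listeners = []
    for line in text.splitlines():
        m = LISTENER_RE.match(line)
        if not m:
            continue  # header lines, or sockets that are not listening
        pid, _, prog = m.group("pidprog").partition("/")
        listeners.append({
            "proto": m.group("proto"),
            "addr": m.group("addr"),
            "port": int(m.group("port")),
            "pid": pid,
            "prog": prog or "?",  # netstat prints "-" when run unprivileged
        })
    return listeners


def exposed_listeners(text):
    """Listeners bound to a wildcard or interface address, i.e. reachable remotely."""
    return [l for l in parse_listeners(text) if not is_local_only(l["addr"])]


def remedy(listener):
    """The mail's fix for X; for anything else, point at the daemon's own
    bind setting rather than at a firewall rule."""
    x_names = ("X", "XFree86", "Xorg")  # assumption: common X server process names
    if listener["prog"] in x_names and 6000 <= listener["port"] < 6064:
        return "-nolisten tcp"  # X display :N listens on TCP 6000+N
    return "bind to 127.0.0.1/::1 or an AF_LOCAL socket in the daemon's own config"


def report(text):
    """One line per exposed listener, empty string when everything is local-only."""
    lines = []
    for l in exposed_listeners(text):
        lines.append("%s %s:%d %s (pid %s) -> %s"
                     % (l["proto"], l["addr"], l["port"], l["prog"], l["pid"], remedy(l)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT) or "nothing listens beyond localhost")
```

On a real host, feed it `netstat -tlnp` run as root (so the program column is filled in); an empty report is the state the mail argues for, with no firewall needed. Note that a loopback-only bind still leaves the service reachable by any local user, so this check says nothing about local privilege, only about exposure to other hosts.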
