Re: Release update

[Thiemo Seufer <ica2_ts@csv.ica.uni-stuttgart.de>]

Steve Kemp wrote:
> On Mon, Mar 29, 2004 at 08:26:06PM +0200, Thiemo Seufer wrote:
> 
> > >   Having iptables or ipchains installed as part of the base install
> > >  would be good - but I'm suggesting that we have some default rules,
> > >  such as accepting only local connections to all services.
> > 
> > Which would AFAIK immediately kill the s390 installer, which runs over
> > ssh. I have yet to see a rule set which works decently everywhere.
> 
>   Sure, some people are going to have different needs, but I think
>  that disabling incoming connections unless explicitly enabled would
>  be a proactive step for the distribution.

I disagree. If you don't want to use a network service, then don't
install it in the first place, or bind it to a local port.

>   If there is one arch which wouldn't allow this then fair enough 
>  disable it for that one, I don't think that is a sufficiently good
>  argument for disabling it for all though.

It was just an example. The same goes for every remote box which is
updated via network.


Thiemo