[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Release update

On Mon, Mar 29, 2004 at 09:24:16PM +0200, Thiemo Seufer wrote:

> I disagree. If you don't want to use a network service, then don't
> install it in the first place, or bind it to a local port.

  This is one approach.

  However it fails when installing a new system.  By default when
 installing Woody right now many things are listening globally.
 Exim, portmap, echo etc from inetd.

  Other things must be explicitly installed such as openssh, apache,
 but the user gets no choice about these base packages.  Sure they
 could be disabled by a clueful person.  But I think the overhead
 of "would you like this machine to run a firewall [yes/no]" to
 be minimal.

> It was just an example. The same goes for every remote box which is
> updated via network.

  I'm not talking about *updating* an existing system, I'm talking
 about installing a new system.

  However I guess you could mean updating Woody -> Sarge.  In this
 case I would suggest a firewall ruleset which said something like

    * Drop all incoming connections.
    * Permit connections which are established.

  At the point the firewall was brought up the remote session doing
 the update would be established, so there would be no issue.


Reply to: