Re: Release update
On Mon, Mar 29, 2004 at 09:24:16PM +0200, Thiemo Seufer wrote:
> I disagree. If you don't want to use a network service, then don't
> install it in the first place, or bind it to a local port.
This is one approach.
However it fails when installing a new system. By default when
installing Woody right now many things are listening globally.
Exim, portmap, echo etc from inetd.
Other things must be explicitly installed such as openssh, apache,
but the user gets no choice about these base packages. Sure they
could be disabled by a clueful person. But I think the overhead
of "would you like this machine to run a firewall [yes/no]" to
be minimal.
> It was just an example. The same goes for every remote box which is
> updated via network.
I'm not talking about *updating* an existing system, I'm talking
about installing a new system.
However I guess you could mean updating Woody -> Sarge. In this
case I would suggest a firewall ruleset which said something like
* Drop all incoming connections.
* Permit connections which are established.
At the point the firewall was brought up the remote session doing
the update would be established, so there would be no issue.
Steve
--
Reply to: