Re: Release update
Steve Kemp wrote:
> On Mon, Mar 29, 2004 at 09:24:16PM +0200, Thiemo Seufer wrote:
>
> > I disagree. If you don't want to use a network service, then don't
> > install it in the first place, or bind it to a local port.
>
> This is one approach.
>
> However it fails when installing a new system. By default when
> installing Woody right now many things are listening globally.
> Exim, portmap, echo, etc. from inetd.
If those are opening ports by default, file bugs against them.
> Other things must be explicitly installed such as openssh, apache,
> but the user gets no choice about these base packages. Sure, they
> could be disabled by a clueful person. But I think the overhead
> of "would you like this machine to run a firewall [yes/no]" is
> minimal.
It's not about the overhead, it's about the potential breakage,
e.g. for automated noninteractive installs.
> > It was just an example. The same goes for every remote box which is
> > updated via network.
>
> I'm not talking about *updating* an existing system, I'm talking
> about installing a new system.
Adding some firewall to the base affects both.
> However I guess you could mean updating Woody -> Sarge. In this
> case I would suggest a firewall ruleset which said something like
>
> * Drop all incoming connections.
> * Permit connections which are established.
>
> At the point the firewall was brought up the remote session doing
> the update would be established, so there would be no issue.
It occurs to me you never did system management over flaky connections.
Thiemo
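The ruleset sketched in the quoted message, written out as an nftables file (an added example, not code from anyone in this thread). The management network 192.0.2.0/24 and TCP port 22 are assumed placeholder values; the explicitly labelled rule is the one that addresses Thiemo's objection, since "drop incoming, permit established" alone cannot re-admit a session that dropped mid-update.

```nft
#!/usr/sbin/nft -f
# Added example: the "drop incoming, permit established" ruleset
# proposed in the thread, plus the explicit admin allow that keeps
# a remote update recoverable when the connection is flaky.

flush ruleset

table inet base_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always accepted.
        iif "lo" accept

        # Permit connections which are established (and related ones).
        ct state established,related accept

        # Drop packets conntrack regards as broken.
        ct state invalid drop

        # Without this rule, a remote session that dies mid-update
        # cannot be re-established: its new SYN is "new", not
        # "established", and falls through to the drop policy.
        # Assumed placeholders: management net 192.0.2.0/24, TCP 22.
        tcp dport 22 ip saddr 192.0.2.0/24 ct state new accept

        # ICMP so path MTU discovery and reachability checks keep working.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Everything else incoming is dropped by the chain policy.
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load with `nft -f <file>` and confirm with `nft list ruleset`; nftables applies the file atomically, so the operator's own established session stays up across the load.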