Re: hurd does NOT need /hurd

To: "John H. Robinson, IV" <jhriv@ucsd.edu>
Cc: Jeroen Dekkers <jeroen@dekkers.cx>, debian-devel@lists.debian.org, debian-hurd@lists.debian.org
Subject: Re: hurd does NOT need /hurd
From: nisse@lysator.liu.se (Niels Möller)
Date: 21 May 2002 13:44:25 +0200
Message-id: <[🔎] nnn0utiv3a.fsf@fafner.lysator.liu.se>
In-reply-to: <[🔎] 20020520180124.GB11058@ucsd.edu>
References: <[🔎] Pine.LNX.4.33.0205192031530.9857-100000@yakko.doogie.org> <[🔎] 87it5ja8bt.fsf@becket.becket.net> <[🔎] 20020520051008.GB16576@azure.humbug.org.au> <[🔎] 20020520141603.GB1505@celeron.dekkers> <[🔎] 20020520145256.GF29854@212.23.136.22> <[🔎] 20020520151349.GB25130@azure.humbug.org.au> <[🔎] 20020520173448.GI1505@celeron.dekkers> <[🔎] 20020520180124.GB11058@ucsd.edu>

"John H. Robinson, IV" <jhriv@ucsd.edu> writes:

> Debian (using a linux, bsd, or gnumach/l4 (micro)kernel) should be
> ``Secure by default.'' if this means that no firewalling -> no debian
> release, then so be it.

Strictly speaking FW-ing increases security somewhat only if you are
running vulnerable services on the machine(s) behind the firewall. So
ok, it may be a good thing to have given that it's hard to know for
sure that a particular service is not vulnerable.

But a different, safer and more robust way to be "secure by default"
is to simply not enable the network services in the first place.

For instance, I'm a little annoyed that the X-server I'm running is
listening for connections on all interfaces. Perhaps I can work-around
that by figuring out how linux fw-ing works this month, but I'd much
prefer if my X-server listened *only* on it's AF_LOCAL socket, (and
perhaps also on the localhost AF_INET interface (with forwarding
disabled), if that's absolutely necessary to get X libraries and
clients to work).

There's no way I want to allow X connections from other machines, so
the X server *should not* ask for that. Firewalling the X server is a
kludge, nothing more.

I see little use for firewalling, except to help isolate broken or
unmaintained machines from the outside world. And in this case, the FW
is usually a separate box.

Regards,
/Niels

-- 
To UNSUBSCRIBE, email to debian-hurd-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- <joke/>Debian secure by default (was Re: hurd does NOT need /hurd)
  - From: "Manuel A." Fernández Montecelo <manuel@sindominio.net>

References:
- Re: hurd does NOT need /hurd
  - From: Adam Heath <doogie@debian.org>
- Re: hurd does NOT need /hurd
  - From: tb@becket.net (Thomas Bushnell, BSG)
- Re: hurd does NOT need /hurd
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: hurd does NOT need /hurd
  - From: Jeroen Dekkers <jeroen@dekkers.cx>
- Re: hurd does NOT need /hurd
  - From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
- Re: hurd does NOT need /hurd
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: hurd does NOT need /hurd
  - From: Jeroen Dekkers <jeroen@dekkers.cx>
- Re: hurd does NOT need /hurd
  - From: "John H. Robinson, IV" <jhriv@ucsd.edu>

Prev by Date: Re: hurd does NOT need /hurd
Next by Date: Re: hurd does NOT need /hurd
Previous by thread: Re: hurd does NOT need /hurd
Next by thread: <joke/>Debian secure by default (was Re: hurd does NOT need /hurd)
Index(es):
- Date
- Thread