Re: hurd does NOT need /hurd



On Tue, May 21, 2002 at 08:23:11AM -0700, Jeff Bailey wrote:
> > >So, here am I, seriously considering firewalling tools less than
> > >essential.
> > Great, another compelling reason to ditch firewalling support.
> Not at all, but someone who thinks that firewalling provides any
> reasonable measure of security hasn't been paying attention -
> corporate firewalls are breached on a regular basis.  

So, your thesis is that because some firewalls are insecure, all firewalling
is a waste of time?

Let's try the Socratic method.

Do you believe that firewalls can ever be helpful?

Do you believe that blocking ports can ever be helpful?

Do you believe the Hurd should be useful as a server?

Do you believe that people use a single machine as a gateway and a server?

Do you believe that -- even if the server can't do routing -- it can still
act as a gateway by running, e.g., a squid proxy and having two interfaces,
one for a LAN and one for the Internet?

Do you believe that it might be useful to use iptables to stop people from
the Internet trying to access the proxy, whether to try a new security hole,
or just to see what they can do?

Do you believe that dedicated firewalls can break or be misconfigured?

Do you believe that a server on a firewalled LAN (with public IP
addresses) that shouldn't be able to be reached by the Internet, could be
in such a case?

Do you believe all software -- even site-written software -- that can
run on the Hurd has its own access control, and that, in every case that
access control is fine-grained and flawlessly written?

Do you believe that a server that shouldn't be reachable from the Internet,
running services whose access control software you don't trust to protect
you, could usefully be protected (or further protected) by blocking all
access from outside your LAN on the box you're using?

Do you believe that application-level access control is perfect in all cases?

Do you believe that application-level access control is generally higher
quality code than the Hurd implementation?

Do you believe there are any cases when firewalling in the Hurd would
be more reliable than application-level access control?

Would you go "what the f$#k is going on here?" if you bought a commercial
Unix that didn't have any firewalling tools?


Some other questions, for those of you who think Hurd might even compete
with Linux, let alone be preferred to it within the next decade:

Have you ever found the ability to do routing on a machine that you'd usually
think of as a desktop useful?

Do you really think anyone, given the choice between two systems with mostly
the same software, would choose the one that can only be a leaf-node, rather
than the one that can be either, depending on your needs at the time?

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

     ``BAM! Science triumphs again!'' 
                    -- http://www.angryflower.com/vegeta.gif
