On Tue, May 21, 2002 at 08:23:11AM -0700, Jeff Bailey wrote:
> > > So, here am I, seriously considering firewalling tools less than
> > > essential.
> >
> > Great, another compelling reason to ditch firewalling support.
>
> Not at all, but someone who thinks that firewalling provides any
> reasonable measure of security hasn't been paying attention -
> corporate firewalls are breached on a regular basis.

So, your thesis is that because some firewalls are insecure, all
firewalling is a waste of time?

Let's try the Socratic method.

Do you believe that firewalls can ever be helpful?

Do you believe that blocking ports can ever be helpful?

Do you believe the Hurd should be useful as a server?

Do you believe that people use a single machine as a gateway and a
server?

Do you believe that -- even if the server can't do routing -- it can
still act as a gateway by running, e.g., a squid proxy and having two
interfaces, one for a LAN and one for the Internet?

Do you believe that it might be useful to use iptables to stop people
from the Internet trying to access the proxy, whether to try a new
security hole, or just to see what they can do?

Do you believe that dedicated firewalls can break or be misconfigured?

Do you believe that a server on a firewalled LAN (with public IP
addresses) that shouldn't be able to be reached by the Internet, could
be in such a case?

Do you believe all software -- even site-written software -- that can
run on the Hurd has its own access control, and that, in every case,
that access control is fine-grained and flawlessly written?

Do you believe that a server that shouldn't be reachable from the
Internet, running services whose access control software you don't
trust to protect you, could usefully be protected (or further protected)
by blocking all access from outside your LAN on the box you're using?

Do you believe that application-level access control is perfect in all
cases?

Do you believe that application-level access control is generally
higher quality code than the Hurd implementation?

Do you believe there are any cases when firewalling in the Hurd would be
more reliable than application-level access control?

Would you go "what the f$#k is going on here?" if you bought a
commercial Unix that didn't have any firewalling tools?

Some other questions, for those of you who think Hurd might even compete
with Linux, let alone be preferred to it within the next decade:

Have you ever found the ability to do routing on a machine that you'd
usually think of as a desktop useful?

Do you really think anyone, given the choice between two systems with
mostly the same software, would choose the one that can only be a
leaf-node, rather than the one that can be either, depending on your
needs at the time?

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``BAM! Science triumphs again!''
                    -- http://www.angryflower.com/vegeta.gif
Attachment:
pgpQKBhWeNh4H.pgp
Description: PGP signature
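The two-interface proxy box that aj's questions describe (one interface on the LAN, one on the Internet, squid serving the LAN, iptables keeping the Internet side away from the proxy and from everything else on the box), written out as an added example; this is not code from the thread, nor from the Hurd or Debian projects. It assumes eth0 faces the Internet, eth1 faces the LAN 192.168.1.0/24, and squid listens on TCP 3128; all of those are assumptions and can be overridden through environment variables. The script emits the rule set first so it can be read and sanity-checked, and only applies it when asked to and running as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Hurd/Debian projects.
# Host firewall for a box with two interfaces that runs a proxy for its LAN
# but must not be reachable from the Internet. Assumed values (override via
# the environment):
#   WAN_IF     = eth0            interface facing the Internet
#   LAN_IF     = eth1            interface facing the LAN
#   LAN_NET    = 192.168.1.0/24  addresses allowed to talk to the box
#   PROXY_PORT = 3128            port squid listens on
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Emit the rule set as one iptables command per line so it can be read,
# diffed and checked before anything touches the kernel.
build_rules() {
    cat <<EOF
# Default deny for anything addressed to the box itself.
iptables -P INPUT DROP
# The box is a gateway only through the proxy; it does not route packets.
iptables -P FORWARD DROP
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections the box opened (e.g. squid fetching pages).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything from the LAN, on the LAN interface, is allowed; this covers
# the proxy port and whatever else the LAN is trusted to reach.
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# Attempts to reach the proxy from the Internet are logged, then dropped.
iptables -A INPUT -i $WAN_IF -p tcp --dport $PROXY_PORT -j LOG --log-prefix "proxy-probe: "
iptables -A INPUT -i $WAN_IF -p tcp --dport $PROXY_PORT -j DROP
EOF
}

# Sanity check of the policy: returns 0 if the rule set admits the LAN on
# the LAN interface, drops proxy traffic arriving on the WAN interface and
# refuses to forward, 1 otherwise.
check_rules() {
    rules=$(build_rules)
    printf '%s\n' "$rules" | grep -qF -- "-i $LAN_IF -s $LAN_NET -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -qF -- "-i $WAN_IF -p tcp --dport $PROXY_PORT -j DROP" || return 1
    printf '%s\n' "$rules" | grep -qF -- "-P FORWARD DROP" || return 1
    return 0
}

# Without --apply the script only prints the rules; with it, the rules are
# checked and then fed to sh, which stops at the first command that fails.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    check_rules || { echo "rule set failed sanity check" >&2; exit 1; }
    build_rules | sh -e
else
    build_rules
fi
```

Apply it from the console or over a session that arrives on the LAN interface: nothing arriving on the WAN interface is accepted except replies to connections the box itself opened, so a session coming in over the Internet side is cut off the moment the rules load. The explicit LOG/DROP pair on the proxy port is redundant with the default-deny policy, but it is what tells you, from the kernel log, who out there is poking at the proxy.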