
[RFC] Network Security Policy (was Re: atd...)



On Tue, Sep 26, 2000 at 09:28:17AM +0100, Patrick Lambe wrote:
> That's dangerous ground to get into, there are always holes in *all*
> distributions, regardless of how quickly they're fixed. 

Yes.
There was talk on this list before about being able to neatly disable
network services.

What would be nice would be The One True Way to know if a service was
meant to be disabled or not.  I.e. when I apt-get install
new_network_daemon, I want it to look at /etc/security/network-policy (or
some such), find out that I don't want anything listening until *I* do
something, and not start up.

That way I can read /usr/doc/new_network_daemon/*, decide how to firewall
it if necessary or how I want to configure it, and so on.

It also means that when you only apt-get upgrade infrequently or you go
to a new release, you can be happy in the knowledge that the new
daemon installed in the middle of that big batch of things to configure
isn't actually listening yet.

There used to be an annoying dependency that stopped portmap being
removed at all.  I think this has gone now (*removes portmap*) yep, but
the policy of Debian IMHO wrt open ports/daemons enabled when installed
etc. leaves something to be desired.

Comments?

-- 
----------(    "Always look on the bright side of life" -    )----------
----------(                   Monty Python                   )----------
Simon ----(                                                  )---- Nomis
                             Htag.pl 0.0.4
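One way the proposed /etc/security/network-policy check could look in a package's postinst, as an added sketch that is not part of the post above or of any Debian tooling. The policy file format ("default deny" plus per-service allow/deny lines), the policy path override, and the daemon names are assumptions; the policy contents are constructed inline so the script runs stand-alone.

```shell
#!/bin/sh
# Constructed example of the policy file the post proposes. The real path
# (/etc/security/network-policy) is an assumption from the post; we write a
# temporary copy so this runs without touching the system.
POLICY_FILE="${POLICY_FILE:-$(mktemp)}"
cat > "$POLICY_FILE" <<'EOF'
# network-policy: "default deny" means a freshly installed daemon must not
# listen until the admin explicitly allows it.
default deny
allow sshd
deny finger
EOF

# network_policy_allows SERVICE
# Returns 0 if SERVICE may be started on install, 1 otherwise.
# The last allow/deny line naming SERVICE wins; otherwise the "default"
# line decides; with no readable policy file at all, allow (today's behaviour).
network_policy_allows() {
    svc=$1
    [ -r "$POLICY_FILE" ] || return 0
    verdict=""
    default="allow"
    while read -r action name _; do
        case $action in
            ''|'#'*) continue ;;
            default) default=$name ;;
            allow|deny) if [ "$name" = "$svc" ]; then verdict=$action; fi ;;
        esac
    done < "$POLICY_FILE"
    [ -n "$verdict" ] || verdict=$default
    [ "$verdict" = allow ]
}

# What a postinst would do instead of unconditionally starting the daemon:
# consult the policy and leave the service down if it says so.
# Returns 0 when the daemon was (would be) started, 1 when it was held back.
maybe_start_daemon() {
    if network_policy_allows "$1"; then
        echo "$1: policy allows, starting"
        return 0
    fi
    echo "$1: held back by policy; read /usr/doc/$1/* and enable it yourself"
    return 1
}

# Demonstration with the constructed policy above ("|| true" only keeps a
# set -e caller from aborting on the deliberate non-zero return).
maybe_start_daemon sshd || true                # allowed explicitly
maybe_start_daemon new_network_daemon || true  # falls through to "default deny"
```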