Sthu Deus wrote:
> Thank You for Your time and answer, Bob. Beside other things You wrote:
>
> > Plus most people install on a private network behind a firewall from
> > the Internet. This protects them from network attacks from the
> > Internet. As long as your local private network is not compromised
>
> Can You explain, What a great idea behind firewall absence for the
> limited install environment - accepting only related packages to the
> host (the ones the host asked for)?

I am sorry but I am unable to understand what you are asking. Let me say a few more words and perhaps be lucky to answer your question anyway.

The installer system is a very small system. It uses a kernel to provide for its own use. It starts up a network for use by the installer. Nothing else uses the network. No ports are opened for listening. No ports are available for connecting. If you scan the system you will find that all ports are closed.

Because there are no ports open and no programs are running there isn't a need for a firewall running on the installer kernel. All connections will be closed even without a local firewall layer in place. Therefore it is unneeded. Since the system is very small it is easy to audit it and verify that nothing has changed that would open up a port.

The only external remotely accessible services available in the installer kernel are ICMP services such as ping. AFAIK. You can ping the system. Ping is a very useful diagnostic tool and is not disabled. The network code responding to ping is in the kernel. In times past there have been denial of service exploits by sending crafted ping packets that exploited a vulnerability. Years ago it was possible to crash a system remotely by sending a specially crafted ping-of-death packet.

The previous exploits were denial of service attacks by crashing the kernel. But if the installer crashed you would know it. You would be unable to complete the installation and would not have a security vulnerability later. Those old vulnerabilities have since been fixed and are no longer a problem. But that is the type of attack that we still need to worry about on the system when installing because the kernel used is the one included with the installer image and it should be new enough to avoid any known problems.

Installing on a private network behind a firewall is a very good idea. I dare to say that most users operate from a private network these days. In the old days most universities and corporations had public IPv4 space. But IPv4 space is used up now and in short supply. These days most networks operate behind a NAT (network address translation) box that connects them to the larger Internet that uses one address externally but different addresses internally.

To be clear, boxes such as a Linksys WRT54GL and similar from Netgear, D-Link, others. Boxes that connect to a cable modem or DSL and then provide a private RFC1918 network space in the 10.* or 192.168.* network behind them. Those boxes provide a firewall preventing incoming connections from the hostile Internet. Those firewall-router boxes prevent incoming ping and other packets from connecting to devices on the local private network. The NAT firewall-router box protects the local private network from external attack.

Installing a system on such a private network is a good idea because in that case even if the installer's kernel were vulnerable to a remote network exploit then that exploit could not be exploited because the firewall between the local private network and the hostile Internet would prevent the attack vector. The installer would run and install to completion. The installer will install the latest security upgrades available onto the target system. The installer will reboot into the target system. After the reboot the installed system will be running the latest available kernel. There won't have been a way for a remote attacker to crack into the system.

In a local private network the only place a network attack could come from would be from the local private network. In other words, the attacker would need to be someone very close to you, on your same network, and not someone across the world on the Internet. If this is your home router then they would need to be on your home network. If you are in a coffee shop or airport or other public network space then they would need to be in that same network space with you.

Installing from a coffee shop shared open network will be open to attacks from other people on the same coffee shop network. A coffee shop or airport network could be much bigger than you know and there may be a lot of people using it that you don't know. Better to install from your own home network behind your own home NAT firewall-router box so that you know it doesn't have hostile people also on it.

Hope that helps,
Bob
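
The audit described in the message above (verifying that nothing has opened a listening port) can be done locally by reading the kernel's socket table. This is an added example, not part of the original message or of the installer: it assumes a Linux system exposing the `/proc/net/tcp` format, in which socket state `0A` is LISTEN; the function names are hypothetical and the two sample tables are constructed, using documentation addresses.

```shell
#!/bin/sh
# Added example: audit a /proc/net/tcp-format table for listening sockets.

# Read the table on stdin; print the decimal port of each LISTEN socket.
listening_tcp_ports() {
    while read -r _slot laddr _raddr state _rest; do
        [ "$state" = "0A" ] || continue   # 0A = TCP_LISTEN; header row is skipped too
        port_hex=${laddr##*:}             # "0100007F:0019" -> "0019"
        echo $((0x$port_hex))             # hex -> decimal
    done | sort -n -u
}

# Return 0 when nothing is listening, 1 (and name the ports) otherwise.
audit_no_listeners() {
    ports=$(listening_tcp_ports)
    if [ -z "$ports" ]; then
        echo "OK: no TCP ports in LISTEN state"
        return 0
    fi
    echo "WARNING: listening TCP ports:" $ports
    return 1
}

# Constructed sample: only an outbound connection (e.g. a package download).
sample_quiet() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:C350 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000     0        0 33333 1
EOF
}

# Constructed sample: the same host after two daemons were started.
sample_with_listeners() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 0F02000A:C350 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000     0        0 33333 1
EOF
}

# On a live Linux system: audit_no_listeners < /proc/net/tcp
sample_quiet | audit_no_listeners
sample_with_listeners | audit_no_listeners || true
```

The established outbound connection on local port 50000 is not reported, because only sockets waiting for incoming connections count as open ports. The same functions accept `/proc/net/tcp6`, since the port is always the field after the last colon.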