
Re: firewall



On Wed, Jul 4, 2012 at 6:04 PM, Brian <ad44@cityscape.co.uk> wrote:

> A commonly used phrase - military in origin, I imagine. One day I must
> investigate how a firewall can protect my mail server. Until then I will
> just continue to accept connections from anywhere.

I will give you an example of this. Your mailserver runs, say,
roundcube or some other webmail. You want port 80 (or 443) available
on your local LAN, but not to the internet. A perimeter firewall could
block access from outside your perimeter. Just as an example. Or for
that matter, you could insert imap/imaps, pop3/pop3s, etc.

>> get a piece of bad software that opens a vulnerability? And yes, that
>
> I'd rather you were specific here about the sort of vulnerability in the
> service you are thinking about but, talking in general and using Debian,
> the fix would become available, you would download it and move on. No
> problem, no fuss, no firewall needed.

Using the above example, suppose your mail server had to run sendmail
(I know, a stretch nowadays, but in the not-too-distant past, a
distinct possibility). Sendmail had a tradition of having more holes
than Swiss cheese, and vulnerabilities were fixed almost weekly. When
a new version was uploaded to the repos, I guarantee not all of the
holes had been fixed.

This is the concept of the 0day vulnerability. An unknown, unpublished
vulnerability. A firewall *might* help blunt a possible attack or
block an attack vector.

But it is a game of chances. As I have told people before, "Security
times usability is a constant: The only secure system is one that
is unplugged from the network, powered off, packed in concrete, and
fired into the sun...But at that point, it isn't very usable, is it?"

--b

> [Snip]
>
>> So a piece of bad software gets introduced into the repos. It could
>> happen...And having a firewall in place (an external firewall would
>> have the advantage of not being able to be turned off by said
>> malware).
>
> A firewall will not give protection from a software defect in a running
> service. Not unless you lock the service down so much it becomes
> useless.
>
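As an added example (not from this thread, Debian, or any of the quoted posters), here is an nftables ruleset that implements the policy discussed above: SMTP stays reachable from anywhere so mail can arrive, while webmail and the IMAP/POP3 ports are only reachable from the LAN. The LAN prefix 192.168.1.0/24 is an assumed placeholder; on a separate perimeter box the same rules would go in a forward-hook chain instead of input.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the thread. Assumes the LAN is
# 192.168.1.0/24 (placeholder); adjust to the real prefix.

flush ruleset

define lan = 192.168.1.0/24

table inet mailhost {
    chain input {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Drop packets conntrack cannot associate with a known flow,
        # then let replies to established connections through.
        ct state invalid drop
        ct state established,related accept

        iif lo accept
        meta l4proto { icmp, ipv6-icmp } accept

        # SMTP must be open to the world or inbound mail cannot arrive.
        tcp dport 25 accept

        # Webmail (80/443) and mailbox access (imap/imaps, pop3/pop3s)
        # are accepted only when the source is on the LAN.
        ip saddr $lan tcp dport { 80, 443, 143, 993, 110, 995 } accept

        # Rate-limited log of what gets refused, for later review.
        limit rate 5/minute log prefix "mailhost-drop: "
    }
}
```

Check the syntax without loading it with `nft -c -f mailhost.nft`, then apply with `nft -f mailhost.nft`.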