06-23-2008, 04:17 PM
Bruno Wolff III

Firewall and user services that need open ports

On Sun, Jun 22, 2008 at 16:53:10 -0400,
Chuck Anderson <cra@WPI.EDU> wrote:
>
> Why do we need a firewall when you can easily prevent services from
> being accessed...just stop the service! Don't bind to the port, and
> it won't be possible to connect to it.

Because there are network services that you only want accessible locally.

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
06-23-2008, 04:58 PM
Chuck Anderson

Firewall and user services that need open ports

On Mon, Jun 23, 2008 at 11:17:25AM -0500, Bruno Wolff III wrote:
> On Sun, Jun 22, 2008 at 16:53:10 -0400,
> Chuck Anderson <cra@WPI.EDU> wrote:
> >
> > Why do we need a firewall when you can easily prevent services from
> > being accessed...just stop the service! Don't bind to the port, and
> > it won't be possible to connect to it.
>
> Because there are network services that you only want accessible locally.

Right, but the default firewall rules don't do that. By default maybe
the firewall should be off.

 
06-23-2008, 05:48 PM
Andrew Farris

Firewall and user services that need open ports

Chuck Anderson wrote:
> On Mon, Jun 23, 2008 at 11:17:25AM -0500, Bruno Wolff III wrote:
> > On Sun, Jun 22, 2008 at 16:53:10 -0400,
> > Chuck Anderson <cra@WPI.EDU> wrote:
> > > Why do we need a firewall when you can easily prevent services from
> > > being accessed...just stop the service! Don't bind to the port, and
> > > it won't be possible to connect to it.
> >
> > Because there are network services that you only want accessible locally.
>
> Right, but the default firewall rules don't do that. By default maybe
> the firewall should be off.

Or maybe the default firewall rules shouldn't be wide open, but should be local
instead... with the understanding that most people who do not know how to
effectively change their firewall ruleset are going to be working in a small
home network.

I wouldn't argue the default firewall rules are perfect, but turning it off
doesn't help anything at all. You say it's just as good to turn the services
off... but it's not. The firewall is a layer of protection in place if the
service is started unintentionally, or if a breach takes place and an open port
is hijacked for unintended purposes. Yes SELinux handles that, but with the
popularity of turning that off after install (still lots of people seem to do
that) the firewall is still a useful protection.

And the firewall also gives you traffic control and stateful packet inspection
which is valuable in itself; any running service should have SPI protecting it
whether it's supposed to be open to the world or just local. Just preventing
ports from getting bound is not the same.


--
Andrew Farris <lordmorgul@gmail.com> www.lordmorgul.net
gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29

 
06-23-2008, 06:01 PM
Alexander Boström

Firewall and user services that need open ports

Mon 2008-06-23 at 12:58 -0400, Chuck Anderson wrote:

> Right, but the default firewall rules don't do that.

The default firewall doesn't filter anything on the loopback interface,
does it? Or do you mean traffic on an external interface but using a source
IP address of the host?

> By default maybe the firewall should be off.

Well, a firewall should only be an added protection. If you want a
caching nameserver locally then make sure it only binds to the loopback
interface even if you have a firewall. Same thing with sendmail. It only
listens locally by default, even though there's a firewall. That's how
it should be. Anything else is way too risky. A quick service iptables
stop shouldn't leave you wide open, just without a safety net.

It's probably good to have a firewall, but regular users need a good
tool to manage it. The question is, what range of options does it need
and how much of the configuration can be automated?

Some thoughts:

Not everyone would want the /proc/sys/net/ipv4/ip_local_port_range open
for UDP/TCP/SCTP, but it should be an option, perhaps the default.

Options for specific service-related ports such as ssh or VNC. (Btw,
VNC, security and usability is unfortunately a topic for a whole
thread.)

Profiles for "server", "desktop" and so on.

Manage both iptables and ip6tables together.

Open ports automatically based on running services? Then what's the
point?

Perhaps a built-in view of listening sockets?

With sane defaults, users installing a desktop machine shouldn't have to
care about the firewall. And on server machines the sane defaults should
mean you have fairly good protection and only need to open up things for
services you start.

But yes, the above can be done with SELinux as well. Maybe that
could actually provide a better user experience since you'd get error
messages when binding sockets instead of mostly silently dropped
packets.

/abo

 
06-23-2008, 06:56 PM
Callum Lerwick

Firewall and user services that need open ports

On Mon, Jun 23, 2008 at 1:01 PM, Alexander Boström <abo@kth.se> wrote:
> But yes, the above can be done with SELinux as well. Maybe that
> could actually provide a better user experience since you'd get error
> messages when binding sockets instead of mostly silently dropped
> packets.

Exactly my point. Rejecting the bind() call allows the app to present an
understandable error, within the context of the application. With an
interactive app it could provide a pretty GUI error dialog right then and
there. The API we need is there already. We're just not using it.


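As an added example, not code from the thread, from Fedora or from any of the posters, the C program below shows the two points made in Alexander Boström's and Callum Lerwick's posts: a local service binds explicitly to 127.0.0.1, so that a `service iptables stop` leaves it unreachable from other hosts rather than wide open, and a refused bind() is turned into a message in the application's own context instead of a silently dropped packet. The functions listen_on, bound_port, is_loopback_only and describe_bind_error are this example's own names; Linux/POSIX sockets are assumed.

```c
/*
 * Added example (not from the thread). A service that listens only on the
 * loopback address and reports bind() failures in its own words.
 * Build: cc -Wall -o localsvc localsvc.c
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a TCP listener on addr:port. Returns the fd on success or -errno on
 * failure. Port 0 asks the kernel for a free ephemeral port. */
int listen_on(const char *addr, unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1) {
        close(fd);
        return -EINVAL;
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int err = errno;          /* save before close() can clobber it */
        close(fd);
        return -err;
    }
    return fd;
}

/* Port the kernel actually assigned (needed after binding to port 0). */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    return ntohs(sa.sin_port);
}

/* 1 if the listener is bound inside 127.0.0.0/8, i.e. unreachable from other
 * hosts even with the firewall stopped; 0 for 0.0.0.0 or a real interface. */
int is_loopback_only(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return 0;
    return (ntohl(sa.sin_addr.s_addr) & 0xff000000u) == 0x7f000000u;
}

/* Map a -errno from listen_on() to the message a user should see. The errno
 * a refused bind() returns (EACCES for a privileged port or a policy denial
 * such as SELinux, EADDRINUSE for a port already taken) is the in-context
 * signal that a dropped packet never gives. */
const char *describe_bind_error(int neg_errno)
{
    switch (-neg_errno) {
    case EACCES:        return "not allowed to bind to this port (privileged port or policy denial)";
    case EADDRINUSE:    return "port is already in use by another listener";
    case EADDRNOTAVAIL: return "that address is not configured on this host";
    case EINVAL:        return "address is not a valid IPv4 address";
    default:            return strerror(-neg_errno);
    }
}

int main(void)
{
    int fd = listen_on("127.0.0.1", 0);
    if (fd < 0) {
        fprintf(stderr, "cannot start local service: %s\n", describe_bind_error(fd));
        return 1;
    }
    int port = bound_port(fd);
    printf("listening on 127.0.0.1:%d (loopback only: %s)\n",
           port, is_loopback_only(fd) ? "yes" : "no");

    /* A second instance on the same port is refused by bind() itself, and
     * the program can explain that in its own context. */
    int dup = listen_on("127.0.0.1", (unsigned short)port);
    if (dup < 0)
        printf("second instance: %s\n", describe_bind_error(dup));
    close(fd);
    return 0;
}
```

The check in is_loopback_only is what an audit of "listening sockets" (Alexander's suggested built-in view) would apply to every listener: anything bound to 0.0.0.0 or an interface address is relying on the firewall alone, anything in 127/8 is safe without it.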
 
