Old 05-05-2010, 08:24 AM
Yaakov Nemoy
 
Default Firewall

2010/5/5 Bastien Nocera <bnocera@redhat.com>:
> I'm already discussing this behind closed doors with a few people,
> including some RH security people. I'll restart the "negotiations" this
> week.

Why is this discussion happening in private?

-Yaakov
--
desktop mailing list
desktop@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/desktop
 
Old 05-05-2010, 09:05 AM
Bastien Nocera
 
Default Firewall

On Wed, 2010-05-05 at 10:24 +0200, Yaakov Nemoy wrote:
> 2010/5/5 Bastien Nocera <bnocera@redhat.com>:
> > I'm already discussing this behind closed doors with a few people,
> > including some RH security people. I'll restart the "negotiations" this
> > week.
>
> Why is this discussion happening in private?

Because it's already painful enough as it is. I'm not interested in a
mega-thread with everybody contributing, but nobody taking charge. I
want to have something concrete to present before asking for comments.

 
Old 05-05-2010, 08:46 PM
Will Woods
 
Default Firewall

On Wed, 2010-05-05 at 10:05 +0100, Bastien Nocera wrote:
> On Wed, 2010-05-05 at 10:24 +0200, Yaakov Nemoy wrote:
> > 2010/5/5 Bastien Nocera <bnocera@redhat.com>:
> > > I'm already discussing this behind closed doors with a few people,
> > > including some RH security people. I'll restart the "negotiations" this
> > > week.
> >
> > Why is this discussion happening in private?

There's nothing wrong with consulting with experts in private, coming up
with solid plans on your own, and then presenting those plans - or even
better, an implementation of those plans - to the community for review.

I think we'd all be better served if more ideas were developed this way:
research, then prototype, *then* discuss.

Starting with the discussion seems to get us nowhere, and you know what
they say about Design by Committee...

-w

 
Old 05-06-2010, 05:54 AM
charles zeitler
 
Default Firewall

Do what thou wilt
shall be the whole of the Law.


On 5/5/10, Bastien Nocera <bnocera@redhat.com> wrote:
> On Wed, 2010-05-05 at 10:24 +0200, Yaakov Nemoy wrote:
>> 2010/5/5 Bastien Nocera <bnocera@redhat.com>:
>> > I'm already discussing this behind closed doors with a few people,
>> > including some RH security people. I'll restart the "negotiations" this
>> > week.
>>
>> Why is this discussion happening in private?
>
> Because it's already painful enough as it is. I'm not interested in a
> mega-thread with everybody contributing,

<sarcasm>nope. you don't want too many contributions.....</sarcasm>

> but nobody taking charge.

doesn't seem to be a problem here.

> I
> want to have something concrete to present before asking for comments.

charles zeitler

Love is the law, love under will.
 
Old 05-06-2010, 06:22 AM
Christoph Wickert
 
Default Firewall

On Tuesday, 04.05.2010, 23:54 +0100, Bastien Nocera wrote:

> We really only block incoming communications right now, and it's
> probably as much of a security risk as opening all the ports, as far as
> I'm concerned.

Why is closing ports a security risk?

Regards,
Christoph

 
Old 05-06-2010, 07:04 AM
Rudolf Kastl
 
Default Firewall

2010/5/6 Christoph Wickert <christoph.wickert@googlemail.com>:
> On Tuesday, 04.05.2010, 23:54 +0100, Bastien Nocera wrote:
>
>> We really only block incoming communications right now, and it's
>> probably as much of a security risk as opening all the ports, as far as
>> I'm concerned.
>
> Why is closing ports a security risk?

You understood it wrongly... actually, only filtering incoming ports is
a one-sided thing. A real firewall setup filters both directions.
Turning filtering off completely though is even for a desktop a touch
decision. There are still people who do not have a NAT router but are
connected to the net directly, and filtering off by default will be a
security issue for their desktops... I am curious what argumentation
chain will come up to disable filtering completely by default and how
it doesn't help those users in having a more secure box by default,
even if they turn on some services for virtual machines or other
crosslinked boxes. Let's see.

kind regards,
Rudolf Kastl
rhce rhca rhcss rhcx

>
> Regards,
> Christoph
>
> --
> desktop mailing list
> desktop@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/desktop
>
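The point made above, that filtering only incoming connections is one-sided and that a desktop on a public address without a NAT router depends on the inbound default, can be made concrete with a small policy simulation. This is an added example, not code from the thread, from system-config-firewall or from any Fedora component; the three policies, the 192.168.122.0/24 host-only subnet for virtual machines, the egress port list and the sample connections are all constructed here. It also goes slightly beyond the post by showing how a service turned on for virtual machines can be scoped to that subnet instead of being opened to everyone.

```python
"""Toy stateful packet-filter policy evaluator (constructed example).

Compares three desktop policies on the same sample connections:
  - no filtering at all,
  - inbound-only filtering (the setup the post calls one-sided),
  - filtering in both directions with a small egress allowlist.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward this host) or "out" (from this host)
    peer: str        # remote address
    proto: str       # "tcp" or "udp"
    dport: int       # destination port of the packet
    state: str       # conntrack-style: "new" or "established"


@dataclass(frozen=True)
class Policy:
    name: str
    inbound_default: str                                   # "accept" or "drop"
    outbound_default: str                                  # "accept" or "drop"
    inbound_allow: Tuple[Tuple[str, str, int], ...] = ()   # (source network, proto, port)
    outbound_allow: Tuple[Tuple[str, int], ...] = ()       # (proto, port)


def evaluate(policy: Policy, pkt: Packet) -> str:
    """Return "accept" or "drop" for one packet under the given policy."""
    # Stateful filtering: packets of an already accepted connection pass in
    # either direction, so allowed egress still gets its replies back.
    if pkt.state == "established":
        return "accept"
    if pkt.direction == "in":
        peer = ip_address(pkt.peer)
        for net, proto, port in policy.inbound_allow:
            if peer in ip_network(net) and proto == pkt.proto and port == pkt.dport:
                return "accept"
        return policy.inbound_default
    for proto, port in policy.outbound_allow:
        if proto == pkt.proto and port == pkt.dport:
            return "accept"
    return policy.outbound_default


VM_SUBNET = "192.168.122.0/24"   # assumed host-only network for local virtual machines

NO_FILTER = Policy("no filtering", "accept", "accept")
# Inbound-only: ssh is reachable from the VM subnet only, but any new
# outbound connection is allowed, so egress is not controlled at all.
INBOUND_ONLY = Policy("inbound only", "drop", "accept",
                      inbound_allow=((VM_SUBNET, "tcp", 22),))
# Both directions: same inbound rule, plus an explicit egress allowlist.
BOTH_WAYS = Policy("both directions", "drop", "drop",
                   inbound_allow=((VM_SUBNET, "tcp", 22),),
                   outbound_allow=(("udp", 53), ("tcp", 80), ("tcp", 443)))

# Constructed sample traffic for a desktop with a public address (no NAT router).
SAMPLES: Dict[str, Packet] = {
    "ssh from internet":        Packet("in",  "203.0.113.7",    "tcp", 22,    "new"),
    "ssh from VM on host net":  Packet("in",  "192.168.122.15", "tcp", 22,    "new"),
    "https to web site":        Packet("out", "198.51.100.20",  "tcp", 443,   "new"),
    "reply to that https":      Packet("in",  "198.51.100.20",  "tcp", 51234, "established"),
    "unexpected outbound 6667": Packet("out", "198.51.100.99",  "tcp", 6667,  "new"),
}


def verdicts(policy: Policy) -> Dict[str, str]:
    """Evaluate every sample packet under one policy."""
    return {label: evaluate(policy, pkt) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for pol in (NO_FILTER, INBOUND_ONLY, BOTH_WAYS):
        print(f"{pol.name}:")
        for label, verdict in verdicts(pol).items():
            print(f"  {label:26s} {verdict}")
```

Under the inbound-only policy the unexpected outbound connection is accepted just like the HTTPS one, which is what makes that setup one-sided; the both-directions policy drops it while still letting the virtual machine on the host-only subnet reach ssh and letting established replies through.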
 
Old 05-06-2010, 07:05 AM
Rudolf Kastl
 
Default Firewall

2010/5/6 Rudolf Kastl <che666@gmail.com>:
> 2010/5/6 Christoph Wickert <christoph.wickert@googlemail.com>:
>> On Tuesday, 04.05.2010, 23:54 +0100, Bastien Nocera wrote:
>>
>>> We really only block incoming communications right now, and it's
>>> probably as much of a security risk as opening all the ports, as far as
>>> I'm concerned.
>>
>> Why is closing ports a security risk?
>
> You understood it wrongly... actually, only filtering incoming ports is
> a one-sided thing. A real firewall setup filters both directions.
> Turning filtering off completely though is even for a desktop a touch

I meant tough of course. *slowly wakes up*

> decision. There are still people who do not have a NAT router but are
> connected to the net directly, and filtering off by default will be a
> security issue for their desktops... I am curious what argumentation
> chain will come up to disable filtering completely by default and how
> it doesn't help those users in having a more secure box by default,
> even if they turn on some services for virtual machines or other
> crosslinked boxes. Let's see.
>
> kind regards,
> Rudolf Kastl
> rhce rhca rhcss rhcx
>
>>
>> Regards,
>> Christoph
>>
>> --
>> desktop mailing list
>> desktop@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/desktop
>>
>
 
Old 05-07-2010, 08:48 AM
Yaakov Nemoy
 
Default Firewall

2010/5/5 Bastien Nocera <bnocera@redhat.com>:
> On Wed, 2010-05-05 at 10:24 +0200, Yaakov Nemoy wrote:
>> 2010/5/5 Bastien Nocera <bnocera@redhat.com>:
>> > I'm already discussing this behind closed doors with a few people,
>> > including some RH security people. I'll restart the "negotiations" this
>> > week.
>>
>> Why is this discussion happening in private?
>
> Because it's already painful enough as it is. I'm not interested in a
> mega-thread with everybody contributing, but nobody taking charge. I
> want to have something concrete to present before asking for comments.

I can definitely understand why you want to do things this way. Given
a lot of the 'discussion' going on around several mailing lists, I
think that in order to solve the problems you're looking to solve,
it's probably more efficient to do it this way. That said, it seems to
go completely against what we talk about regarding how open source
development should be done as much in the open as possible. I don't
mean to be critical of you, or that you're willing to Get Shit Done
(tm), but it really makes me wonder that if you have to resort to
internal-to-RH development to avoid having your time grossly wasted,
what are we doing wrong in Fedora in general.

-Yaakov
 
Old 05-07-2010, 10:12 AM
Bastien Nocera
 
Default Firewall

----- "Yaakov Nemoy" <loupgaroublond@gmail.com> wrote:
> I can definitely understand why you want to do things this way. Given
> a lot of the 'discussion' going on around several mailing lists, I
> think that in order to solve the problems you're looking to solve,
> it's probably more efficient to do it this way. That said, it seems to
> go completely against what we talk about regarding how open source
> development should be done as much in the open as possible. I don't
> mean to be critical of you, or that you're willing to Get Shit Done
> (tm), but it really makes me wonder that if you have to resort to
> internal-to-RH development to avoid having your time grossly wasted,
> what are we doing wrong in Fedora in general.

This is definitely not a RH-only thing. I just knew that I would get the answers I needed from the people I mailed.

If you must know, I mailed Lennart (for Avahi), Dan Williams (for NetworkManager), Thomas Woerner (system-config-firewall maintainer), the man responsible for security policies in RHEL (so we get buy-in, and engineering time if necessary), and a few others.

I knew that those people would end up being the ones doing the work, if we could agree on something, so it's only fair that they are included in the discussions, and I didn't want people to tell me what colour the shed should be painted.

To be honest, this is also a harder discussion than some others for the desktop, because the interaction and security needs are tightly bound together (I'm trying to get fewer popups and dialogues, but security guys want everything vouched for by the user), so we're trying to find technical ways to make the UI better, which is certainly not the best way to go about things.

Right now, it's mostly been quite uninteresting, but I'll make sure to drop a mail on fedora-devel if and when we want to make the changes.

Cheers
 
Old 05-07-2010, 11:12 AM
Yaakov Nemoy
 
Default Firewall

2010/5/7 Bastien Nocera <bnocera@redhat.com>:
> ----- "Yaakov Nemoy" <loupgaroublond@gmail.com> wrote:
>> I can definitely understand why you want to do things this way. Given
>> a lot of the 'discussion' going on around several mailing lists, I
>> think that in order to solve the problems you're looking to solve,
>> it's probably more efficient to do it this way. That said, it seems to
>> go completely against what we talk about regarding how open source
>> development should be done as much in the open as possible. I don't
>> mean to be critical of you, or that you're willing to Get Shit Done
>> (tm), but it really makes me wonder that if you have to resort to
>> internal-to-RH development to avoid having your time grossly wasted,
>> what are we doing wrong in Fedora in general.
>
> This is definitely not a RH-only thing. I just knew that I would get the answers I needed from the people I mailed.
>
> If you must know, I mailed Lennart (for Avahi), Dan Williams (for NetworkManager), Thomas Woerner (system-config-firewall maintainer), the man responsible for security policies in RHEL (so we get buy-in, and engineering time if necessary), and a few others.
>
> I knew that those people would end up being the ones doing the work, if we could agree on something, so it's only fair that they are included in the discussions, and I didn't want people to tell me what colour the shed should be painted.
>
> To be honest, this is also a harder discussion than some others for the desktop, because the interaction and security needs are tightly bound together (I'm trying to get fewer popups and dialogues, but security guys want everything vouched for by the user), so we're trying to find technical ways to make the UI better, which is certainly not the best way to go about things.
>
> Right now, it's mostly been quite uninteresting, but I'll make sure to drop a mail on fedora-devel if and when we want to make the changes.

Thanks for being transparent. I do believe you are trying to do what's
best, and I appreciate it in every way.

-Yaakov
 