[PLUG] VNC, SSH, and iptables [was: Transferring mozilla mail and newsgroup settings from linux to windows]

William Kenworthy billk at iinet.net.au
Sun May 9 20:42:24 WST 2004


After recently watching then saying my piece on the gentoo lists about
this I'll bite:

Defence in depth!  Yes a machine can be made secure (and should be
within reason) without a firewall, but:

If you can guarantee, perfectly, that you or anyone else will never, ever
misconfigure your system, run an anonymous ftp server accidentally,
never use xhost+ when fault finding, never install a webserver (I am
thinking of zope, cups, CDWebwriter and numerous other "helpful"
applications - are you sure, very sure, and re-check every time you
change something they are only locally accessible?), never use a browser
(i.e., the recent posts about wine running a doze trojan),  then you may
possibly temporarily make do without a firewall - but please think of
fellow web users and treat the machine as unclean, and untrusted - for
example would you trust your internet banking to this machine knowing
that it could be open?

A firewall isn't perfect, and neither is any other method short of
pulling the network cable and never attaching it again - do the sums and
you will find a firewall is a small investment in time (and zero dollars
in the case of linux) with a possibly huge benefit - treat it like
insurance - one day you may be glad that you have it, and in all
likelihood you may never notice the protection that it has given you.

It is also worth mentioning the logging capabilities of a firewall which
is a powerful tool for security and monitoring as well.

BillK

On Sun, 2004-05-09 at 19:53, James Devenish wrote:
> In message <20040509114422.1A1314160BE at ws5-2.us4.outblaze.com>
> on Sun, May 09, 2004 at 07:44:22PM +0800, Ari Finander wrote:
> > 1. Open a hole in the Fedora firewall for SSH (putty) from my laptop.
> 
> I would be disturbed if Fedora actually needed a firewall by default, as
> operating systems with sane defaults don't need firewalls by default
> (everyone probably disagrees with me, and I would be interested to know
> the counterarguments, as 'personal firewalls' seem like some sort of fad
> to me).
> 
