[PLUG] VNC, SSH, and iptables [was: Transferring mozilla mail and newsgroup settings from linux to windows]

James Devenish devenish at guild.uwa.edu.au
Mon May 10 07:47:24 WST 2004


I suspect it's not worth following up after Bill's latest post, but on
the other hand there were some specific questions raised:

In message <20040509152616.GB11030 at patrick.wattle.id.au>
on Sun, May 09, 2004 at 11:26:16PM +0800, Cameron Patrick wrote:
> Why is "allow all connections from inside the firewall" a particularly
> security-defeating approach?

Someone mentioned an idea about being "courteous" to other Internet
users. The above would not fall into the "courteous" category, since it
does not protect other users from a compromised machine. It also doesn't
stop applications from "phoning home" and it doesn't stop Internet media
clients from downloading content without your consent. I'm not saying
it's not useful (you'd be pretty stuck if you couldn't make outbound
connections!), but that you're facilitating the sort of behaviour that
exists in the absence of your firewall.

> it does provide real protection against outsiders accessing insecure
> or poorly configured servers running on the local machine.

Coming back to one of my points: I would be disturbed if Fedora's
defaults were so bad that it benefits from a firewall (e.g. if you
install CUPS, how is it configured?). So, the firewall might then be
useful for people who are 'experimenting' with daemons. If you're
running Zope to learn it on your localhost, you should be able to rely
on its default configuration. If you're running it for the benefit of
the Internet, you're going to want to defeat your firewall anyway. If
you're running it for use only on your local Internet, then you need to
start getting sophisticated (how do I allow access to some users and not
others?, etc.), and you need to configure a 'firewall' specifically for
this -- and remember, my beef is with personal-firewalls-by-default.

> | About the only worthwhile excuse for a personal firewall that springs to
> | my mind is to protect against programming errors in file sharing
> | services.
> I'm afraid I can't really see where you're coming from here; your
> mention of "file sharing services" is rather vague and I can't see how
> it is related to firewalls.

For an example, see your own comment:

> For example, it's quite likely that a stock Debian system used as a
> desktop will be running a portmap daemon...NFS
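The two firewall styles argued over above, as an added example that is not part of the original post or thread: one iptables-restore ruleset that filters inbound only (the "allow all connections from inside" approach), and one that also puts a default-deny policy on OUTPUT with a short allow-list, so that a compromised process or an application "phoning home" is logged and dropped rather than silently let out. The rulesets, the resolver address 192.0.2.53 (a TEST-NET placeholder), the allow-listed ports and the helper functions are all constructed for this example; `outbound_allowed` is a small awk check over the ruleset text, not a call into iptables, so the script runs without root.

```shell
#!/bin/sh
# Constructed example: two iptables-restore rulesets for one workstation.
# permissive_ruleset: inbound filtered, OUTPUT policy ACCEPT (nothing
# leaving the host is ever inspected).
# egress_ruleset: OUTPUT policy DROP plus an allow-list; everything else
# is logged (rate-limited) and dropped.

permissive_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

egress_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS only to the configured resolver (192.0.2.53 is a placeholder),
# then web, SSH and NTP. Add services deliberately, one at a time.
-A OUTPUT -p udp --dport 53 -d 192.0.2.53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
# Log before dropping: an unexpected "egress-deny" line in syslog is how
# you notice a daemon or media client talking out without your consent.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-deny: "
-A OUTPUT -j DROP
COMMIT
EOF
}

# Print the OUTPUT chain's default policy from a ruleset read on stdin.
output_policy() {
  sed -n 's/^:OUTPUT \([A-Z]*\).*/\1/p'
}

# Decide whether a new outbound connection would be permitted by the
# ruleset on stdin.  Usage: egress_ruleset | outbound_allowed tcp 443
# Returns 0 (allowed) if the policy is ACCEPT or an OUTPUT ACCEPT rule
# for that protocol lists the port in --dport/--dports; otherwise 1.
outbound_allowed() {
  proto=$1
  port=$2
  awk -v p="$proto" -v d="$port" '
    /^:OUTPUT ACCEPT/ { policy_accept = 1 }
    /^-A OUTPUT / && /-j ACCEPT/ && $0 ~ ("-p " p " ") {
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport" || $i == "--dports") {
          n = split($(i + 1), ports, ",")
          for (j = 1; j <= n; j++) if (ports[j] == d) found = 1
        }
      }
    }
    END { exit (policy_accept || found) ? 0 : 1 }'
}

# Stand-alone demo: "sh egress.sh demo" prints the restrictive ruleset
# (load it with: egress_ruleset | iptables-restore, as root, after review).
if [ "${1:-}" = "demo" ]; then
  egress_ruleset
fi
```

The permissive ruleset is what a stock "personal firewall" typically installs; it answers the question of outsiders reaching a badly configured local daemon but says nothing about what the host itself initiates. The egress ruleset costs some upkeep (every new service needs a rule) but turns "phoning home" from invisible into a logged, dropped event.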