[PLUG] VNC, SSH, and iptables [was: Transfering mozilla mail and newsgroup settings from linux to windows]
Bill Kenworthy
billk at iinet.net.au
Mon May 10 09:29:21 WST 2004
On Mon, 2004-05-10 at 07:47, James Devenish wrote:
> I suspect it's not worth follow up after Bill's latest post, but on
> the other hand there were some specific questions raised:
>
> In message <20040509152616.GB11030 at patrick.wattle.id.au>
> on Sun, May 09, 2004 at 11:26:16PM +0800, Cameron Patrick wrote:
> > Why is "allow all connections from inside the firewall" a particularly
> > security-defeating approach?
>
I agree that this is a problem with all the iptables configs (inc mine) I
have seen. I think there are enough modules available for iptables now
to build packet inspection and also verify application requests for
network access, but I have not come across any implementations yet.
Perhaps someone here can list:
a) scripts that can per application allow ports as they are requested
(seen this in the past for ipchains, but not iptables)
b) scripts that can examine outgoing packets for text strings such as
name and address info - not sure how much use this is as applications
that do this would probably encrypt the info these days, but it has
other uses as well.
...
> Coming back to one of my points: I would be disturbed if Fedora's
> defaults were so bad that it benefits from a firewall (e.g. if you
> install CUPS, how is it configured?). So, the firewall might then be
Mistakes happen - you hope that manufacturers do vet each application
for this, but they are only human too - the number of security alerts
for each distro is evidence that this aspect is not easy!
BillK
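An added example, not from this thread or its authors, of the kind of egress policy Bill asks about: a default-deny OUTPUT chain with per-user allows via iptables' owner match (the closest iptables gets to per-application allows, by running each application as its own uid) and a string match that logs outgoing packets carrying a marker string. The unix user name and the marker string are assumed placeholders; the script prints the rules by default and only applies them when IPT is set to the real iptables binary.

```shell
#!/bin/sh
# Added example: default-deny egress on the OUTPUT chain, per-uid allows
# via the owner match, and a string match that logs outgoing packets
# containing an assumed marker. Dry-run by default (rules are echoed);
# run with IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# Assumed placeholders: a dedicated unix user the mail client runs as,
# and a marker string that should never leave the host in clear text.
MAIL_UID="${MAIL_UID:-mailuser}"
LEAK_MARKER="${LEAK_MARKER:-ACME-INTERNAL}"

egress_rules() {
    # Start from a clean OUTPUT chain and refuse by default: the opposite
    # of "allow all connections from inside the firewall".
    $IPT -F OUTPUT
    $IPT -P OUTPUT DROP

    # Loopback and replies on already-established flows are always fine.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log any outgoing packet whose payload contains the marker, placed
    # before the accept rules so a leak is visible regardless of port.
    $IPT -A OUTPUT -m string --algo bm --string "$LEAK_MARKER" \
         -j LOG --log-prefix "EGRESS-MARKER: "

    # Per-application allow, approximated by the uid the application
    # runs as: only the mail client's user may open SMTP/IMAP connections.
    $IPT -A OUTPUT -p tcp --dport 25  -m owner --uid-owner "$MAIL_UID" -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 143 -m owner --uid-owner "$MAIL_UID" -j ACCEPT

    # DNS for every uid, since nearly every application needs it.
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT

    # Anything else is logged (rate limited) and then hits the DROP policy.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY: "
}

# Number of append rules the policy emits; useful for checking a dry run.
rule_count() { egress_rules | grep -c -- '-A OUTPUT'; }

egress_rules
```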