[linux-elitists] Integrating the firewall and the package manager?

Mark van Walraven mvw@wave.co.nz
Wed Apr 13 01:34:49 PDT 2005


On Tue, Apr 12, 2005 at 11:28:06AM -0700, Don Marti wrote:
> Basically, the system boots up with all tables default
> DROP.  Then, when any daemon starts, its init script
> is responsible for setting up any rules necessary
> for it to do its job.  If you start a local-only

I will raise a dissenting hand - I like having firewall rules hand-
configured, so that when I (or any green "sysadmin" I have to pick up the
pieces after) installs xdilbert[1] and dependencies pull in foo-server[2],
I'm not exposing/allowing more services than I think I am to the world.

Defense in depth, Hamming distance to vulnerability, rah, rah.  A
handwave, obviously but please think of the number of systems that have
apache or wu-ftpd installed unnecessarily.

Disclaimer: I am one of the very few people in the world that thinks
that /etc/init.d/iptables is a good idea ...

[1] Made up.

[2] The one that slipped in with ./configure --do-it-to-me-baby, fixed
    in the source upload but still waiting for the buildds to catch up.

Cheers,

Mark.



More information about the linux-elitists mailing list