[linux-elitists] Integrating the firewall and the package manager?

Karsten M. Self kmself@ix.netcom.com
Wed Apr 13 02:05:35 PDT 2005


on Wed, Apr 13, 2005 at 08:34:49PM +1200, Mark van Walraven (mvw@wave.co.nz) wrote:
> On Tue, Apr 12, 2005 at 11:28:06AM -0700, Don Marti wrote:
> > Basically, the system boots up with all tables default
> > DROP.  Then, when any daemon starts, its init script
> > is responsible for setting up any rules necessary
> > for it to do its job.  If you start a local-only
> 
> I will raise a dissenting hand - I like having firewall rules hand-
> configured, so that when I (or any green "sysadmin" I have to pick up the
> pieces after) installs xdilbert[1] and dependencies pull in foo-server[2],
> I'm not exposing/allowing more services than I think I am to the world.

Sure, but you, sir, are special.  You're elite.  You're not the hoi
polloi.

Them folks, though, gots to have their systems done right for them.
That's where Don's concept is golden.  Allowing for an override
(/etc/defaults, anyone) to disable automated firewall rules is going to
have to be there.  But out of the box it should Just Work[tm].

The other win is for enterprise systems, where a automated firewall
ruleset simplifies things -- you _know_ what the default situation is,
rather than having to crawl through fnord knows how many lines of bash /
Perl / Ruby / Python or other scripting flavor of the month.
 
> Defense in depth, Hamming distance to vulnerability, rah, rah.  A
> handwave, obviously but please think of the number of systems that
> have apache or wu-ftpd installed unnecessarily.

Sane defaults.  Is Ubuntu among those which do?



Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    The Earth *is* flat.  But Mars is sharp and Venus is in tune, which
    makes up for it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://allium.zgp.org/pipermail/linux-elitists/attachments/20050413/30ab2a47/attachment.pgp 


More information about the linux-elitists mailing list