[linux-elitists] Integrating the firewall and the package manager?

Martin Pool mbp@sourcefrog.net
Wed Apr 13 04:53:54 PDT 2005


On Wed, 2005-04-13 at 02:05 -0700, Karsten M. Self wrote:
> on Wed, Apr 13, 2005 at 08:34:49PM +1200, Mark van Walraven (mvw@wave.co.nz) wrote:
> > On Tue, Apr 12, 2005 at 11:28:06AM -0700, Don Marti wrote:
> > > Basically, the system boots up with all tables default
> > > DROP.  Then, when any daemon starts, its init script
> > > is responsible for setting up any rules necessary
> > > for it to do its job.  If you start a local-only

Nice idea.  If there is a flaw it is this: firewall rules are often seen
as a check that no extra services got started accidentally.  At least on
Debian it has happened several times that installing or upgrading a
package will cause the daemon to start when I didn't want it.  So
automatically allowing connections would partially defeat the point.

What might be nice is to have the daemon claim responsibility for those
ports, so some kind of interface can say "do you want to allow
connections", or "this daemon can't be used because..."

> > Defense in depth, Hamming distance to vulnerability, rah, rah.  A
> > handwave, obviously, but please think of the number of systems that
> > have apache or wu-ftpd installed unnecessarily.
> 
> Sane defaults.  Is Ubuntu among those which do?

I'm pretty sure neither is installed and no ports are listening by
default.  (But I have not done a fresh install just to check.)

-- 
Martin
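The default-DROP-then-open-per-daemon scheme discussed in the thread, with the check Martin is asking for (a daemon records which ports it claims, and an audit flags any listening socket nobody claimed), as an added example that is not part of the original post or of any distribution's init scripts. It assumes iptables and `ss -ltn`-style output; the iptables commands are echoed through the `IPT` variable so the script runs offline (set `IPT=iptables` on a real host), and the claims file path and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): default-DROP baseline, per-daemon
# port claims, and an audit of listeners against those claims.

# Echo the iptables commands by default so this can be read and run
# without touching a live ruleset; set IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"

# Where claims are recorded, one "daemon proto port" line per claim.
CLAIMS="${CLAIMS:-/tmp/port-claims.$$}"

# Baseline: drop everything inbound except loopback and replies to
# connections this host opened.
firewall_baseline() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Called from a daemon's init script: claim_port <daemon> <tcp|udp> <port>.
# The claim is written down first, then the hole is opened, so the audit
# below always knows which daemon asked for which port.
claim_port() {
    printf '%s %s %s\n' "$1" "$2" "$3" >> "$CLAIMS"
    $IPT -A INPUT -p "$2" --dport "$3" -j ACCEPT
}

# Audit: read "ss -ltn"-style lines on stdin (header line is skipped
# because its first field is not LISTEN) and print every listening port
# with no matching claim.  Returns 1 if anything unclaimed was found, so
# a package upgrade that silently started a daemon shows up here even
# though the firewall never opened a port for it.
audit_listeners() {
    proto="${1:-tcp}"
    unclaimed=0
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port="${laddr##*:}"          # works for 0.0.0.0:22 and [::]:22
        if ! grep -q " $proto $port\$" "$CLAIMS" 2>/dev/null; then
            echo "UNCLAIMED: $proto/$port ($laddr)"
            unclaimed=1
        fi
    done
    return $unclaimed
}

# Stand-alone demo on constructed ss output: run as "sh thisfile demo".
if [ "${1:-}" = "demo" ]; then
    CLAIMS=$(mktemp); export CLAIMS
    firewall_baseline
    claim_port sshd tcp 22
    printf 'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\nLISTEN 0 128 0.0.0.0:80 0.0.0.0:*\n' \
        | audit_listeners || echo "audit: unclaimed listener(s) present"
    rm -f "$CLAIMS"
fi
```

In the demo, port 22 was claimed by sshd and passes, while the constructed listener on port 80 is reported as unclaimed; on a real host the same audit would be fed by `ss -ltn | audit_listeners` from cron or at the end of boot.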
