[linux-elitists] Integrating the firewall and the package manager?

Karsten M. Self kmself@ix.netcom.com
Wed Apr 13 12:50:37 PDT 2005


on Wed, Apr 13, 2005 at 09:53:54PM +1000, Martin Pool (mbp@sourcefrog.net) wrote:
> On Wed, 2005-04-13 at 02:05 -0700, Karsten M. Self wrote:
> > on Wed, Apr 13, 2005 at 08:34:49PM +1200, Mark van Walraven (mvw@wave.co.nz) wrote:
> > > On Tue, Apr 12, 2005 at 11:28:06AM -0700, Don Marti wrote:
> > > > Basically, the system boots up with all tables default
> > > > DROP.  Then, when any daemon starts, its init script
> > > > is responsible for setting up any rules necessary
> > > > for it to do its job.  If you start a local-only
> 
> Nice idea.  If there is a flaw, it is this: firewall rules are often seen
> as a check that no extra services got started accidentally.

You're an elitist:

    # netstat -lvp

> At least on Debian it has happened several times that installing or
> upgrading a package will cause the daemon to start when I didn't want
> it.  So automatically allowing connections would partially defeat the
> point.

Once you've got automated FW rules, a control panel facility to view
open ports (and associated services) becomes trivial.  Which addresses
the non-elitist crowd, largely.

What are you doing allowing new services to be installed w/o checking?
Sounds like sloppiness on your part.
 
> What might be nice is to have the daemon claim responsibility for
> those ports, so some kind of interface can say "do you want to allow
> connections", or "this daemon can't be used because..."

Right, and a FW override option.  With enough smarts that if you *do*
install the service, you're also informed that it won't run properly
because of the FW port blocking.

Another nice-to-have would be a wrapper that lets you test services and
find out what, if any, FW rules are interfering with their operation.
I'm thinking of auto-apt and its 'run' option which detects access to
files known to the package management system.
 
> > > Defense in depth, Hamming distance to vulnerability, rah, rah.  A
> > > handwave, obviously but please think of the number of systems that
> > > have apache or wu-ftpd installed unnecessarily.
> > 
> > Sane defaults.  Is Ubuntu among those which do?
> 
> I'm pretty sure neither is installed and no ports are listening by
> default.  (But i have not done a fresh install just to check.)

Actually, no ports by default; I had to add/install ssh to get a daemon
running.  Also no FW, which the Wiki justifies on the grounds that there
are no services by default.  Something of a cop-out; Don's suggestion
would be a nice way of addressing this.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Iomega:  click of death, Jaz Junk, and now, NAS?  Not!
     http://www.google.com/search?q=iomega+jaz+drive+failure
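The two halves of the scheme discussed above (an init script opening its
own port against a default-DROP INPUT chain, and a cross-check that nothing
is listening without a matching rule) sketched as a POSIX shell example.
This is added here and is not code from the thread or from any
distribution's init system; the function names fw_cmd, listeners and
audit_listeners, and the sample netstat -lnp output, are constructed for
the example.  Listeners bound to 127.0.0.1 or ::1 are treated as
local-only and need no rule, which is the case Don's original message
was getting at.

```shell
#!/bin/sh
# Added example (not from the thread or any distro's init scripts).
# 1. fw_cmd: the iptables change a daemon's init script runs on start/stop
#    to open or close its own port, assuming INPUT defaults to DROP.
# 2. audit_listeners: the cross-check from the discussion, comparing what is
#    actually listening (netstat -lnp output) against the ports the init
#    scripts opened.  Anything listening on a non-loopback address with no
#    ACCEPT rule is reported, e.g. a daemon a package upgrade started.

# fw_cmd start|stop PROTO PORT -> prints the iptables command for that daemon's port.
fw_cmd() {
    case "$1" in
        start) op=-A ;;
        stop)  op=-D ;;
        *)     echo "usage: fw_cmd start|stop proto port" >&2; return 1 ;;
    esac
    echo "iptables $op INPUT -p $2 --dport $3 -m state --state NEW -j ACCEPT"
}

# listeners: reduce "netstat -lnp" output on stdin to "proto port program" lines,
# skipping header lines and sockets bound only to loopback (no rule needed there).
listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $4 !~ /^(127\.0\.0\.1|::1):/ {
        n = split($4, a, ":"); port = a[n];
        proto = substr($1, 1, 3);
        prog = $NF; sub(/^[0-9]+\//, "", prog);
        print proto, port, prog
    }'
}

# audit_listeners ALLOWED NETSTAT_OUTPUT -> prints each listener with no ACCEPT rule.
# ALLOWED is newline-separated "proto port" pairs, i.e. what fw_cmd opened this boot.
audit_listeners() {
    allowed=$1
    printf '%s\n' "$2" | listeners | while read -r proto port prog; do
        printf '%s\n' "$allowed" | grep -qx "$proto $port" || echo "$proto $port $prog"
    done
}

# Constructed sample of "netstat -lnp" output: apache2 was pulled in by a
# package upgrade and started, but no init script opened port 80 for it.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/exim4
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2222/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           890/dhclient'

# What the init scripts opened via fw_cmd on this boot (exim4 is loopback-only).
ALLOWED='tcp 22
udp 68'

demo() {
    fw_cmd start tcp 22
    echo "listening without a firewall rule:"
    audit_listeners "$ALLOWED" "$SAMPLE_NETSTAT"
}
```

Run demo to see the ACCEPT rule sshd's init script would add and the one
unexpected listener (apache2 on tcp/80).  On a live box, replace
SAMPLE_NETSTAT with the real netstat -lnp output and derive ALLOWED from
iptables -S INPUT; the wrapper idea from the message above is the same
audit run the other way round, starting from the service rather than the
rule table.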