[linux-elitists] Integrating the firewall and the package manager?
Karsten M. Self
Wed Apr 13 12:50:37 PDT 2005
on Wed, Apr 13, 2005 at 09:53:54PM +1000, Martin Pool (email@example.com) wrote:
> On Wed, 2005-04-13 at 02:05 -0700, Karsten M. Self wrote:
> > on Wed, Apr 13, 2005 at 08:34:49PM +1200, Mark van Walraven (firstname.lastname@example.org) wrote:
> > > On Tue, Apr 12, 2005 at 11:28:06AM -0700, Don Marti wrote:
> > > > Basically, the system boots up with all tables default
> > > > DROP. Then, when any daemon starts, its init script
> > > > is responsible for setting up any rules necessary
> > > > for it to do its job. If you start a local-only
> Nice idea. If there is a flaw, it is this: firewall rules are often seen
> as a check that no extra services got started accidentally.
You're an elitist:
# netstat -lvp
> At least on Debian it has happened several times that installing or
> upgrading a package will cause the daemon to start when I didn't want
> it. So automatically allowing connections would partially defeat the
Once you've got automated FW rules, a control panel facility to view
open ports (and associated services) becomes trivial. Which addresses
the non-elitist crowd, largely.
What are you doing allowing new services to be installed w/o checking?
Sounds like sloppiness on your part.
> What might be nice is to have the daemon claim responsibility for
> those ports, so some kind of interface can say "do you want to allow
> connections", or "this daemon can't be used because..."
Right, and a FW override option. With enough smarts that if you *do*
install the service, you're also informed that it won't run properly
because of the FW port blocking.
Another nice-to-have would be a wrapper that lets you test services and
find out what, if any, FW rules are interfering with their operation.
I'm thinking of auto-apt and its 'run' option which detects access to
files known to the package management system.
> > > Defense in depth, Hamming distance to vulnerability, rah, rah. A
> > > handwave, obviously but please think of the number of systems that
> > > have apache or wu-ftpd installed unnecessarily.
> > Sane defaults. Is Ubuntu among those which do?
> I'm pretty sure neither is installed and no ports are listening by
> default. (But i have not done a fresh install just to check.)
Actually, no ports by default; I had to add/install ssh to get a daemon
running. Also no FW, which the Wiki justifies on the grounds that there
are no services by default. Something of a cop-out; Don's suggestion
would be a nice way of addressing this.
Karsten M. Self <email@example.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Iomega: click of death, Jaz Junk, and now, NAS? Not!
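An added example, not code from the linux-elitists thread or from any distribution's init system: a POSIX sh sketch of Don's scheme (INPUT defaults to DROP at boot, each daemon's init script opens only its own ports) together with the check Martin wants, a listing of sockets that are listening but have no matching rule, derived from `netstat -lnp` output. The SERVICES chain, the `svc:` comment tag, the FW_DRY_RUN knob and the function names are this example's own conventions; the iptables-save excerpt and netstat lines in the demo are constructed.

```shell
#!/bin/sh
# Added example: default-DROP firewall with per-daemon hole punching, plus an
# audit of listening sockets that no rule permits. SERVICES, svc:, FW_DRY_RUN
# and the function names are assumptions of this example, not distro conventions.

# Run iptables, or just print the command when FW_DRY_RUN=1 (no root needed).
fw_run() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Boot-time baseline: drop everything inbound except loopback and replies to
# traffic we started. Daemons later add one ACCEPT each to the SERVICES chain.
fw_baseline() {
    fw_run iptables -P INPUT DROP
    fw_run iptables -P FORWARD DROP
    fw_run iptables -F INPUT
    fw_run iptables -A INPUT -i lo -j ACCEPT
    fw_run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw_run iptables -N SERVICES
    fw_run iptables -A INPUT -j SERVICES
}

# fw_open NAME PROTO PORT [SOURCE]: for the "start" branch of an init script.
# The comment match records which service owns the hole so an audit can map
# an open port back to its daemon. fw_close is the "stop" mirror image.
fw_open() {
    fw_run iptables -A SERVICES -p "$2" --dport "$3" -s "${4:-0.0.0.0/0}" \
        -m comment --comment "svc:$1" -j ACCEPT
}
fw_close() {
    fw_run iptables -D SERVICES -p "$2" --dport "$3" -s "${4:-0.0.0.0/0}" \
        -m comment --comment "svc:$1" -j ACCEPT
}

# Extract "proto port" for every SERVICES rule from iptables-save output.
fw_allowed_from_save() {
    awk '$1 == "-A" && $2 == "SERVICES" {
        p = ""; d = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") p = $(i + 1)
            if ($i == "--dport") d = $(i + 1)
        }
        if (p != "" && d != "") print p, d
    }' "$1"
}

# Turn `netstat -lnp` output into "proto port program" lines (tcp6 -> tcp).
fw_listening_from_netstat() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        proto = $1; sub(/6$/, "", proto)
        n = split($4, a, ":"); port = a[n]
        prog = $NF; sub(/^[0-9]+\//, "", prog)
        print proto, port, prog
    }' "$1"
}

# fw_audit ALLOWED_FILE LISTENING_FILE: report sockets with no matching rule.
# Under default DROP these daemons are unreachable: either something an
# upgrade started behind your back, or a service you installed that needs
# its init script to open a hole before it is usable.
fw_audit() {
    while read -r proto port prog; do
        [ -n "$proto" ] || continue
        grep -q "^$proto $port\$" "$1" ||
            printf '%s/%s (%s) is listening but no SERVICES rule allows it\n' \
                "$proto" "$port" "$prog"
    done < "$2"
}

# Demo on constructed data, no iptables calls: `sh thisfile.sh demo`.
fw_demo() {
    save=$(mktemp); lst=$(mktemp); ok=$(mktemp); parsed=$(mktemp)
    printf '%s\n' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A SERVICES -p tcp -m tcp --dport 22 -m comment --comment svc:sshd -j ACCEPT' > "$save"
    printf '%s\n' \
        'tcp        0      0 0.0.0.0:22        0.0.0.0:*    LISTEN    812/sshd' \
        'tcp6       0      0 :::80             :::*         LISTEN    901/apache2' \
        'udp        0      0 0.0.0.0:53        0.0.0.0:*              655/named' > "$lst"
    fw_allowed_from_save "$save" > "$ok"
    fw_listening_from_netstat "$lst" > "$parsed"
    fw_audit "$ok" "$parsed"
    rm -f "$save" "$lst" "$ok" "$parsed"
}

if [ "${1:-}" = demo ]; then
    (FW_DRY_RUN=1; fw_baseline; fw_open sshd tcp 22)
    fw_demo
fi
```

In the demo only sshd has a rule, so the audit flags apache2 on tcp/80 and named on udp/53 as listening but blocked, which is exactly the "did an upgrade start a daemon I didn't want?" question answered from the rule set rather than by eyeballing `netstat`. The `-m comment` match needs the comment match module in the kernel; without it, drop the comment arguments and key the audit on port alone.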