[linux-elitists] Integrating the firewall and the package manager?

Karsten M. Self kmself@ix.netcom.com
Sat Apr 30 13:35:23 PDT 2005

on Sun, May 01, 2005 at 04:22:58AM +1000, Mike MacCana (mmaccana@redhat.com) wrote:
> Mark van Walraven wrote:
> >On Tue, Apr 12, 2005 at 11:28:06AM -0700, Don Marti wrote:
> > 
> >
> >>Basically, the system boots up with all tables default
> >>DROP.  Then, when any daemon starts, its init script
> >>is responsible for setting up any rules necessary
> >>for it to do its job.  If you start a local-only
> >>   
> >>
> >
> >I will raise a dissenting hand - I like having firewall rules hand-
> >configured, so that when I (or any green "sysadmin" I have to pick up the
> >pieces after) installs xdilbert[1] and dependencies pull in foo-server[2],
> >I'm not exposing/allowing more services than I think I am to the world.
> > 
> >
> But the user's already selected what rules they want by specifically 
> electing the service starts by default in that runlevel.

Presumes the service is intentionally started by the user.

Well-known privileged ports assume root access already, but there are
plenty of unprivileged, high-numbered ports I wouldn't mind being able
to preemptively block from f*ckwittage, malware, or incompetence.

Too:  I've heard that GNU/Linux can be run as a multiuser system, though
for the life of me, I can't think of why anyone would want to to that,
or anyone who does.
> If packages are starting network services (that listen on more than 
> localhost) by default, that's a bug in that package and should be fixed 
> in the package.

Good policy, bad assumption.


Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    No one has ever done anything like this.
    Yeah?  That's why it's going to work.
    - The Matrix
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://allium.zgp.org/pipermail/linux-elitists/attachments/20050430/80f0874e/attachment.pgp 

More information about the linux-elitists mailing list