[linux-elitists] Integrating the firewall and the package manager?
Karsten M. Self
Sat Apr 30 13:35:23 PDT 2005
on Sun, May 01, 2005 at 04:22:58AM +1000, Mike MacCana (firstname.lastname@example.org) wrote:
> Mark van Walraven wrote:
> >On Tue, Apr 12, 2005 at 11:28:06AM -0700, Don Marti wrote:
> >>Basically, the system boots up with all tables default
> >>DROP. Then, when any daemon starts, its init script
> >>is responsible for setting up any rules necessary
> >>for it to do its job. If you start a local-only
> >I will raise a dissenting hand - I like having firewall rules hand-
> >configured, so that when I (or any green "sysadmin" I have to pick up the
> >pieces after) installs xdilbert and dependencies pull in foo-server,
> >I'm not exposing/allowing more services than I think I am to the world.
> But the user's already selected what rules they want by specifically
> electing the service starts by default in that runlevel.
Presumes the service is intentionally started by the user.
Well-known privileged ports assume root access already, but there are
plenty of unprivileged, high-numbered ports I wouldn't mind being able
to preemptively block from f*ckwittage, malware, or incompetence.
Too: I've heard that GNU/Linux can be run as a multiuser system, though
for the life of me, I can't think of why anyone would want to do that,
or anyone who does.
> If packages are starting network services (that listen on more than
> localhost) by default, that's a bug in that package and should be fixed
> in the package.
Good policy, bad assumption.
Karsten M. Self <email@example.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
No one has ever done anything like this.
Yeah? That's why it's going to work.
- The Matrix
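The disagreement above comes down to whether a daemon that arrived as a dependency ends up reachable. An added example (not from the thread) that checks this on a box: compare non-loopback listening sockets with the single-port ACCEPT rules on the INPUT chain and report the INPUT policy, so a listener with no rule reads as "blocked" under default DROP and "exposed" otherwise. The inputs are constructed in the shape of `ss -Hlntu` and `iptables-save` output; the `ss` flags are an assumption, not from the page.

```python
import re

# Constructed sample in the shape of `ss -Hlntu` output (no header line).
SS_OUTPUT = """\
tcp   LISTEN 0 128   127.0.0.1:631   0.0.0.0:*
tcp   LISTEN 0 128     0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0 128     0.0.0.0:8080  0.0.0.0:*
udp   UNCONN 0 0       0.0.0.0:5353  0.0.0.0:*
tcp   LISTEN 0 128        [::]:22       [::]:*
"""
# Constructed sample in the shape of `iptables-save` output: default DROP,
# loopback and established traffic allowed, ssh and http opened per daemon.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
"""
LOOPBACK = ("127.", "::1")
# Only simple single-port ACCEPT rules are recognised; multiport or
# ipset-based rules would need extra handling.
RULE_RE = re.compile(r"^-A INPUT .*-p (tcp|udp) .*--dport (\d+) .*-j ACCEPT$")

def listening_sockets(ss_text):
    """Return {(proto, port)} for sockets bound to a non-loopback address."""
    found = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")  # "Local Address:Port" column
        if addr.strip("[]").startswith(LOOPBACK):
            continue
        found.add((fields[0], int(port)))
    return found

def accepted_ports(save_text):
    """Return {(proto, port)} opened by single-port ACCEPT rules on INPUT."""
    return {(m.group(1), int(m.group(2)))
            for m in map(RULE_RE.match, save_text.splitlines()) if m}

def audit(ss_text, save_text):
    """Listeners with no rule are blocked under a DROP policy, exposed otherwise."""
    policy = next((l.split()[1] for l in save_text.splitlines() if l.startswith(":INPUT ")), "UNKNOWN")
    listening, allowed = listening_sockets(ss_text), accepted_ports(save_text)
    return {"policy": policy, "listening_without_rule": sorted(listening - allowed),
            "rule_without_listener": sorted(allowed - listening)}
```

On the constructed input this flags tcp/8080 and udp/5353 as listening with no rule (harmless under DROP, a problem under ACCEPT) and tcp/80 as a rule with nothing behind it.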