[linux-elitists] Integrating the firewall and the package manager?

Mike MacCana mmaccana@redhat.com
Sun May 1 06:11:16 PDT 2005


Karsten M. Self wrote:

>on Sun, May 01, 2005 at 04:22:58AM +1000, Mike MacCana (mmaccana@redhat.com) wrote:
>
>>Mark van Walraven wrote:
>>
>>>On Tue, Apr 12, 2005 at 11:28:06AM -0700, Don Marti wrote:
>>>
>>>>Basically, the system boots up with all tables default
>>>>DROP.  Then, when any daemon starts, its init script
>>>>is responsible for setting up any rules necessary
>>>>for it to do its job.  If you start a local-only
>>>>
>>>I will raise a dissenting hand - I like having firewall rules
>>>hand-configured, so that when I (or any green "sysadmin" I have to pick up
>>>the pieces after) installs xdilbert[1] and dependencies pull in foo-server[2],
>>>I'm not exposing/allowing more services than I think I am to the world.
>>>
>>But the user's already selected what rules they want by specifically
>>electing the service starts by default in that runlevel.
>>
>
>Presumes the service is intentionally started by the user.
>
Presumes the app is packaged correctly, yes.

>Too:  I've heard that GNU/Linux can be run as a multiuser system, though
>for the life of me, I can't think of why anyone would want to do that,
>or anyone who does.
>
You mean the average desktop user doesn't find Ctrl Alt F1, username,
passwd, 'startx -- :1' intuitive?!?!


Gnome/GDM seem to have sorted that out recently tho.

>>If packages are starting network services (that listen on more than
>>localhost) by default, that's a bug in that package and should be fixed
>>in the package.
>>
>
>Good policy, bad assumption.
>
Common practice from what I've seen, YMOV (the O standing for obviously).
Again, I think having the user specifically elect to do things twice is
a Bad Thing, and keeping it outside the service file due to a policy
problem is a technical solution to a policy issue, and hence won't work.

Mike
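The init-script hook Don describes in the quoted thread (default DROP, daemon opens its own hole on start and closes it on stop), written out as an added example that is not from the thread or from any distribution's init scripts. It assumes the script is passed the service name, protocol, port and bind address, and it skips the rule entirely when the daemon binds only to loopback, which is the case Mike argues should be the packaging default; `DRY_RUN=1` prints the iptables command instead of running it.

```shell
#!/bin/sh
# Added example: firewall hook for an init script on a default-DROP host.
# Assumed interface: fw_open NAME PROTO PORT BIND / fw_close NAME PROTO PORT BIND
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Run iptables, or just print the command when DRY_RUN=1 (useful for review).
run_ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Build the INPUT rule for a service. Prints nothing when the daemon only
# listens on loopback: a local-only service needs no hole in a DROP policy.
# The comment tags the rule so 'iptables -L' shows which service opened it.
fw_rule_args() {
    name=$1; proto=$2; port=$3; bind=$4
    case "$bind" in
        127.*|::1|localhost) return 0 ;;
    esac
    printf 'INPUT -p %s --dport %s -m comment --comment svc:%s -j ACCEPT\n' \
        "$proto" "$port" "$name"
}

# Insert the rule when the daemon starts; delete the same rule when it stops.
fw_open() {
    args=$(fw_rule_args "$@")
    [ -n "$args" ] && run_ipt -I $args
    return 0
}
fw_close() {
    args=$(fw_rule_args "$@")
    [ -n "$args" ] && run_ipt -D $args
    return 0
}

# In the daemon's init script (BIND_ADDR read from the daemon's own config):
#   start) daemon foo-server && fw_open  foo-server tcp 8080 "$BIND_ADDR" ;;
#   stop)  fw_close foo-server tcp 8080 "$BIND_ADDR"; killproc foo-server ;;
```

Deleting the identical rule on stop (rather than flushing) keeps this hook from touching rules other services or the admin added by hand.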
