On Thu, Aug 16, 2007 at 03:42:07PM -0700, Russ Allbery wrote:
> "R. W. Rodolico" <[EMAIL PROTECTED]> writes:
>
> > At this point, I disagree. Unfortunately, I have to point to some of the
> > user oriented firewalls you get for windoze (which, to my knowledge,
> > Linux does not have). When they are installed, they shut down basically
> > everything incoming, and all but a few standard outgoing ports (http,
> > smtp, pop and imap). When an application tries to go out of another
> > port, a pop-up informs the user and they can choose to accept, accept or
> > reject, with a "forever" modifier on both, and the firewall changes its
> > rules appropriately.
>
> > For un-informed users, this is a good thing.
>
> Well, I certainly disagree that the pop-up prompts are at all useful or
> offer any real security. Time and time again, studies of user interaction
> with security software have shown that this sort of security interaction
> is essentially useless.
>
> The only thing here that offers any real security protection is the
> default denial of all incoming traffic. And that just returns to my
> previous point, which is that the best and safest way to do that is to not
> listen to network traffic in the first place, rather than installing some
> daemon that listens to network traffic and then turning it off with a
> firewall. It's making the decision in the wrong place, and it's simply
> sloppy security thinking.
That depends. Perhaps, if you are going to make potential network servers
that could also have a local use install listening on the loopback only.
So mysql would install listening to the loopback only. Perhaps an ftp
server might be a reasonable example of something that could install as
listening on the network. And if you're going to make it so that clicking
on "Home Desktop" or whatever the option is in tasksel still results in an
install that doesn't listen to the network, then that is at least
consistent.

Appealing to the fact that a minimal install has nothing listening on a
network port when a typical desktop install will drag in at least avahi ...

But really, networks are pervasive and unavoidable. We have to get past
this 80s-style, TCSEC-style, black & white way of approaching networks and
come up with something practical. Networks are what people have computers
for these days. Air gaps are the exception.

Do ordinary folk really *need* to grok rp_filter ?

Regards,
Paddy
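An added example, not from Paddy or anyone else in the thread: a small POSIX shell check that takes `ss -ltn` style output and reports every listening TCP socket bound to something other than loopback, i.e. the "listening on the network" case the reply argues should be the deliberate exception rather than the default. The sample listing below is constructed, not captured from a real host, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample in the shape of `ss -ltnH` output (no header line):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='LISTEN 0 80  127.0.0.1:3306   0.0.0.0:*
LISTEN 0 128 0.0.0.0:21       0.0.0.0:*
LISTEN 0 128 [::1]:631        [::]:*
LISTEN 0 50  *:5353           *:*
LISTEN 0 128 192.168.1.10:22  0.0.0.0:*'

# network_listeners: read ss-style lines on stdin and print the local
# address:port of every LISTEN socket that is NOT bound to loopback.
# Loopback means 127.0.0.0/8 or [::1]; anything else (0.0.0.0, *, [::],
# a specific interface address) is reachable from the network.
network_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        # The port is everything after the last colon; the host is the rest.
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "[::1]" || host ~ /^127\./) next
        print addr
    }'
}

# count_network_listeners: how many non-loopback listeners the sample has.
count_network_listeners() {
    printf '%s\n' "$SAMPLE_SS" | network_listeners | wc -l | tr -d ' '
}

# Run against the constructed sample. On a real Debian box you would
# pipe `ss -ltnH` into network_listeners instead.
printf '%s\n' "$SAMPLE_SS" | network_listeners
```

On the sample this prints the ftp, mDNS and ssh sockets and stays silent about mysql (127.0.0.1:3306) and cups ([::1]:631), which is the split the reply describes: services with a local use bound to loopback, only the ones meant for the network actually exposed. Anything the script lists is a socket that either needs a firewall rule or, better, a bind-address change in the service's own configuration.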

