André,

On 1/22/14, 11:34 AM, André Warnier wrote:
> Christopher Schultz wrote:
>> Konstantin,
>>
>> On 1/22/14, 9:03 AM, Konstantin Preißer wrote:
>>> Hi Jeffrey,
>>>
>>>> -----Original Message-----
>>>> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
>>>> Sent: Tuesday, January 21, 2014 10:19 PM
>>>>
>>>> Eureka, I finally figured it out! It was a real eureka moment,
>>>> some remembrance burned its way up from my subconscious and I
>>>> had the answer. Ready guys? Really surprised no one mentioned
>>>> it. It was Windows F-ing Firewall!!!!!
>>>
>>> Good to hear that you could find and solve the problem.
>>>
>>> (Off topic:)
>>>
>>>> I HATE WINDOWS!!!!!!
>>>
>>> What I can't quite understand is, how one can "hate" Windows or
>>> its "F-ing" firewall, if they just do what they were configured
>>> to do... ;-)
>>>
>>> When setting up the Windows Firewall, I normally only create
>>> rules for specific (TCP) ports, not for specific executables,
>>> so that the firewall allows connections to a TCP port
>>> regardless of what the name or path of the executable is.
>>
>> Actually, as surprising as it can sometimes be, I find that the
>> Windows firewall is better than iptables *because* it /can/ do
>> things like this. You can make your system a bit safer.
>>
>> For instance, if your server is compromised (yes, I know, once
>> you're owned, you're owned) and the attacker installs some
>> malware of some kind, that malware will not be able to bind to a
>> port or even make outgoing connections, even on "standard"
>> outgoing ports -- for instance HTTP.
>>
>> Lots of malware connects to external C&C servers to give
>> instructions, and the Windows firewall makes it easy to prevent
>> that from happening even when ports like 80 are used -- and
>> typically left wide-open on servers.
>
> Of course, one could argue that the Windows Firewall needs to
> offer this, because it is inherently easier to infect with malware
> a Windows server than a Linux server. So it needs to compensate
> somehow..

Amusing, but I do disagree. SELinux evidently has this feature, though I know nothing about it and have no SELinux experience.

Also, US-NSA evidently pwns SELinux so I'm not sure how truly secure it is. It's probably better than the alternative(s), but it's sad that those folks can't help legitimately-secure computer systems for everyone.

*sigh*

-chris
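
The two rule styles contrasted in this thread, written out with the Windows NetSecurity cmdlets. This is an added example, not part of the original messages; the Tomcat executable path, the port numbers and the rule names are assumptions.

```powershell
# Assumed path to the Tomcat service executable; substitute the real one.
$tomcatExe = 'C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe'

# Port-scoped form, shown for contrast only: any process listening on 8080 is reachable.
#   New-NetFirewallRule -DisplayName 'Example HTTP 8080' -Direction Inbound `
#       -Action Allow -Protocol TCP -LocalPort 8080

# Program-scoped form: inbound 8080 is accepted only when the listener is $tomcatExe.
New-NetFirewallRule -DisplayName 'Example Tomcat inbound 8080' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 8080 -Program $tomcatExe

# Outbound traffic is allowed by default. Switch the default to Block, then allow
# named programs only. Other services on the host (DNS client, updates, monitoring)
# need their own allow rules before this is applied.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'Example Tomcat outbound 443' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 443 -Program $tomcatExe

# Audit: enabled inbound allow rules that are not tied to a specific executable.
Get-NetFirewallRule |
    Where-Object {
        $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
        $_.Action -eq 'Allow' -and
        ($_ | Get-NetFirewallApplicationFilter).Program -eq 'Any'
    } |
    Select-Object DisplayName, Profile
```

A port-only allow rule for the same port overrides the benefit of the program-scoped rule, which is why the audit at the end lists rules whose program filter is `Any`.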