Re: [opensuse] Interactive Firewall Needed
- From: "Rajko M." <rmatov101@xxxxxxxxxxx>
- Date: Tue, 5 May 2009 22:47:55 -0500
On Tuesday 05 May 2009 09:34:11 pm L. V. Lammert wrote:
On Tue, 5 May 2009, Rajko M. wrote:
On Tuesday 05 May 2009 05:24:05 pm Carlos E. R. wrote:
The request for someone to learn firewall internals in order to open
ports is the same as to ask car owner to know how to tune cars in order
to use them. Some will do that, but majority see car as a way to go from
point A to point B, not a bit more.
Sorry, you have missed the support equation entirely! A *USER* should
never be asked to open a port, as that request might have come from some
malicious program!
It seems that you never used a personal firewall in that other OS, at least not
the paid-for version. The user is asked whether he would let application [name] access
the Internet, with an offer to give more details if the user wants. So, if you see some
application attempting to access the Internet, and you are not sure, you click
the link to more information and read what the firewall creators have to say.
Can you imagine a better option for a user who is not a computer specialist?
You can argue that Windows users are used to OK everything, but such user will
ask how to disable firewall, and knowing helpful Linux guys, he will get
information, or he will not ask anything and trash Linux.
If they KNOW it is a valid request, it's only three or four mouse clicks
to turn on that port - no internal knowledge needed.
How would they know?
Today even kwrite is networked, and second, how should you, as someone new to Linux,
know which application is benevolent and which is not?
Which port?
Applications try to access a port, but never tell you which. Some, after failed
attempts, will tell you what ports are needed, but not many.
Having program that will monitor all ports and notify user that some
application wants to go out is not out of mind. That is way better option
than having all ports closed making application to fail, or forcing
user to shut down the firewall.
Sorry, not true either. The system comes configured with standard ports
open, and any other required ports would be opened at installation.
Well, if applications are installed that way, why do we have those that, like Samba,
fail royally on my own LAN? CUPS doesn't work on the same LAN, and probably
more.
Under normal circumstances, the user would never see a request to open a
port; if he/she DOES, it is highly likely that some malicious application is
the cause, OR a new application is being installed, which should have been
monitored by a qualified professional anyway.
Should I hire a qualified professional to make Samba or CUPS work?
I'm sure, if I were less of a do-it-yourself guy, I would take another
approach, ditch the non-working OS and go back to working.
Continue to pay for firewall that is a bit more verbose than Linux one, pay
for antivirus software, have normal user for everything, but administration,
apply common sense in other activities, like don't open attachments, don't
visit dark corners of the web, and have OS that prints when I want, connects
to other computers on LAN without asking me for PhD in couple of computer
disciplines.
What that monitor will do is the same as user will do with much more
hassle. It will record port, destination IP and application name. Notify
user and after, [yes], [yes, log traffic], or [no], perform action.
No, no, no! Training users to always click on the "YES" button is
absolutely no security at all. Why do you think Vista had so many
problems? USERS are not qualified to make a security decision.
Users that always OK without reading you can't protect.
They sign more serious things without reading them.
That is just the kind of people that jump first and then hope that all will end
well.
Harassing the rest would not increase computer security a bit.
Although, I can agree that asking the user to decide whether some application should go to
the Internet, without providing additional informational resources, is equivalent
to training them to click OK. The solution is not to give the ability to poke a
hole in the firewall without providing additional information to those that ask
for it.
IMHO, the second part of the solution is actually more demanding on developers
than the first. It requires permanent maintenance and update of information.
Taking current problems with similar tasks, like providing current application
manuals and troubleshooting guides, it seems that we will wait a bit until
community builds resources for such task.
--
Regards, Rajko
http://news.opensuse.org/category/people-of-opensuse/