Re: Blasted Suse Firewall

From: Paul J Gans (gans_at_panix.com)
Date: 01/16/05


Date: Sun, 16 Jan 2005 04:13:53 +0000 (UTC)

AT <notme@example.com> wrote:
>On Wed, 12 Jan 2005 17:58:04 +0000, Paul J Gans wrote:

>> baskitcaise <baskitcaise@hotmail.com> wrote:
>>>Lee Bouknight adjusted his/her tin foil beanie and asbestos underwear to
>>>write:
>>
>>>Come on chaps even M$ has learned that having a firewall "On" by default
>>>is a good idea, what you are asking for is an open machine or relay on
>>>every install.
>>
>>>What about the newb who uses something like a USB modem supplied by the
>>>ISP, who knows nothing but just wants to try linux.
>>
>>>Don`t forget not everybody is fortunate enough to have a hardware
>>>modem/router/nat/firewall so cannot be expected to know how to clamp
>>>down linux to be safe.
>>
>>>Is it not better to have a machine that cannot be "got at" and take a
>>>bit of knowledge to let it out?
>>
>>>Or would you prefer all machines open and ready to get everything before
>>>the user knows?
>>
>>
>>>Linux may not be as immune to exploits as we believe that is why they
>>>are clamped down.
>>
>> You are quite right while being wrong. If your linux machine
>> does not work correctly because of the firewall, you are better
>> off without it.

>Thing is, the linux machine is working correctly. It defaults to secure
>settings, forcing the admin to explicitly allow (possibly malicious)
>things to happen. And let's face it, even if you just want to be a user,
>when you install a modern multipurpose OS like Linux or that other one,
>you are an admin, whether you like it or not. Especially so if you provide
>services on a network like the OP does.

Sure. It is true of Windows as well, but folks mainly
ignore it. I'm not for Windowizing Linux, but I think
that many folks need more guidance than is easily available.

For 9.2, the two guides are fairly good, but a number of
issues, including much security stuff, is not well covered.

>> Put another way, of what use is a perfectly protected machine
>> that will not do what you want it to do?

>I would rephrase that: Of what use is a perfectly open, but rooted
>machine that will not do what you want it to do?

Neither is any good, which is the problem. Security is inseparable
from operation.

>> The problem is that some updates and fixes "break" the firewall
>> one way or another. Perhaps what is needed is a user interface
>> that not only allows you to turn things on and off, but which
>> actually tells you what *is* turned on and off by looking at
>> the rules.

>Errrm, that's what 'iptables-save', 'iptables -L' and your configuration
>scripts (namely: /etc/sysconfig/SuSEfirewall2) will tell you.

Yes, they will tell me that. But they won't tell a newbie
that. He has no notion that they are there or that they
can tell him anything. And there is nothing that tells him
that these can be important.

Don't you see that what is obvious for anybody who has been
running linux since version 0.92 is NOT obvious for a newbie
who has just come over from Windows?

>> I do not believe that Yast does this. It simply remembers what
>> you've turned on and off and repeats this information to you,
>> even if a security fix has changed the firewall rules.

>I don't know, I haven't been very impressed with SuSEfirewall2
>either, but the thing is, that networked security is a complex topic for
>the novice and he or she should be aware of these issues when connecting
>to an untrusted network, such as the Internet. Choosing secure defaults
>should be common practice.

Sure. But how is Mr. Newbie going to do that?

No, I'm not blaming SuSE. My point is that we need a *lot*
more study on this. We need YAST, for example, to show choices
with really decent explanation of what each does.

The statement that one should "turn off unneeded services"
is useless for Mr. Newbie.

>BTW, SuSE does send you mail when you update their firewall IIRC. Now if
>you never look at your local mail...

Please understand that I am not a newbie. Far from it. I
don't know everything, but I know where to look and I know
that eventually I can ask here and get good answers.

What I am doing is looking at SuSE (because that's what I have,
not because it is a bad distro) and trying to figure out what
Mr. Newbie would do if he had to face it.

You can see this in the numerous newbie posts here. And
if you look at the snippy answers that they get.

I would *love* to see linux take over the desktop. To do
that Mr. Newbie has to have a fighting chance.

    ---- Paul J. Gans
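The reply above names `iptables-save`, `iptables -L` and `/etc/sysconfig/SuSEfirewall2` as the places where the actual rules can be read. The following is an added example, not code from the thread or from SuSE, of the kind of plain-language summary that was being asked for: it reads a ruleset in `iptables-save` format and reports the default INPUT policy and which inbound protocol/port pairs are actually ACCEPTed. The ruleset embedded below is constructed for the example and was not captured from a real SuSE 9.2 machine; on a live box you would run `iptables-save` as root and pipe it into these functions.

```shell
#!/bin/sh
# Added example (not part of the original post or of SuSEfirewall2):
# summarise what an iptables ruleset, as printed by `iptables-save`,
# actually lets in on the INPUT chain.

# Constructed sample ruleset for offline use. Not a real system's output.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT'

# input_policy: read iptables-save output on stdin and print the default
# policy of the INPUT chain (what happens to a packet no rule matches).
input_policy() {
    awk '$1 == ":INPUT" { print $2 }'
}

# list_open_ports: read iptables-save output on stdin and print one
# "proto/port" line for every INPUT rule that ACCEPTs a destination port.
# Rules without --dport (loopback, connection tracking) are skipped, and
# rules whose target is not ACCEPT are skipped, so "udp/631" above is
# correctly NOT reported as open.
list_open_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; port = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") port   = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (target == "ACCEPT" && port != "") print proto "/" port
        }'
}

# report: the newbie-facing summary. On a live system replace the
# printf with:  iptables-save | report
report() {
    policy=$(input_policy)
    echo "Default for unsolicited inbound traffic: $policy"
    echo "Ports explicitly opened:"
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | report
printf '%s\n' "$SAMPLE_RULES" | list_open_ports
```

This deliberately reads only the INPUT chain and only rules with a single `--dport`; a real SuSEfirewall2 ruleset also jumps into user-defined chains and uses interface and source restrictions, so a tool meant for Yast would have to follow `-j <chain>` jumps and show the conditions, not just the port. The value of even this crude version is that it reads the live rules, so it reflects whatever the last update or fix actually installed rather than what the configuration dialog remembers.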


