Re: Firewall security: Re: Problems with simple Samba file share
From: Tony Lawrence (foo_at_pcunix.com)
Date: 05/08/05
- Next message: jeff: "Re: Firewall security: Re: Problems with simple Samba file share"
- Previous message: jwilli46_at_cpp.net: "Total Failure to Solve (was Email comes to a screeching halt!)"
- In reply to: Alexander Skwar: "Re: Firewall security: Re: Problems with simple Samba file share"
- Next in thread: Peter T. Breuer: "Re: Firewall security: Re: Problems with simple Samba file share"
- Reply: Peter T. Breuer: "Re: Firewall security: Re: Problems with simple Samba file share"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 08 May 2005 16:49:47 -0400
Alexander Skwar wrote:
> · Tony Lawrence <foo@pcunix.com>:
>
>>Peter T. Breuer wrote:
>>
>>>Tony Lawrence <foo@pcunix.com> wrote:
>
>
>>How is that not appreciating the design?
>
>
> Yep. Also, how comes that the OpenSSH sshd man page lists
> /etc/hosts.allow as possible configuration options? Is
> the OpenSSH sshd man page against the design of sshd?
>
> Alexander Skwar

I guess they'll have to change it. Peter says it has to be open to
everyone - so that must be a mistake.

Peter does have a point in narrow situations, but he ignores reality.
For example, I probably never want inbound telnet. It's solidly shut
off, so technically Peter is right: adding the two fw's adds nothing to
that. However, I may want local telnet. I'm going to set it only to
accept the local LAN, but I can make a mistake. Even if I don't make a
mistake now, something I do later may accidentally open up telnet or
some other currently local-only service. Peter may never make mistakes,
but I sure do, especially when I'm rushing.

From another viewpoint, the firewalls are just obvious security policy:
deny everything by default. That's what you are doing by not turning on
services, but the firewalls just extend that to an extra level.

And as we both agree, if you know where your intended users are coming
from, there's no point in allowing anyone else. You could extend that
to geographic locations, and we've done that at some places: if there are no
users from Japan or Korea, why allow those IP blocks? If it's your
personal access, why allow any blocks that you won't be traveling to?
That could still let you travel to the internet cafe that Peter
mentioned, but it improves security. Any improvement is of value, in my
opinion.

-- Tony Lawrence Unix/Linux/Mac OS X resources: http://aplawrence.com
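
The layering argument in the message above, as an added example that is not part of the original post: a small Python model of two default-deny allowlists (a service ACL and a host firewall) showing what happens when the service ACL is later opened by mistake, plus a check that reports where only one layer is still denying. The address ranges, port tables and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

def permitted(src, allow):
    """Default deny: src passes only if it falls inside a listed network."""
    return any(ip_address(src) in ip_network(net) for net in allow)

def reachable(src, port, service_acl, firewall):
    """A connection succeeds only when both layers permit it."""
    return (permitted(src, firewall.get(port, ()))
            and permitted(src, service_acl.get(port, ())))

def single_layer_denials(sources, service_acl, firewall):
    """List (port, src, denying_layer) where exactly one layer says no.

    Each finding is a place where the two policies disagree: either a
    mistake has already been made in one layer, or one more mistake in
    the remaining layer would expose the service.
    """
    findings = []
    for port in sorted(set(service_acl) | set(firewall)):
        for src in sources:
            fw_ok = permitted(src, firewall.get(port, ()))
            svc_ok = permitted(src, service_acl.get(port, ()))
            if fw_ok != svc_ok:
                findings.append((port, src, "service" if fw_ok else "firewall"))
    return findings

# Constructed sample data (assumptions, not taken from the post).
LAN = "192.168.1.0/24"
ANYWHERE = "0.0.0.0/0"
SOURCES = ["192.168.1.20", "203.0.113.7"]       # one LAN host, one outside host

FIREWALL = {23: [LAN], 22: [ANYWHERE]}          # telnet: LAN only; ssh: open
NO_FIREWALL = {23: [ANYWHERE], 22: [ANYWHERE]}  # models having no firewall
INTENDED = {23: [LAN], 22: [ANYWHERE]}          # service ACLs as planned
DRIFTED = {23: [ANYWHERE], 22: [ANYWHERE]}      # later mistake opens telnet

if __name__ == "__main__":
    for name, acl in (("intended", INTENDED), ("drifted", DRIFTED)):
        print(name, "outside->telnet, firewall on: ",
              reachable("203.0.113.7", 23, acl, FIREWALL))
        print(name, "outside->telnet, firewall off:",
              reachable("203.0.113.7", 23, acl, NO_FIREWALL))
        print(name, "held by one layer only:",
              single_layer_denials(SOURCES, acl, FIREWALL))
```

With the intended ACL the firewall changes nothing for telnet; after the drift, it is the only layer still denying the outside host, and the report names it.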