On Thu, August 16, 2007 16:56, Russ Allbery wrote: > "R. W. Rodolico" <[EMAIL PROTECTED]> writes: > > >> For workstations, I tend to use Kubuntu. On that, yes, I want a >> firewall, and since I recommend it to anyone who asks (and even have my >> sales staff using it), a default firewall is a Good Thing. > > The part that concerns me about installing a firewall by default is that > people seem to put irrational trust in a firewall and use it as an excuse > to not address other security issues. The *best* thing to do is to > design secure services that either don't randomly listen to the network or > that deal with network traffic in a secure fashion, and I'd really like to > maintain Debian's emphasis there. Installing a firewall, which often > does little or nothing, strikes me as cargo cult security, and cargo cult > security can be worse than useless. > > A well-designed and reviewed set of iptables rules provides additional > defense in depth and we do deploy iptables on all of our servers and manage > those rules as part of their Puppet model, but it's not something that you > can tell an average user to just apt-get install and have work in a way > that offers any real security, IMO.
At this point, I disagree. Unfortunately, I have to point to some of the user oriented firewalls you get for windoze (which, to my knowledge, Linux does not have). When they are installed, the shut down basically everything incoming, and all but a few standard outgoing ports (http, smtp, pop and imap). When an application tries to go out of another port, a pop-up informs the user and they can choose to accept, accept or reject, with a "forever" modifier on both, and the firewall changes its rules appropriately. For un-informed users, this is a good thing. It is by no means perfect, but it is just one more level between the un-informed user and the big bad world that is the 'net. But, even without the interaction of some of the Windows firewalls, just installing one of the firewall builders available on the workstation distro's at least gives them some protection. > > -- > Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] > > -- R. W. "Rod" Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 214.827.2170 This is a private e-mail address for use only by clients of Daily Data. Please do not forward or give out this e-mail address to anyone. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
