"R. W. Rodolico" <[EMAIL PROTECTED]> writes: > At this point, I disagree. Unfortunately, I have to point to some of the > user oriented firewalls you get for windoze (which, to my knowledge, > Linux does not have). When they are installed, the shut down basically > everything incoming, and all but a few standard outgoing ports (http, > smtp, pop and imap). When an application tries to go out of another > port, a pop-up informs the user and they can choose to accept, accept or > reject, with a "forever" modifier on both, and the firewall changes its > rules appropriately.
> For un-informed users, this is a good thing. Well, I certainly disagree that the pop-up prompts are at all useful or offer any real security. Time and time again, studies of user interaction with security software have shown that this sort of security interaction is essentially useless. The only thing here that offers any real security protection is the default denial of all incoming traffic. And that just returns to my previous point, which is that the best and safest way to do that is to not listen to network traffic in the first place, rather than installing some daemon that listens to network traffic and then turning it off with a firewall. It's making the decision in the wrong place, and it's simply sloppy security thinking. > But, even without the interaction of some of the Windows firewalls, just > installing one of the firewall builders available on the workstation > distro's at least gives them some protection. No, it doesn't. What offers *real* protection is the fact that both Debian and Ubuntu don't run services that listen to the network on a default installation. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
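The message above argues that exposure is decided by what a host listens on, not by a firewall placed in front of it. The following is an added example, not part of the original message: a Python check that reads `ss -H -tln` output and reports TCP listeners bound to anything other than loopback. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 5    127.0.0.1:631    0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
LISTEN 0 5    [::1]:631        [::]:*
LISTEN 0 511  *:80             *:*
LISTEN 0 64   192.0.2.10:5432  0.0.0.0:*
"""


def split_local(field):
    """Split the 'Local Address:Port' column into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.split("%", 1)[0]   # drop an interface scope such as %lo
    addr = addr.strip("[]")        # IPv6 addresses are printed as [addr]
    return addr, int(port)


def is_loopback_only(addr):
    """True when the bind address is reachable only from the local host."""
    if addr == "*":                # wildcard bind covering every address
        return False
    return ipaddress.ip_address(addr).is_loopback


def network_listeners(ss_output):
    """Return sorted (address, port) pairs that accept non-local traffic."""
    exposed = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue               # skip headers, blanks and other states
        addr, port = split_local(cols[3])
        if not is_loopback_only(addr):
            exposed.add((addr, port))
    return sorted(exposed)


if __name__ == "__main__":
    for addr, port in network_listeners(SAMPLE_SS):
        print(f"listening on the network: {addr} port {port}")
```

An empty result means no TCP service on the host accepts non-local connections; the check covers TCP only.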