On Thu, August 16, 2007 17:42, Russ Allbery wrote:

> "R. W. Rodolico" <[EMAIL PROTECTED]> writes:
>
>> At this point, I disagree. Unfortunately, I have to point to some of the user-oriented firewalls you get for windoze (which, to my knowledge, Linux does not have). When they are installed, they shut down basically everything incoming, and all but a few standard outgoing ports (http, smtp, pop and imap). When an application tries to go out of another port, a pop-up informs the user and they can choose to accept, accept or reject, with a "forever" modifier on both, and the firewall changes its rules appropriately.
>>
>> For un-informed users, this is a good thing.
>
> Well, I certainly disagree that the pop-up prompts are at all useful or offer any real security. Time and time again, studies of user interaction with security software have shown that this sort of security interaction is essentially useless.

I realize many users just press the "ok" button and go on with it. I have no hope for them, but for the users who might actually understand what is going on, I just think for the "normal" user this is more realistic than viewing log files.

> The only thing here that offers any real security protection is the default denial of all incoming traffic. And that just returns to my previous point, which is that the best and safest way to do that is to not listen to network traffic in the first place, rather than installing some daemon that listens to network traffic and then turning it off with a firewall. It's making the decision in the wrong place, and it's simply sloppy security thinking.
>
>> But, even without the interaction of some of the Windows firewalls, just installing one of the firewall builders available on the workstation distros at least gives them some protection.
>
> No, it doesn't. What offers *real* protection is the fact that both Debian and Ubuntu don't run services that listen to the network on a default installation.

Actually, you and I do agree completely on this. The first thing I do on a Debian install is shut down tons of services that Debian installs by default. I understand the reasoning behind it, I just don't agree with that reasoning. And I checked out Kubuntu and was pleased that it did not install these (apparently).

Firewalls are a stupidity shield. I had a situation where I was cracked on one of my servers a few years ago. It was totally my fault; I had a user I had mistakenly set up as an authorized ssh user who shouldn't have been. Their account was cracked, then the cracker got root access and installed a daemon that was ready to attack another server. My firewall gave one yelp, the cracker realized what was going on and told the firewall to shut up, basically. However, I got that one yelp from the firewall, investigated, and fixed the issue.

A firewall is not, by any stretch of the imagination, the security for a server. Security for a server is, as you say, not running services that are not necessary. However, a firewall is for people like me, who make mistakes and, in so doing, create a security problem.

> --
> Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]

--
R. W. "Rod" Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170

This is a private e-mail address for use only by clients of Daily Data. Please do not forward or give out this e-mail address to anyone.
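Both sides of the thread agree that the real control is not having anything listening on the network in the first place. As an added example (not from either poster), this is the check a Debian admin can run after the "shut down tons of services" step: parse `ss -Hltnu`-style output, ignore loopback-only sockets, and flag any non-loopback listener whose port is not on an expected allowlist. The sample socket listing and the allowlist are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ss -Hltnu` output (header-less listening TCP/UDP
# sockets): Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25    0.0.0.0:*
tcp   LISTEN 0      128    [::1]:631       [::]:*
udp   UNCONN 0      0      0.0.0.0:111     0.0.0.0:*
tcp   LISTEN 0      511    [::]:8000       [::]:*'

# Ports this host is meant to expose to the network (assumed allowlist;
# on a plain workstation this could even be empty).
EXPECTED_PORTS="22"

# unexpected_listeners SS_OUTPUT ALLOWLIST
# Prints "proto port" for every socket bound to a non-loopback address
# whose port is not in ALLOWLIST. Loopback-only sockets are skipped because
# they are unreachable from the network, which is the thread's whole point.
unexpected_listeners() {
  printf '%s\n' "$1" | awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
      # Port is everything after the last ":"; host is what precedes it
      # (works for 0.0.0.0:22, 127.0.0.1:25, [::1]:631 and [::]:8000).
      m = split($5, parts, ":"); port = parts[m]
      host = substr($5, 1, length($5) - length(port) - 1)
      if (host ~ /^127\./ || host == "[::1]") next
      if (!(port in ok)) print $1, port
    }'
}

# Stand-alone run against the constructed sample; on a live host replace
# "$SAMPLE_SS" with "$(ss -Hltnu)".
unexpected_listeners "$SAMPLE_SS" "$EXPECTED_PORTS"
```

Anything the script prints is a service reachable from the network that you did not plan for, and the fix is to stop or remove that daemon rather than to paper over it with a firewall rule.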