On Sun, 14.06.09 14:01, Bruno Wolff III (br...@wolff.to) wrote:

> On Sun, Jun 14, 2009 at 20:08:31 +0200,
>   Lennart Poettering <mzerq...@0pointer.de> wrote:
> > 
> > enabled by default, like we currently do. If an application cannot be
> > trusted then it should not be allowed to listen on a port by default
> > in the first place. A firewall is an extra layer of security that
> > simply hides the actual problem.
> The point of the firewall is to block connections to services that are
> only supposed to be connected from trusted locations. This may be things
> you are testing, don't intend to be running, don't bind to instead
> of, even though they are intended to be accessed from the local
> machine, or services that you only want to accept connections from a
> whitelist of IP addresses.


The currently existing firewall knows nothing about "trusted
locations". Which is precisely what makes it so pointless.

Also, if an application listens on but should actually be
listening on then this is a bug, which is simply taped over
by running a firewall. This really needs to be fixed in the

I mean, maybe it is just me, but I actually think that bugs should be
fixed where they are, and not by taping over them.

Everything you wrote above simply proves my points...


Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4

fedora-devel-list mailing list
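An added example, not part of this thread and not code from Lennart, Bruno or any Fedora component, illustrating the bind-address point in the reply above: if a service is meant to be reached only from the local machine, the check is whether it is bound to loopback, and the fix is the bind address, not a firewall rule. The `ss -tlnp`-style output below is constructed, the process names and PIDs are hypothetical, and the set of services treated as local-only is an assumption.

```python
import ipaddress
import re
import socket

# Constructed sample in the shape of `ss -tlnp` output; not captured from a
# real host, and the process names and PIDs are hypothetical.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=900,fd=7))
LISTEN  0       50      *:5432               *:*                users:(("postgres",pid=1200,fd=5))
LISTEN  0       128     [::1]:25             [::]:*             users:(("master",pid=1301,fd=13))
LISTEN  0       128     [::]:80              [::]:*             users:(("httpd",pid=1402,fd=4))
LISTEN  0       128     192.0.2.10:8080      0.0.0.0:*          users:(("java",pid=1500,fd=9))
"""

# Assumption for this example: these services are only meant to be reached
# from the local machine, so anything but a loopback bind is a config bug.
LOCAL_ONLY_SERVICES = frozenset({"cupsd", "postgres", "master"})

_PROC_RE = re.compile(r'\("([^"]+)"')


def scope_of_address(addr):
    """Classify a bind address as 'wildcard' (all interfaces), 'loopback' or 'specific'."""
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:      # 0.0.0.0 or ::
        return "wildcard"
    if ip.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"


def parse_listeners(ss_output):
    """Turn the LISTEN rows of `ss -tlnp` text into process/address/port/scope records."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue                      # header or blank line
        addr, port = fields[3].rsplit(":", 1)
        addr = addr.strip("[]")           # IPv6 addresses are bracketed
        m = _PROC_RE.search(fields[5]) if len(fields) > 5 else None
        listeners.append({
            "process": m.group(1) if m else "?",
            "address": addr,
            "port": int(port),
            "scope": scope_of_address(addr),
        })
    return listeners


def find_misbound(ss_output, local_only=LOCAL_ONLY_SERVICES):
    """(process, address, port) for local-only services that are not bound to loopback.

    Each hit is a bind-address bug in that service's configuration; a firewall
    rule would only hide it."""
    return [(l["process"], l["address"], l["port"])
            for l in parse_listeners(ss_output)
            if l["process"] in local_only and l["scope"] != "loopback"]


def open_listener(host):
    """Open a TCP listener on an ephemeral port; the whole fix is the choice of `host`."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


def scope_of_socket(sock):
    """Classify what a live socket is actually bound to, the same way the audit does."""
    return scope_of_address(sock.getsockname()[0])


def main():
    for proc, addr, port in find_misbound(SAMPLE_SS_OUTPUT):
        print(f"BUG: {proc} should be local-only but listens on {addr}:{port}")
    # Bound correctly vs. bound on every interface, as seen by the same check.
    for host in ("127.0.0.1", "0.0.0.0"):
        with open_listener(host) as s:
            print(f"bind({host!r}) -> {scope_of_socket(s)}")


if __name__ == "__main__":
    main()
```

Run it on a real host with `ss -tlnp | python3 -c 'import sys; ...'` by feeding the output to `find_misbound`; the only per-site input is the set of services that are supposed to be local-only.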
