Graham Lyon wrote:

> I'll agree that if your system doesn't have ports open by default then
> you're fine, but if for instance your package manager pulls in mysql or
> postfix or similar as a dependency for some package that doesn't really need
> it to use its network capabilities

Such a situation would be a default misconfiguration problem, and a very bad one since it directly affects security. I assume no package manager installs and starts MySQL behind the user's back, at least not listening to the outside world with the default password!

> then having the ability to turn on a firewall in public wifi
> networks for instance that blocks all traffic to those services
> would be a bonus, in my opinion.

IMHO firewalling is a complicated and error-prone workaround, not the real fix to the misconfiguration problem above. Which Windows end user understands anything about his firewall configuration?

> Why should I have to edit the httpd config?

Just because it is simpler and less error-prone than configuring a firewall. It is simpler and safer to close the security hole you created in the first place rather than from somewhere else. For instance, without a firewall you can list all your security holes with just a simple "netstat -l"; no added confusion. If you need to run an insecure apache instance on a regular basis, then I think you should always watch it very closely, not from the distance of a firewall.

> Also, that was a single use case - I can think of many more.

... but thank God they do not affect the average end user.

> A firewall isn't only about preventing access to network listening
> daemons, it's about granularity in that restriction :)

Sure. But please leave this complex granularity only to the network administrators who actually need it. The average end user has only a few network listening daemons, most of them bound to the loopback address, while the tiny rest is shut down when he connects outside of home.

Out of these two questions, which is the more intuitive? You are about to connect to an untrusted network, do you want to:

- disable file sharing?
- reconfigure your firewall?

Cheers,
Marc
_______________________________________________
NetworkManager-list mailing list
NetworkManager-list@gnome.org
http://mail.gnome.org/mailman/listinfo/networkmanager-list
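The post's point that "netstat -l" already shows every exposed service can be turned into a small check. The following is an added example, not code from the post or from NetworkManager: a POSIX shell function that reads listening-socket lines in the format produced by `ss -ltunH` (the modern replacement for `netstat -l`; columns Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and sorts each listener into "local" (bound to the loopback address, as the post says most end-user daemons are) or "exposed" (bound to 0.0.0.0, `*` or `::`, i.e. reachable from the network you are about to join). The sample socket list embedded below is constructed so the script runs offline; the `classify_listeners` name and the wrapper functions are this example's own.

```shell
#!/bin/sh
# Added example: split listening sockets into loopback-only and externally exposed.
# Input format assumed: lines as printed by "ss -ltunH", i.e.
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# The sample below is constructed for the example, not captured from a real host.

SAMPLE_SS_OUTPUT='udp   UNCONN 0 0      127.0.0.53%lo:53      0.0.0.0:*
tcp   LISTEN 0 128          127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0 128            0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 80           127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0 511                  *:80             *:*
tcp   LISTEN 0 128              [::1]:25          [::]:*
tcp   LISTEN 0 128               [::]:22          [::]:*'

# Reads ss-style lines on stdin and prints one line per listener:
#   "local <proto> <addr>:<port>"   for loopback-bound sockets
#   "exposed <proto> <addr>:<port>" for sockets reachable from other hosts
classify_listeners() {
    awk '
    NF >= 5 {
        proto = $1; local = $5
        # The port follows the last colon; everything before it is the address.
        n = split(local, parts, ":")
        port = parts[n]
        addr = substr(local, 1, length(local) - length(port) - 1)
        sub(/%.*$/, "", addr)        # drop an interface scope such as %lo
        gsub(/\[/, "", addr)         # drop IPv6 brackets
        gsub(/\]/, "", addr)
        if (addr ~ /^127\./ || addr == "::1")
            kind = "local"
        else
            kind = "exposed"         # 0.0.0.0, *, :: or a specific interface address
        print kind, proto, addr ":" port
    }'
}

# Helpers returning the counts for the constructed sample.
exposed_count() { printf '%s\n' "$SAMPLE_SS_OUTPUT" | classify_listeners | grep -c '^exposed '; }
local_count()   { printf '%s\n' "$SAMPLE_SS_OUTPUT" | classify_listeners | grep -c '^local '; }

# Live use on a host:  ss -ltunH | classify_listeners | sort
printf '%s\n' "$SAMPLE_SS_OUTPUT" | classify_listeners | sort
```

Anything reported as "exposed" is a service the post would have you stop or rebind to 127.0.0.1 before joining an untrusted network, rather than hiding it behind a firewall rule; the "local" entries are the loopback-bound majority the post describes and need no action.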