Firewall and user services that needs open ports

Callum Lerwick seg at haxxed.com
Mon Jun 23 06:37:05 UTC 2008


On Sun, Jun 22, 2008 at 3:53 PM, Chuck Anderson <cra at wpi.edu> wrote:

> On Sun, Jun 22, 2008 at 12:06:44PM -0700, Andrew Farris wrote:
> > Izhar Firdaus wrote:
> > There is no service which requires a firewall to be turned off... that
> > does not exist.  What they require is configuration to function with the
> > firewall on. Improvement of the firewall configuration tool would
> > certainly be a good step forward, and perhaps more automated configuration
> > via upnp, but turning it off is definitely the wrong move... no matter what
> > service you're trying to get through it.
>
> Why do we need a firewall when you can easily prevent services from
> being accessed...just stop the service!  Don't bind to the port, and
> it won't be possible to connect to it.


Yes, the correct thing to do for local security is use something like
SELinux to prevent things from binding to interfaces/ports they shouldn't be
binding to in the first place. Using iptables for this is a completely
unsustainable hack. iptables firewalling is for machines that route packets
to other machines.

Unfortunately, for some reason network devices are exempt from the
"everything is a file" architecture, and thus don't receive the benefit of the
pre-existing filesystem access control architecture.
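The thread's point is that a service which does not bind beyond loopback needs no host firewall rule at all. As an added example (not from the thread or any of its authors), the script below turns that into an audit: it parses the kernel's /proc/net/tcp table format, decodes the little-endian hex IPv4 address:port pairs, keeps only sockets in LISTEN state (code 0A) and reports those bound to something other than 127.0.0.0/8. The embedded table is a constructed sample so it runs offline; `audit_live()` reads the real file on a Linux host.

```python
"""Report TCP listeners reachable from beyond loopback (added example).

Parses the /proc/net/tcp layout: per row the fields are
  sl local_address rem_address st tx:rx tr:tm retrnsmt uid timeout inode ...
Addresses are IPv4 as a native-endian 32-bit hex integer plus a hex port,
so on little-endian hosts (x86) the bytes read reversed: 0100007F is 127.0.0.1.
"""
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample table: MySQL on loopback, sshd on all interfaces,
# a user process on 192.168.1.2:8080, and one established (non-listening) flow.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 18233 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15211 1 0000000000000000 100 0 0 10 0
   2: 0201A8C0:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 21907 1 0000000000000000 100 0 0 10 0
   3: 0201A8C0:B5E4 0A01A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22514 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(hexpair):
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306)."""
    addr_hex, port_hex = hexpair.split(":")
    # The kernel prints the address as a host-order integer; assume a
    # little-endian host, which is what the sample above was written for.
    packed = struct.pack("<I", int(addr_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_listeners(table):
    """Return a dict per LISTEN entry: ip, port, owning uid, socket inode."""
    listeners = []
    for line in table.splitlines()[1:]:  # first row is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        ip, port = decode_endpoint(fields[1])
        listeners.append({
            "ip": ip,
            "port": port,
            "uid": int(fields[7]),
            "inode": int(fields[9]),  # can be matched against /proc/<pid>/fd links
        })
    return listeners


def exposed_listeners(table):
    """Listeners not confined to loopback: the ones a firewall would have to cover."""
    return [l for l in parse_listeners(table) if not l["ip"].startswith("127.")]


def audit_live(path="/proc/net/tcp"):
    """Run the audit against the running kernel's table (Linux only)."""
    with open(path) as fh:
        return exposed_listeners(fh.read())


if __name__ == "__main__":
    for entry in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print("exposed: %(ip)s:%(port)d (uid %(uid)d, inode %(inode)d)" % entry)
```

On the sample, port 3306 is ignored because it is bound to 127.0.0.1, while sshd on 0.0.0.0:22 and the process on 192.168.1.2:8080 are reported; the inode lets you map a finding back to the owning process via /proc/<pid>/fd. Only IPv4 is handled here; /proc/net/tcp6 uses the same layout with 128-bit addresses.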