What I HATE about F11

Lennart Poettering mzerqung at 0pointer.de
Sun Jun 14 19:10:38 UTC 2009


On Sun, 14.06.09 14:01, Bruno Wolff III (bruno at wolff.to) wrote:

> 
> On Sun, Jun 14, 2009 at 20:08:31 +0200,
>   Lennart Poettering <mzerqung at 0pointer.de> wrote:
> > 
> > enabled by default, like we currently do. If an application cannot be
> > trusted then it should not be allowed to listen on a port by default
> > in the first place. A firewall is an extra layer of security that
> > simply hides the actual problem.
> 
> The point of the firewall is to block connections to services that are
> only supposed to be connected from trusted locations. This may be things
> you are testing, don't intend to be running, don't bind to 127.0.0.1 instead
> of 0.0.0.0, even though they are intended to be accessed from the local
> machine, or services that you only want to accept connections from a white
> list of IP addresses.

Aha!

The currently existing firewall knows nothing about "trusted
locations". Which is precisely what makes it so pointless.

Also, if an application listens on 0.0.0.0 but should actually be
listening on 127.0.0.1 then this is a bug, which is simply taped over
by running a firewall. This really needs to be fixed in the
application.

I mean, maybe it is just me, but I actually think that bugs should be
fixed where they are, and not by taping over them.

Everything you wrote above simply proves my points...

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4
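The point argued above, that a local-only service must bind 127.0.0.1 itself rather than rely on a firewall to hide a 0.0.0.0 bind, is easy to check on a host. The script below is an added example written for this page, not code from the thread, Fedora, or any project mentioned here. It shows the two binds from the application's side and runs a check over `ss -ltnH`-style output that flags listeners on wildcard addresses. The `ss` lines and the INTENDED_PUBLIC_PORTS policy are constructed for the example and are not taken from any real host.

```python
"""Audit listening sockets for wildcard binds (added example, not from the thread).

A service meant only for local clients should bind 127.0.0.1 (or ::1); a
0.0.0.0 bind that a firewall then blocks is the "taped over" bug from the
thread. This script shows (a) what the two binds look like to the
application and (b) a check over `ss -ltnH`-style output that reports
wildcard listeners not on an allow-list of intentionally public ports.
The ss lines below are constructed sample data, not captured from a host.
"""
import re
import socket

# Constructed sample output in the layout of `ss -ltnH` (no header line).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 128 [::1]:25 [::]:*
LISTEN 0 511 *:8080 *:*
"""

# Hypothetical policy for this example: ports the operator has deliberately
# exposed. Any other wildcard-bound listener is reported as a bug to fix in
# the service's configuration, not in the firewall.
INTENDED_PUBLIC_PORTS = {22}

WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Matches 0.0.0.0:22, [::1]:25 and *:8080 forms of the Local-Address:Port field.
_LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")

def parse_local(field):
    """Split an ss Local-Address:Port field into (address, port)."""
    m = _LOCAL_RE.match(field)
    if not m:
        raise ValueError(f"unrecognised local address field: {field!r}")
    addr = m.group("v6") or m.group("v4")
    return addr, int(m.group("port"))

def find_wildcard_listeners(ss_output, intended_public_ports=frozenset()):
    """Return (address, port) for every LISTEN socket bound to a wildcard
    address whose port is not in intended_public_ports."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, port = parse_local(parts[3])
        if addr in WILDCARD_ADDRS and port not in intended_public_ports:
            findings.append((addr, port))
    return findings

def bound_address(host, port=0):
    """Bind a TCP listener the way an application would and return the
    address the kernel recorded for it. Port 0 lets the kernel pick a free
    port so this runs anywhere. Passing "127.0.0.1" here instead of
    "0.0.0.0" is the application-side fix the thread argues for."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, port))
        s.listen(1)
        return s.getsockname()[0]

if __name__ == "__main__":
    for addr, port in find_wildcard_listeners(SAMPLE_SS_OUTPUT, INTENDED_PUBLIC_PORTS):
        print(f"wildcard bind on {addr}:{port}: fix the service, not the firewall")
    print("local-only bind reports", bound_address("127.0.0.1"))
    print("wildcard bind reports  ", bound_address("0.0.0.0"))
```

On a real host, feed the output of `ss -ltnH` into `find_wildcard_listeners` and keep the allow-list to the ports that are genuinely meant to be public; everything else it reports is a service whose bind address should be changed in its own configuration.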




More information about the fedora-devel-list mailing list