Re: [K12OSN] Access to K12LTSP remotely

Brian Fahrlander <kilroy kamakiriad com> wrote:

> Well, there's conversely no law that says you need to have a
> firewall 'facing the open sea', but would you set up a customer without

Perzackly, Brian. If I went around yelling "You MUST have a firewall!" they
would point to the box in the rack and say "durrrrrr". There's no need to
overstate the obvious. But then, by the time people hire an infosec
consultant, they're usually aware of the need for security. <g>

> Do you REALLY need to expose the Xserver to the public?

I've never needed to expose X through the firewall, even for administration
purposes (despite Red Hat's insistence on putting more and more GUI admin
apps into what is, for most people, a server OS that often runs headless).
As you say, most of the time, there's an HTTP - or better, HTTPS - way of
getting around the problem. Personally, I swear by Webmin with Net::SSLeay
for those remote admin situations. And the general rule for firewalls is to
block all UDP traffic except for DNS - that way, you block NFS, X and a
bunch of other worrisome RPC-based stuff.


--- Les Bell, RHCE, CISSP

