mobility and firewall
Carl Karsten
carl at personnelware.com
Fri Jun 3 14:18:22 CDT 2005
For openers, I think a firewall on a local box is more trouble than it is worth.
I think the firewall should be on a router between the box that needs protecting
and what it needs protecting from (normally the Net.)

However, not everyone thinks like me, so let's look at some of the things that are
being asked for.

In looking at http://udu.wiki.ubuntu.com/Firewalls, I think "protect his machine"
is too undefined. If you are going to provide a service to other boxes, you are
giving up some protection.

Another concern not listed: If his box is compromised and starts attacking other
boxes on the LAN, then "protect his machine" should be changed to "protect his
other nearby machines." - But now we get into the "I can't connect to AIM, etc."
complaint.

Another concern not listed: You have a laptop with NFS, Samba, CUPS and even a
telnet server running. My guess is you want these enabled when connected to your
"trusted" LAN, but not when connected to the Burger King wifi. This is a good use
for a firewall, but a very simple one - something like "allow connections to
privileged ports: on/off." When the box is in the wild, nothing connects to it.
The 1% of the people that do want select ports open are the same people that can
figure it out on their own; except for 1% of that group that could use help, but
that is a reasonable casualty.

Dmitriy Kropivnitskiy wrote:
> On Fri, 2005-06-03 at 11:43 +1200, Christoph Georgi wrote:
>
>>Default Policy: DROP
>>Allow only ESTABLISHED and RELATED for incoming traffic
>>Allow outgoing connections only to port http, https, smtp, pop3, ...
>>
> I wouldn't restrict outgoing connections, since that would lead to way
> too many dumb-user problems like
> "I cannot use AIM!" "Why cannot I connect to IRC?" etc.

Long shot: could it look at the local apt-get db and configure itself based on
what apps are installed?

I realize a compromised box could take advantage of this, but to me a compromised
box can take advantage of anything, and some sort of auto configuring firewall
might just be a good compromise.

Carl K
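The on/off policy sketched in the post (default DROP, accept replies to connections the box started, open privileged ports only on the trusted LAN), as an added example that is not from the original thread: a POSIX shell script that emits an iptables-restore rule set for either mode. It assumes a Linux host with iptables and the conntrack match; the function names gen_rules and open_port_rules are my own.

```shell
#!/bin/sh
# Added example, not from the original post: emit an iptables-restore
# rule set for the "privileged ports: on/off" policy. Assumes Linux with
# iptables and the conntrack match (gen_rules/open_port_rules are my names).
# Usage: sh fw.sh trusted | sudo iptables-restore

# Print the full rule set for MODE. "untrusted" accepts only loopback and
# replies to connections this box started; "trusted" also opens TCP/UDP
# ports 1-1023 for the LAN services the post mentions.
gen_rules() {
    mode="$1"
    case "$mode" in
        trusted|untrusted) ;;
        *) echo "usage: gen_rules trusted|untrusted" >&2; return 2 ;;
    esac
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ "$mode" = trusted ]; then
        cat <<'EOF'
-A INPUT -p tcp --dport 1:1023 -j ACCEPT
-A INPUT -p udp --dport 1:1023 -j ACCEPT
EOF
    fi
    echo "COMMIT"
}

# Number of rules in MODE that accept unsolicited traffic to privileged
# ports; 0 means nothing outside can reach a listening service.
open_port_rules() {
    gen_rules "$1" | grep -c -- '--dport 1:1023' || true
}

# Stand-alone use: print the rule set for the mode given on the command line.
if [ -n "$1" ]; then
    gen_rules "$1"
fi
```

Note that NFS itself listens on port 2049, outside the privileged range, so a trusted-LAN rule set would need that port added explicitly; the property worth checking on the untrusted side is that the count of opened ports is zero.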