mobility and firewall

Scott Robinson scott_ubuntu at scott.tranzoa.net
Mon Jun 6 19:20:18 CDT 2005


On Tue, Jun 07, 2005 at 01:18:48AM +0200, Ivan Krstic wrote:
[...]
> I would kindly ask that further cries for a firewall be accompanied by a
> *specific* ruleset (pseudocode is fine) and a specific explanation of
> how such a ruleset will defend a user. Bonus points for a complete
> threat model (I might write one up later tonight).
> 
[...]

There seems to be a disconnect. A firewall can't protect a system
against exploits for software that needs to be exposed anyway. The
current Ubuntu configuration specifies that there aren't any servers
by default - so any open ports are the result of either a user or an
administrator specifically requesting it. So we're left with that
dichotomy: user and administrator. 

So why not run with that? Interactive and non-interactive programs?
Specifically, if a user wants the "control" of a software firewall it
seems it's because they don't trust the interactive software they're
running.

That isn't necessarily a bad thing.

But iptables rules and conventional Linux firewalls don't handle that
issue. Firewalls in the vein of ZoneAlarm begin to address that issue.

I'll finish this rambling with a link:

http://0pointer.de/lennart/projects/fieryfilter/

Scott.

-- 
http://quadhome.com/            - Personal webpage