mobility and firewall

Scott Robinson scott_ubuntu at
Mon Jun 6 19:20:18 CDT 2005

On Tue, Jun 07, 2005 at 01:18:48AM +0200, Ivan Krstic wrote:
> I would kindly ask that further cries for a firewall be accompanied by a
> *specific* ruleset (pseudocode is fine) and a specific explanation of
> how such a ruleset will defend a user. Bonus points for a complete
> threat model (I might write one up later tonight).

There seems to be a disconnect. A firewall can't protect a system
against exploits for software that needs to be exposed anyway. The
current Ubuntu configuration specifies that there aren't any servers
by default - so any open ports are the result of either a user or an
administrator specifically requesting it. So we're left with that
dichotomy: user and administrator. 

So why not run with that? Interactive and non-interactive programs?
Specifically, if a user wants the "control" of a software firewall it
seems it's because they don't trust the interactive software they're

That isn't necessarily a bad thing.

But, iptables rules and conventional Linux firewalls don't handle that
issue. Firewalls in the vein of ZoneAlarm begin to address that issue.

I'll finish this rambling with a link:


--            - Personal webpage

More information about the ubuntu-devel mailing list