From: Michael Shigorin <mike@osdn.org.ua>
To: devel@altlinux.ru
Subject: [devel] Fwd: [school-discuss] Firewalls, services, and packages (was: Re: Ubuntu - Linux for Human Beings)
Date: Mon, 2 May 2005 19:06:54 +0300
Message-ID: <20050502160654.GR16489@osdn.org.ua>

...as a follow-up (although the question itself clearly cannot be "just automated" by any solution)

----- Forwarded message from "Karsten M. Self" <kmself ix.netcom.com> -----

Date: Thu, 28 Apr 2005 16:39:37 -0700
From: "Karsten M. Self" <kmself ix.netcom.com>
To: schoolforge-discuss schoolforge.net
Subject: [school-discuss] Firewalls, services, and packages (was: Re: Ubuntu - Linux for Human Beings)

on Thu, Apr 28, 2005 at 02:07:32PM -0700, Karsten M. Self (kmself ix.netcom.com) wrote:
> on Wed, Apr 27, 2005 at 09:53:59AM -0300, Stephen Downes (stephen downes.ca) wrote:
> > Yishay Mor wrote:

> - Clean network profile. As noted above, you'll have to install any
>   services you want to run, SSH among them. One consequence is that
>   there is no firewall configured or installed by default,
>   rationalized by the lack of listening services.

Re-reading this, I realized that this is a good place to mention a
suggestion of Don Marti's (Linux Journal's editor): autoconfigured
firewalls based on installed and/or running services.

Don laid out the basic scheme in a linux-elitists post:

    http://zgp.org/pipermail/linux-elitists/2005-April/011145.html

    [linux-elitists] Integrating the firewall and the package manager?
    Don Marti dmarti at zgp.org
    Tue Apr 12 11:28:06 PDT 2005

    Problem: malware can spread without getting root.

    Solution:

    Solution? What is this, a banner for a tradeshow booth? There are
    no "solutions", just extra hops on the attack path.

    I think it's possible to combine the problem of setting up local
    firewall rules with the easier problem of using the package manager
    correctly.

    Basically, the system boots up with all tables default DROP.
    Then, when any daemon starts, its init script is responsible for
    setting up any rules necessary for it to do its job. If you start
    a local-only daemon, the script should be smart enough to parse the
    daemon's config file and only allow traffic that the daemon will.
    If you set up an MTA with a smarthost, the script should be smart
    enough to allow outgoing port 25 only to the smarthost.

    This would be a great value-add for distros, and something a
    policy-based, APT-managed distro could do quite readily.

There's discussion of some of the obvious implications / concerns in the
list followup, but I think the basic idea is really sound.

Peace.

-- 
Karsten M. Self <kmself ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    The black hat community is drooling over the possibility of a secure
    execution environment that would allow applications to run in a secure
    area which cannot be attached to via debuggers.
    - Jason Spence, on Palladium aka NGCSB aka "Trusted Computing"

----- End forwarded message -----

-- 
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/
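The scheme Don Marti sketches above (boot with every chain at DROP, then let each daemon's init script derive the narrowest rule from the daemon's own config) can be made concrete in a few shell functions. The script below is an added example and is not code from his post, from Karsten's mail, or from any distribution; the config keys (`relayhost`, `listen`), the daemon names, the sample configs and the addresses are assumptions chosen so it runs stand-alone. The functions only print the iptables commands an init script would execute, so the resulting ruleset can be reviewed and tested without touching a live firewall. Two points the post leaves implicit are handled: a missing or malformed smarthost setting fails closed (nothing is opened), and every value taken from the config is character-whitelisted before it lands on an iptables command line, because a script that turns config text into shell commands is itself an injection surface.

```shell
#!/bin/sh
# Added example of "init script derives its own firewall rules" (Don Marti's
# idea as quoted in the mail). Not code from the post or from any distro;
# config keys, daemon names and addresses are assumptions. Functions PRINT
# the iptables commands instead of running them.

IPTABLES=${IPTABLES:-iptables}

# Boot-time baseline: every chain defaults to DROP; only loopback and
# replies to connections we ourselves opened are allowed.
base_rules() {
    cat <<EOF
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# cfg_get CONFIG_TEXT KEY: value of the first "KEY = value" line (trailing
# whitespace stripped), empty if the key is absent.
cfg_get() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Whatever the config hands us ends up on an iptables command line, so
# whitelist it first: a hostile or mistyped config must not become a shell
# injection or an over-broad rule.
valid_host() { case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; *) return 0 ;; esac; }
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# MTA with a smarthost (Postfix-style "relayhost = [host]:port"): allow
# outgoing SMTP only to that host. Without a relayhost we emit nothing and
# fail, i.e. the MTA starts with outbound mail blocked rather than with
# port 25 open to the whole Internet.
mta_rules() {
    relay=$(cfg_get "$1" relayhost)
    [ -n "$relay" ] || { echo "mta_rules: no relayhost configured, no rule emitted" >&2; return 1; }
    r=$(printf '%s' "$relay" | sed 's/[][]//g')   # drop Postfix's [] brackets
    host=${r%%:*}
    case $r in *:*) port=${r##*:} ;; *) port=25 ;; esac
    valid_host "$host" && valid_port "$port" \
        || { echo "mta_rules: refusing relayhost '$relay'" >&2; return 1; }
    echo "$IPTABLES -A OUTPUT -p tcp -d $host --dport $port -j ACCEPT"
}

# Generic listening daemon ("listen = addr:port"): open INPUT only for the
# socket it actually binds. A loopback bind needs no rule at all (base_rules
# already accepts lo); 0.0.0.0 gets the port with no address restriction.
listener_rules() {
    l=$(cfg_get "$1" listen)
    [ -n "$l" ] || { echo "listener_rules: no listen address, no rule emitted" >&2; return 1; }
    addr=${l%%:*}; port=${l##*:}
    valid_host "$addr" && valid_port "$port" \
        || { echo "listener_rules: refusing listen '$l'" >&2; return 1; }
    case $addr in
        127.*)   return 0 ;;
        0.0.0.0) echo "$IPTABLES -A INPUT -p tcp --dport $port -j ACCEPT" ;;
        *)       echo "$IPTABLES -A INPUT -p tcp -d $addr --dport $port -j ACCEPT" ;;
    esac
}

# Constructed sample configs (not real files from any system).
MTA_CFG='# main.cf fragment
myhostname = mail.example.org
relayhost = [smtp.example.net]:587'
LOCAL_DB_CFG='listen = 127.0.0.1:5432'
LAN_DB_CFG='listen = 192.168.1.10:5432'

# Run with --print to see the ruleset a boot would assemble in order:
# baseline DROP first, then one narrow addition per daemon start.
if [ "${1:-}" = --print ]; then
    base_rules
    mta_rules "$MTA_CFG"
    listener_rules "$LOCAL_DB_CFG"
    listener_rules "$LAN_DB_CFG"
fi
```

Running it with `--print` shows the three-policy DROP baseline followed by exactly one OUTPUT rule for the smarthost and one INPUT rule for the LAN-bound daemon; the loopback-only daemon contributes nothing. The ordering matters for the post's argument: rules are only ever added on top of DROP by the init script that owns the daemon, so stopping the daemon (or never installing the package) leaves the port closed without any separate firewall configuration step.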