From: Michael Shigorin
To: devel@altlinux.ru
Date: Mon, 2 May 2005 19:06:54 +0300
Message-ID: <20050502160654.GR16489@osdn.org.ua>
Subject: [devel] Fwd: [school-discuss] Firewalls, services, and packages (was: Re: Ubuntu - Linux for Human Beings)

...as a follow-up (although the question itself clearly does not lend itself to "simply automating" any solution).

----- Forwarded message from "Karsten M. Self" -----

Date: Thu, 28 Apr 2005 16:39:37 -0700
From: "Karsten M. Self"
To: schoolforge-discuss schoolforge.net
Subject: [school-discuss] Firewalls, services, and packages (was: Re: Ubuntu - Linux for Human Beings)

on Thu, Apr 28, 2005 at 02:07:32PM -0700, Karsten M. Self (kmself ix.netcom.com) wrote:
> on Wed, Apr 27, 2005 at 09:53:59AM -0300, Stephen Downes (stephen downes.ca) wrote:
> > Yishay Mor wrote:

> - Clean network profile. As noted above, you'll have to install any
>   services you want to run, SSH among them. One consequence is that
>   there is no firewall configured or installed by default,
>   rationalized by the lack of listening services.
Re-reading this, I realized that this is a good place to mention a
suggestion of Don Marti's (Linux Journal's editor): autoconfigured
firewalls based on installed and/or running services. Don laid out the
basic scheme in a linux-elitists post:

    http://zgp.org/pipermail/linux-elitists/2005-April/011145.html

    [linux-elitists] Integrating the firewall and the package manager?
    Don Marti dmarti at zgp.org
    Tue Apr 12 11:28:06 PDT 2005

    Problem: malware can spread without getting root.

    Solution:

    Solution? What is this, a banner for a tradeshow booth? There are
    no "solutions", just extra hops on the attack path.

    I think it's possible to combine the problem of setting up local
    firewall rules with the easier problem of using the package manager
    correctly. Basically, the system boots up with all tables default
    DROP. Then, when any daemon starts, its init script is responsible
    for setting up any rules necessary for it to do its job. If you
    start a local-only daemon, the script should be smart enough to
    parse the daemon's config file and only allow traffic that the
    daemon will. If you set up an MTA with a smarthost, the script
    should be smart enough to allow outgoing port 25 only to the
    smarthost.

This would be a great value-add for distros, and something a
policy-based, APT-managed distro could do quite readily.

There's discussion of some of the obvious implications / concerns in the
list followup, but I think the basic idea is really sound.

Peace.

-- 
Karsten M. Self                      http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    The black hat community is drooling over the possibility of a secure
    execution environment that would allow applications to run in a
    secure area which cannot be attached to via debuggers.
    - Jason Spence, on Palladium aka NGSCB aka "Trusted Computing"

----- End forwarded message -----

-- 
 ---- WBR, Michael Shigorin
------ Linux.Kiev http://www.linux.kiev.ua/
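Don Marti's scheme as quoted above, worked through as an added example that is not part of the original post, of ALT Linux, or of any existing package: a POSIX sh init-script fragment that derives an MTA's iptables rules from its own configuration on top of a default-DROP baseline. The Postfix-style main.cf keys (relayhost, inet_interfaces), the resolv.conf format, the rule layout and all host names and addresses in the sample are assumptions made for the example. Rule application is stubbed: IPTABLES defaults to "echo iptables", so running it prints the rules it would insert instead of touching the kernel.

```shell
#!/bin/sh
# Hypothetical init-script fragment (added example, not from the post):
# derive a daemon's firewall rules from its own config, on top of a
# default-DROP policy, the way Don Marti's scheme describes.
# Rule application is stubbed: IPTABLES defaults to "echo iptables", so the
# script prints the rules it would apply; set IPTABLES=iptables to apply them.

IPTABLES="${IPTABLES:-echo iptables}"

# Baseline the boot sequence would apply before any daemon starts:
# drop everything, allow loopback and replies to connections we initiated.
baseline_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# cfg_get FILE KEY: value of the last "KEY = value" line in a Postfix-style
# main.cf (assumed format), with surrounding whitespace removed.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# parse_relayhost VALUE: print "host port" for the forms Postfix accepts,
# "host", "host:port", "[host]" and "[host]:port"; the default port is 25.
parse_relayhost() {
    rh=$1
    port=25
    case $rh in
        *\]:*)  port=${rh##*\]:}; rh=${rh%%\]:*}; rh=${rh#\[} ;;
        \[*\])  rh=${rh#\[}; rh=${rh%\]} ;;
        *:*)    port=${rh##*:}; rh=${rh%%:*} ;;
    esac
    printf '%s %s\n' "$rh" "$port"
}

# resolver_rules RESOLV_CONF: allow DNS only to the configured nameservers.
# The MTA resolves the smarthost itself, so this is needed even with a relayhost.
resolver_rules() {
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$1"); do
        $IPTABLES -A OUTPUT -p udp -d "$ns" --dport 53 -j ACCEPT
    done
}

# mta_rules MAIN_CF RESOLV_CONF: what the MTA's init script would add.
# Inbound SMTP only if the daemon listens on a non-loopback interface;
# outbound SMTP only to the smarthost when one is configured.
mta_rules() {
    main_cf=$1
    resolv_conf=$2
    relayhost=$(cfg_get "$main_cf" relayhost)
    inet_interfaces=$(cfg_get "$main_cf" inet_interfaces)
    : "${inet_interfaces:=all}"

    resolver_rules "$resolv_conf"

    case $inet_interfaces in
        loopback-only|localhost) ;;    # local-only daemon: nothing reachable from outside
        all) $IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT ;;
        *)   $IPTABLES -A INPUT -p tcp -d "$inet_interfaces" --dport 25 \
                 -m state --state NEW -j ACCEPT ;;   # single listen address assumed
    esac

    if [ -n "$relayhost" ]; then
        set -- $(parse_relayhost "$relayhost")
        $IPTABLES -A OUTPUT -p tcp -d "$1" --dport "$2" -m state --state NEW -j ACCEPT
    else
        # Direct delivery: port 25 to anywhere is unavoidable.
        $IPTABLES -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
    fi
}

# Usage: sh mta-firewall.sh /etc/postfix/main.cf [/etc/resolv.conf]
if [ $# -ge 1 ]; then
    baseline_rules
    mta_rules "$1" "${2:-/etc/resolv.conf}"
fi
```

Two caveats a practitioner would want before relying on this. iptables resolves a `-d hostname` once, when the rule is inserted, so a smarthost whose address changes leaves a stale rule until the script is re-run; an IP in relayhost, or re-running the script on config reload, avoids that. And as Don says, this is an extra hop rather than a solution: malware running as the mail user can still reach the smarthost on the permitted port, so the rule narrows where it can go, not whether it can talk at all.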