RE: [suse-security] Loading firewall script on boot time
I do not want to continue this debate endlessly, but make my final
- as mentioned before, activating the YaST Firewall resulted in unwanted
results. Firstly, it would only accept incoming service requests if you
either had them running on the FW machine or running a DMZ. Neither was
true in my case.
- second: by implementing forwarding with Firewall (masqueraded or not)
I was always able to break in on those high ports, used for passive FTP
- and third: due to this I was forced to do something else.
My final script will only allow HTTP in both directions and FTP outbound
with Data Connection (RELATED). Nothing more. Nothing less. And yes, I
did probe the ruleset with port scanners.
I do agree that if you have a standard "world" (i.e. Outside - Bad
World, Inside - LAN and maybe even DMZ) then there's no point in
"reinventing the wheel". But the specifications were not standard, and were
not subject to change.
And finally: I am a Linux newbie all right, but no computer/security
newbie. I never take things for granted, like "oh well, my script runs
fine when I start it manually, and it is named xy_firewall, I guess the
system knows that this must be loaded at boot time too. I don't bother
testing after boot time however. Port scan the system? Why should I? I
know it works. Sign here, and good bye."
Have a nice day
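The policy stated in the message above (HTTP in both directions, FTP outbound with the data connection accepted as RELATED, everything else dropped) and the thread's central worry (a script that works when started by hand but is never loaded at boot) can both be shown in one small script. The following is an added example written for this archive page; it is not Knut's script and not SuSEfirewall2 or anything YaST produces. The external interface name `eth0`, the assumption that the host does not route for a LAN (FORWARD stays closed), and the `iptables-save` output format that the check parses are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not the poster's script, not SuSEfirewall2): a minimal
# iptables ruleset for "HTTP both ways, FTP out with RELATED data, nothing
# else", plus a post-boot check that the rules are really loaded.
WAN_IF="${WAN_IF:-eth0}"    # assumed external interface
DRY_RUN="${DRY_RUN:-}"      # non-empty: print the commands instead of running them

# Run a command, or print it when DRY_RUN is set (review before installing
# the script in the boot sequence).
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_ruleset() {
    # The FTP connection-tracking helper is what makes RELATED match the
    # passive-mode data connection on a random high port. Without it the
    # RELATED rule never fires for FTP data, which is how people end up
    # opening the whole high port range. The module name depends on the kernel.
    run modprobe nf_conntrack_ftp 2>/dev/null || run modprobe ip_conntrack_ftp 2>/dev/null || true

    run iptables -F INPUT
    run iptables -F OUTPUT
    run iptables -F FORWARD
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP     # this host does not forward for a LAN

    run iptables -A INPUT  -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # Replies to connections allowed below, and helper-tracked FTP data connections
    run iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # HTTP in both directions
    run iptables -A INPUT  -i "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run iptables -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # FTP: only the outbound control channel is opened explicitly; the data
    # channel (active or passive) is accepted as RELATED by the rules above
    run iptables -A OUTPUT -o "$WAN_IF" -p tcp --dport 21 -m state --state NEW -j ACCEPT
}

# Post-boot check: reads `iptables-save` output on stdin and returns 0 only if
# all three DROP policies and the FTP control rule are present. Run it after a
# reboot, before trusting the boot integration:  iptables-save | sh fw.sh check
ruleset_is_active() {
    save=$(cat)
    for chain in INPUT OUTPUT FORWARD; do
        echo "$save" | grep -q "^:$chain DROP" || return 1
    done
    echo "$save" | grep -q -- '^-A OUTPUT .*--dport 21 ' || return 1
    return 0
}

case "${1:-}" in
    apply) apply_ruleset ;;
    check) ruleset_is_active && echo "ruleset active" || { echo "ruleset NOT active"; exit 1; } ;;
esac
```

`DRY_RUN=1 sh fw.sh apply` prints the rules for review; `sh fw.sh apply` as root installs them; `iptables-save | sh fw.sh check` after a reboot tells you whether the boot hook actually ran, which is exactly the thing the thread says must not be taken on faith. Name resolution (UDP 53) is deliberately not opened, to match the "nothing more" policy as stated; a real installation usually needs it. An external scan from another host, as Andy suggests, is still the confirmation that matters.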
From: Andy Bennett [mailto:andy@xxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, July 30, 2003 6:55 PM
Subject: Re: AW: [suse-security] Loading firewall script on boot time
Whilst I accept that it is a requirement of a secure system that the
configuring it understands how it works I hope that you're not seriously
suggesting that a greater level of security is achieved by having to
every single aspect of a secure system rather than using some of the
where appropriate, that are readily available?
That isn't true, is it.
How secure would Knut have been if he hadn't realised that his firewall
wasn't loading when his machine started up?
Having said that, the exercise has been worthwhile in that he has gained
greater understanding of his system.
The only thing I would add is that he needs to run an external scan of
system to make sure it's as closed as he thinks.