Re: Please enable firewalls by default on Linux distributions

From: Erik Aronesty (
Date: 03/08/03

  • Next message: Alan J. Wylie: "Re: iptables - unclean?"
    From: (Erik Aronesty)
    Date: 8 Mar 2003 07:34:53 -0800

    That's silly.

    You too can join class action contributory negligence lawsuits for fun
    and profit.

    Having default security settings for software is like having seat-belts
    in cars or safeties on guns. It was the cost - not the technology -
    that kept them from being installed until it became a crisis.

    Plus, safe guns and cars aren't as cool as unsafe ones.

    I can't imagine that that's the case for Linux.

    Most of Linux comes with dozens of resource-limits turned on. Why?
    To keep the O/S from being too easily compromised.

    An unskilled user can't exceed the max-filehandles, or whatever, and
    cause the O/S to crash. A skilled user can increase these limits and
    "push" his machine's performance-edge, etc.

    Only the network comes with "allow everything" as the default.

    I imagine it was left out, not because it's a good idea to leave it
    out, but just because no one thought of it.

    John Smith <> wrote in message news:<>...
    > Get real.
    > It will likely not happen, also do not assume every install of a piece
    > of technology is on the internet to get DOS attacks.
    > Most non-windows O/S take the approach of making the system modular
    > enough to unload or load whatever you need - just look at Linux
    > /etc/rc.d, Cisco's show config, or Netware's autoexec.ncf.
    > Anyone configuring anything exposed to untrusted networks needs to RTFM
    > and know what is going on under the hood. If not, DOS attacks will be
    > the least of their worries.
    > Erik Aronesty wrote:
    > > DDOS attacks are on the rise.
    > >
    > > Most distributions of Linux ship with powerful firewalls that are
    > > completely turned off when you install them, allowing the systems to
    > > be easily used as staging areas for DDOS attacks.
    > >
    > > Nearly every other piece of network software in the world has "default
    > > settings" that contain restrictions on usage, except our most
    > > important ones. For example: email servers come with rate filtering
    > > defaults and are closed to relaying by default.
    > >
    > > Router vendors should be selling products that are "default
    > > restrictive", unless you are an advanced user who knows how to unlock
    > > more powerful features - not the other way around.
    > >
    > > Rather than begging 200 million clueless users to reconfigure their
    > > OSes and routers after installing them, we should simply call
    > > attention to the security vulnerabilities inherent in the default
    > > settings of the software.
    > >
    > > Filters that are within the capabilities of the O/S and are reasonable
    > > defaults for a majority of the users should be enabled by default.
    > >
    > > At some point, failure to do this could even be seen as negligent on
    > > the part of the vendors.
    > >
    > > At the very least, egress filtering, syn flood prevention, basic port
    > > filters should be enabled by default.
    > >
    > > Any thoughts on how to get the consumer router vendors to do this?
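
As an added illustration (not code from anyone in this thread or from any distribution), the following shell function emits a default-restrictive IPv4 ruleset in iptables-restore format that covers the three items the original post asks for: a basic port filter (default DROP with explicit accepts), SYN-rate limiting, and host-level egress filtering that refuses to send packets carrying a foreign source address. The local prefix and the list of exposed TCP ports are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example: emit a default-restrictive IPv4 ruleset in iptables-restore format.
# Assumptions: the host's own prefix ($1) and the TCP ports it exposes ($2) are
# supplied by the caller; nothing is loaded unless "apply" is requested.

build_ruleset() {
    net="$1"      # e.g. 192.168.1.0/24 (assumed local network)
    ports="$2"    # e.g. "22 80" (assumed inbound TCP services)
    printf '%s\n' '*filter'
    # Basic port filter: every chain drops unless a rule explicitly accepts.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' ':SYNFLOOD - [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # SYN flood prevention: new TCP handshakes are rate-limited before the
    # per-port accept rules see them; SYNs above the limit are dropped.
    printf '%s\n' '-A INPUT -p tcp --syn -j SYNFLOOD'
    printf '%s\n' '-A SYNFLOOD -m limit --limit 25/second --limit-burst 50 -j RETURN'
    printf '%s\n' '-A SYNFLOOD -j DROP'
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p --syn -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT'
    # Egress filtering: packets that do not carry one of our own addresses
    # never leave, so a compromised host cannot emit spoofed-source floods.
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' "-A OUTPUT ! -s $net -j DROP"
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Loading rules needs root, so only do it on explicit request:
#   sh default_fw.sh apply 192.168.1.0/24 "22"
if [ "${1:-}" = "apply" ]; then
    build_ruleset "$2" "$3" | iptables-restore
fi
```

Run without arguments the script only defines the function; `build_ruleset 192.168.1.0/24 "22" | iptables-restore --test` (where supported) checks the generated text before it is ever loaded.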
