Re: Please enable firewalls by default on Linux distributions

From: Erik Aronesty (
Date: 03/08/03

  • Next message: Alan J. Wylie: "Re: iptables - unclean?"
    From: (Erik Aronesty)
    Date: 8 Mar 2003 07:34:53 -0800

    That's silly.

    You too can join class action contributory negligence lawsuits for fun
    and profit.

    Hving default security settings for software is like having seat-belts
    in cars or safetys on guns. It was the cost - not the technology -
    that kept them from being installed until it became a crisis.

    Plus, safe guns and cars aren't as cool as unsafe ones.

    I can't imagine that that's the case for Linux.

    Most of Linux comes with dozens of resource-limits turned on. Why?
    To keep the O/S from being too easily compromised.

    An unskilled user can't exceed the max-filehandles, or whatever, and
    cause the O/S to crash. A skilled user can increase these limits and
    "push" his machines performance-edge, etc.

    Only the network comes with "allow everying" as the default

    I imagine it was left out, not because it's a good idea to leave it
    out, but just because no one thought if it.

    John SMith <> wrote in message news:<>...
    > Get real.
    > It will likely not happen, also do not assume every install of a piece
    > of technology is on the internet to get DOS attacks.
    > Most non-windows O/S take the approach of making the system modular
    > enough to unload or load whatever you need - just look at Linux
    > /etc/rc.d, Cisco's show config, or Netware's autoexec.ncf.
    > Any one configuring anything exposed to untrusted networks needs to RTFM
    > and know what is going on under the hood. If not, DOS attacks will be
    > the least of thier worries.
    > Erik Aronesty wrote:
    > > DDOS attacks are on the rise.
    > >
    > > Most distributions of Linux ship with powerful firewalls that are
    > > completely turned off when you install them, allowing the systems to
    > > be easily used as staging areas for DDOS attacks.
    > >
    > > Nearly every other piece of network software in the world has "default
    > > settings" that contain restrictions on usage, except our most
    > > important ones. For example: email servers come with rate filtering
    > > defaults and are closed to relaying by default.
    > >
    > > Router vendors should be selling products that are "default
    > > restrictive", unless you are an advanced user who knows how to unlock
    > > more powerful features - not the other way around.
    > >
    > > Rather than begging 200 million clueless users to reconfigure their
    > > OS'es and routers after installing them, we should simply call
    > > attention to the security vulnerabilities inherent in the default
    > > settings of the software.
    > >
    > > Filters that are within the capabilities of the O/S and are reasonable
    > > defaults for a majority of the users should be enabled by default.
    > >
    > > At some point, failure to do this could even be seen as negligent on
    > > the part of the vendors.
    > >
    > > At the very least, egress filtering, syn flood prevention, basic port
    > > filters should be enabled by default.
    > >
    > > Any thoughts on how to get the consumer router vendors to do this?

  • Next message: Alan J. Wylie: "Re: iptables - unclean?"