Re: Please enable firewalls by default on Linux distributions

From: al_dav (dav@bigfoot.com)
Date: 03/10/03


From: "al_dav" <dav@bigfoot.com>
Date: Mon, 10 Mar 2003 14:42:15 +0100

A seat belt is no use if you are doing 150 mph , having a firewall does not
help if the user is stupid enough.

If the users are leaving all the services open they will probably just
switch off the default firewall anyway because they will just see it as a
problem to maintain.

a user who does not understand or care about security cant be forced to.
most companies have strict control at a higher level so does not concern end
users
home users will learn the hard way :-)

just my 2 Cents worth

Dav..

"Erik Aronesty" <erik@zoneedit.com> wrote in message
news:3939595a.0303080734.6efb22c@posting.google.com...
> That's silly.
>
> You too can join class action contributory negligence lawsuits for fun
> and profit.
>
> Hving default security settings for software is like having seat-belts
> in cars or safetys on guns. It was the cost - not the technology -
> that kept them from being installed until it became a crisis.
>
> Plus, safe guns and cars aren't as cool as unsafe ones.
>
> I can't imagine that that's the case for Linux.
>
> Most of Linux comes with dozens of resource-limits turned on. Why?
> To keep the O/S from being too easily compromised.
>
> An unskilled user can't exceed the max-filehandles, or whatever, and
> cause the O/S to crash. A skilled user can increase these limits and
> "push" his machines performance-edge, etc.
>
> Only the network comes with "allow everying" as the default
> distribution.
>
> I imagine it was left out, not because it's a good idea to leave it
> out, but just because no one thought if it.
>
> John SMith <Jsmith@hotlink.com> wrote in message
news:<3E694DBB.1040601@hotlink.com>...
> > Get real.
> >
> > It will likely not happen, also do not assume every install of a piece
> > of technology is on the internet to get DOS attacks.
> >
> > Most non-windows O/S take the approach of making the system modular
> > enough to unload or load whatever you need - just look at Linux
> > /etc/rc.d, Cisco's show config, or Netware's autoexec.ncf.
> >
> > Any one configuring anything exposed to untrusted networks needs to RTFM
> > and know what is going on under the hood. If not, DOS attacks will be
> > the least of thier worries.
> >
> > Erik Aronesty wrote:
> > > DDOS attacks are on the rise.
> > >
> > > Most distributions of Linux ship with powerful firewalls that are
> > > completely turned off when you install them, allowing the systems to
> > > be easily used as staging areas for DDOS attacks.
> > >
> > > Nearly every other piece of network software in the world has "default
> > > settings" that contain restrictions on usage, except our most
> > > important ones. For example: email servers come with rate filtering
> > > defaults and are closed to relaying by default.
> > >
> > > Router vendors should be selling products that are "default
> > > restrictive", unless you are an advanced user who knows how to unlock
> > > more powerful features - not the other way around.
> > >
> > > Rather than begging 200 million clueless users to reconfigure their
> > > OS'es and routers after installing them, we should simply call
> > > attention to the security vulnerabilities inherent in the default
> > > settings of the software.
> > >
> > > Filters that are within the capabilities of the O/S and are reasonable
> > > defaults for a majority of the users should be enabled by default.
> > >
> > > At some point, failure to do this could even be seen as negligent on
> > > the part of the vendors.
> > >
> > > At the very least, egress filtering, syn flood prevention, basic port
> > > filters should be enabled by default.
> > >
> > > Any thoughts on how to get the consumer router vendors to do this?



Relevant Pages

  • Re: Linux or BSD alternative to Windows Home Server
    ... My questions were about Gentoo vs. Linux for a sever, ... I will probably eventually have a dedicated firewall ... if you were to have a file server which is accessible ... I'm aware that I could probably create scripts to regularly backup ...
    (comp.os.linux.misc)
  • Re: Seriously, now that I got Linux LiveCD running, what can I do with it? Newbie questions
    ... as opposed to in Windows. ... this is not a software firewall as in Windows. ... firewalling code in GNU/Linux is actually part of the Linux kernel ... Kubuntu, Xubuntu et al, the first user account created at installation ...
    (comp.os.linux.setup)
  • Re: OT - Desktop Linux
    ... I've got both windows and linux boxes. ... But are there any desktop operating systems out there which enjoy a dis- ... software firewall, have a good and up to date ...
    (alt.sports.basketball.nba.la-lakers)
  • Re: [opensuse] installing openSUSE on an older pc
    ... it seems Linux in general is going the way of M$, when you come to linux forums ... I picked them up as junk-ware from the Salvation Army thrift store for less than a meal for the family at McD's would cost. ... WYSISYG, and a large, capable desktop manager is going to need more memory. ... My firewall, mail-hub, file-server: all headless. ...
    (SuSE)
  • Re: Seriously, now that I got Linux LiveCD running, what can I do with it? Newbie questions
    ... For example, there are some differences in the way distributions handle updates, configuration, root access, etc. - bbgruff is probably used to other distributions and was a little inaccurate about the way sudo is used in Ubuntu and Mint. ... It's probably easier for you to understand if I translate things roughly into windows terms. ... They are not entirely equivalent - MS didn't get things quite right when they copied user access from Linux for use in NT, or when they copied sudo as "user account control" in Vista. ... I don't normally configure a firewall on desktop or laptop Linux machines, and only do so on servers if they are internet-accessible. ...
    (comp.os.linux.setup)