Re: Please enable firewalls by default on Linux distributions

Date: 03/10/03

A seat belt is no use if you are doing 150 mph; having a firewall does not
help if the user is stupid enough.

If the users are leaving all the services open, they will probably just
switch off the default firewall anyway because they will just see it as a
problem to maintain.

A user who does not understand or care about security can't be forced to.
Most companies have strict control at a higher level, so it does not concern
them; end users at home will learn the hard way :-)

Just my 2 cents' worth.


> That's silly.
> You too can join class action contributory negligence lawsuits for fun
> and profit.
> Having default security settings for software is like having seat-belts
> in cars or safeties on guns. It was the cost - not the technology -
> that kept them from being installed until it became a crisis.
> Plus, safe guns and cars aren't as cool as unsafe ones.
> I can't imagine that that's the case for Linux.
> Most of Linux comes with dozens of resource-limits turned on. Why?
> To keep the O/S from being too easily compromised.
> An unskilled user can't exceed the max-filehandles, or whatever, and
> cause the O/S to crash. A skilled user can increase these limits and
> "push" his machine's performance edge, etc.
> Only the network comes with "allow everything" as the default
> distribution.
> I imagine it was left out, not because it's a good idea to leave it
> out, but just because no one thought of it.
> > Get real.
> >
> > It will likely not happen, also do not assume every install of a piece
> > of technology is on the internet to get DoS attacks.
> >
> > Most non-windows O/S take the approach of making the system modular
> > enough to unload or load whatever you need - just look at Linux
> > /etc/rc.d, Cisco's show config, or Netware's autoexec.ncf.
> >
> > Anyone configuring anything exposed to untrusted networks needs to RTFM
> > and know what is going on under the hood. If not, DoS attacks will be
> > the least of their worries.
> >
> > Erik Aronesty wrote:
> > > DDoS attacks are on the rise.
> > >
> > > Most distributions of Linux ship with powerful firewalls that are
> > > completely turned off when you install them, allowing the systems to
> > > be easily used as staging areas for DDoS attacks.
> > >
> > > Nearly every other piece of network software in the world has "default
> > > settings" that contain restrictions on usage, except our most
> > > important ones. For example: email servers come with rate filtering
> > > defaults and are closed to relaying by default.
> > >
> > > Router vendors should be selling products that are "default
> > > restrictive", unless you are an advanced user who knows how to unlock
> > > more powerful features - not the other way around.
> > >
> > > Rather than begging 200 million clueless users to reconfigure their
> > > OSes and routers after installing them, we should simply call
> > > attention to the security vulnerabilities inherent in the default
> > > settings of the software.
> > >
> > > Filters that are within the capabilities of the O/S and are reasonable
> > > defaults for a majority of the users should be enabled by default.
> > >
> > > At some point, failure to do this could even be seen as negligent on
> > > the part of the vendors.
> > >
> > > At the very least, egress filtering, SYN flood prevention, and basic port
> > > filters should be enabled by default.
> > >
> > > Any thoughts on how to get the consumer router vendors to do this?
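
[Editor's note, not part of the thread] The three defaults asked for in the
original post (egress filtering, SYN flood prevention, basic port filters)
fit in a short rc-style iptables script. The script below is an added
example written for this page; it is not code from any of the posters. The
interface name eth0, the address 203.0.113.10 (a documentation range) and the
OPEN_TCP_PORTS knob are assumptions for illustration. It uses the iptables
1.4-style negation (`! -s`); the 1.2-era releases current in 2003 wrote the
negation after the option (`-s !`). "show" prints the rules for review,
"apply" loads them and needs root.

```shell
#!/bin/sh
# Added example, not from the thread: a default-restrictive host ruleset
# for iptables covering egress filtering, SYN flood damping and a basic
# port filter.  Interface, address and the OPEN_TCP_PORTS knob are
# assumptions for illustration.
#   sh fw.sh show    prints the rules
#   sh fw.sh apply   loads them (needs root and the iptables binary)

IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-eth0}              # assumed Internet-facing interface
WAN_IP=${WAN_IP:-203.0.113.10}      # assumed address on it (documentation range)
OPEN_TCP_PORTS=${OPEN_TCP_PORTS:-}  # empty by default: nothing reachable from outside

# Emit the rule set, one iptables invocation per line, so it can be
# reviewed before it is loaded.
fw_rules() {
    cat <<EOF
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
EOF
    # Ingress anti-spoofing: loopback and RFC 1918 sources never arrive
    # legitimately on the WAN side.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "$IPT -A INPUT -i $WAN_IF -s $net -j DROP"
    done
    # SYN flood damping: new TCP connections above the rate are dropped;
    # established traffic was already accepted above and is unaffected.
    cat <<EOF
$IPT -N syn_flood
$IPT -A INPUT -p tcp --syn -j syn_flood
$IPT -A syn_flood -m limit --limit 10/s --limit-burst 30 -j RETURN
$IPT -A syn_flood -j DROP
EOF
    # Basic port filter: only services the admin listed are reachable.
    # The "advanced user unlock" is setting OPEN_TCP_PORTS="22 80".
    for port in $OPEN_TCP_PORTS; do
        echo "$IPT -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
$IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-drop: "
EOF
    # Egress filter: a packet leaving the WAN interface with a source
    # address that is not ours is forged (the DDoS staging case above).
    echo "$IPT -A OUTPUT -o $WAN_IF ! -s $WAN_IP -j DROP"
}

case "${1:-}" in
    show)  fw_rules ;;
    apply) fw_rules | sh -e ;;
esac
```

Two things worth checking after loading: `iptables -L -v -n` should show
the syn_flood and LOG counters moving under a port scan, and nothing else
should reach the INPUT policy from the outside. On a router rather than a
host the egress rule belongs in FORWARD, keyed on the inside interface and
the LAN prefix (`-i $LAN_IF ! -s $LAN_NET -j DROP`), so forged packets from
any machine behind it are dropped at the first hop.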

