[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Disable IPv6 by default.



On Thu, 2007-09-13 at 18:41 -0400, Chuck Anderson wrote:
> On Fri, Sep 14, 2007 at 12:38:04AM +0200, David Woodhouse wrote:
> > On Thu, 2007-09-13 at 22:12 +0200, Till Maas wrote:
> > > It circumenvents iptables rules. 
> > 
> > IPv6 doesn't 'circumvent' iptables rules any more than IPv4
> > 'circumvents' ip6tables rules.
> > 
> > Besides, http://www.advogato.org/person/dwmw2/diary/164.html
> 
> +1.  Firewalls just break connectivity and are a handicap that enables 
> people to be lazy about system security.  And don't get me started on 
> NAT :-)

-1. Firewalls are a mandatory access control system like SELinux. Their
purpose is to prevent (certain kinds of) connectivity outside of the
services they are shielding. You can easily log blocked connection
attempts.

Following your argument, one could say that "SELinux just breaks
functionality and is a handicap that enables developers to be lazy about
system security". Which it isn't. Both are additional lines of defense.

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp redhat com
"Those who would give up Essential Liberty to purchase a little Temporary
 Safety, deserve neither Liberty nor Safety."  --  B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]