
Re: What I HATE about F11



On Sun, 14.06.09 14:01, Bruno Wolff III (bruno wolff to) wrote:

> 
> On Sun, Jun 14, 2009 at 20:08:31 +0200,
>   Lennart Poettering <mzerqung 0pointer de> wrote:
> > 
> > enabled by default, like we currently do. If an application cannot be
> > trusted then it should not be allowed to listen on a port by default
> > in the first place. A firewall is an extra layer of security that
> > simply hides the actual problem.
> 
> The point of the firewall is to block connections to services that are
> only supposed to be connected from trusted locations. This may be things
> you are testing, don't intend to be running, don't bind to 127.0.0.1 instead
> of 0.0.0.0, even though they are intended to be accessed from the local
> machine, or services that you only want to accept connections from a white
> list of IP addresses.

Aha!

The currently existing firewall knows nothing about "trusted
locations". Which is precisely what makes it so pointless.

Also, if an application listens on 0.0.0.0 but should actually be
listening on 127.0.0.1 then this is a bug, which is simply taped over
by running a firewall. This really needs to be fixed in the
application.

I mean, maybe it is just me, but I actually think that bugs should be
fixed where they are, and not by taping over them.

Everything you wrote above simply proves my points...

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4
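The disagreement above turns on one concrete, checkable fact: whether a service is bound to the wildcard address (0.0.0.0, reachable from every interface) or to loopback (127.0.0.1). The script below is an added example, not code from this thread or from either poster; it parses the Linux `/proc/net/tcp` table (the sample rows are constructed, not captured from a real host) and lists the sockets in LISTEN state that are bound to 0.0.0.0, i.e. exactly the mis-bound services the message says a firewall papers over. It also shows the fix on the application side: binding the listener to 127.0.0.1 in the first place.

```python
import socket
import struct

# Constructed sample modelled on the /proc/net/tcp format (not from a real host).
# Rows 0-2 are in state 0A (LISTEN); row 3 is 01 (ESTABLISHED) and is ignored.
# Addresses are hex in host byte order (little-endian on x86):
#   0100007F:0277 -> 127.0.0.1:631   (loopback only)
#   00000000:0016 -> 0.0.0.0:22      (every interface)
#   00000000:1F90 -> 0.0.0.0:8080    (every interface, run by uid 1000)
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A00020F:D431 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""

LISTEN = "0A"  # TCP_LISTEN as printed in the 'st' column


def decode_ipv4(hex_addr):
    """Decode the 'AABBCCDD:PPPP' local_address field into ('a.b.c.d', port).

    The 32-bit address is printed in host byte order, so on a little-endian
    machine it must be repacked as '<I' before inet_ntoa sees it.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return [(ip, port, uid)] for every socket in LISTEN state."""
    results = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = decode_ipv4(fields[1])
        results.append((ip, port, int(fields[7])))  # fields[7] is the owning uid
    return results


def wildcard_listeners(proc_net_tcp_text):
    """Listeners bound to 0.0.0.0: reachable from every interface, so these are
    the candidates for 'should have been 127.0.0.1' in the discussion above."""
    return [entry for entry in listening_sockets(proc_net_tcp_text)
            if entry[0] == "0.0.0.0"]


def loopback_listener(port=0):
    """The application-side fix: bind to loopback explicitly instead of relying
    on a firewall to hide a wildcard bind. Returns the bound (ip, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", port))  # not ("0.0.0.0", port) or ("", port)
        srv.listen(1)
        return srv.getsockname()
    finally:
        srv.close()


if __name__ == "__main__":
    # On a live system read the real table instead of the constructed sample:
    #   with open("/proc/net/tcp") as f: table = f.read()
    for ip, port, uid in wildcard_listeners(SAMPLE_PROC_NET_TCP):
        print(f"wildcard listener {ip}:{port} (uid {uid})")
    print("loopback-only listener bound at", loopback_listener())
```

Run against the real `/proc/net/tcp` (and `/proc/net/tcp6`, whose address field is 128 bits and needs a different decoder), this gives the list of services to review per the message's argument: each wildcard entry is either genuinely meant to be reachable from other hosts or is a binding bug to fix in the application, independent of any firewall rules in front of it.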

