Network Servers (where is my workgroup?)

Matthew Miller mattdm at mattdm.org
Wed Oct 20 18:26:04 UTC 2004


On Wed, Oct 20, 2004 at 08:17:51PM +0200, Patrick wrote:
> >https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=113918
> Yes, it was the firewall issue. I opened smb ports and it worked fine, 
> but isn't that less secure?

Marginally. The firewall is based on a packet filter -- if an incoming
packet doesn't seem to have any business on the machine, the kernel drops it
before it gets anywhere. That's a pretty good first defense. But if you
don't have any services running on network accessible ports, those packets
aren't going to have anywhere to go either. And even if you are running
services (which you might punch through the firewall anyway), you should
have other access control mechanisms (/etc/hosts.allow and /etc/hosts.deny,
for example) in place too.

The problem is that it's not trivial to make a rule which allows the needed
SMB traffic without basically making the whole firewall irrelevant. It
requires tracking state, which the current system-config-securitylevel
doesn't attempt. (disclaimer: haven't looked extensively at the FC3 one, but
I assume it hasn't changed based on the comments of others)

The bugzilla entry above links to what will probably be the long-term
solution to this -- a smarter firewall. You could implement that sort of
thing yourself, but personally, I'd make sure my other system security was
in good shape, and not worry about it for now.
-- 
Matthew Miller           mattdm at mattdm.org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
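The kind of rule the post describes as non-trivial without state tracking, written out as an added example. This is not code from the original post, from Samba, or from Fedora's system-config-securitylevel. It assumes iptables with the `state` match, a placeholder LAN interface `eth0` and subnet `192.168.1.0/24`, and the standard SMB/NetBIOS ports (137 and 138 UDP, 139 and 445 TCP), which the post only refers to as "smb ports". By default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the original post or from Fedora's
# system-config-securitylevel: a small stateful iptables ruleset that admits
# SMB only from the local subnet, so the SMB exception does not make the rest
# of the firewall irrelevant.  LAN_IF and LAN_NET are placeholder values; the
# port numbers are the standard SMB/NetBIOS ports (137,138/udp, 139,445/tcp).
# IPT defaults to printing the commands (dry run); set IPT=iptables to apply.

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-echo iptables}"

# The blanket approach: the SMB ports are reachable from any source address,
# so as far as SMB is concerned the firewall might as well not be there.
smb_rules_open() {
  $IPT -A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT
  $IPT -A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
}

# The scoped, stateful approach.
smb_rules_scoped() {
  # Loopback traffic is always accepted.
  $IPT -A INPUT -i lo -j ACCEPT
  # Packets belonging to a connection this host already accepted or started.
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # New SMB connections only when they arrive on the LAN interface from the
  # LAN subnet: NetBIOS name and datagram service (UDP) ...
  $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp -m multiport --dports 137,138 \
       -m state --state NEW -j ACCEPT
  # ... and NetBIOS session service plus direct-hosted SMB (TCP).
  $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 139,445 \
       -m state --state NEW -j ACCEPT
  # Anything else unsolicited is dropped.
  $IPT -A INPUT -j DROP
}

# Review helper: count the ACCEPT rules in a ruleset that carry no source
# restriction (loopback and the established-state rule are not counted).
# Takes the name of a rule-emitting function and prints the count.
unscoped_accepts() {
  "$1" | grep -- '-j ACCEPT' | grep -v -- ' -s ' | grep -v -- ' -i lo ' \
       | grep -v -- 'ESTABLISHED' | wc -l | tr -d ' '
}

# Stand-alone run: show the scoped ruleset (dry run unless IPT is overridden).
smb_rules_scoped
```

To apply it for real, run as root with `IPT=iptables` after flushing the existing INPUT chain, and keep the `DROP` line last. On current kernels `-m conntrack --ctstate` is the equivalent of the `-m state --state` match used here. The second layer the post mentions (hosts.allow style access control) applies to Samba as well: smbd has its own `hosts allow` setting in smb.conf, so even a packet that passes the filter can be refused by the service.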