Re: make gnome listen on localhost:*

On 06/14/00 20:16:20 -0400 Elliot Lee <sopwith@redhat.com> wrote:
+-----
| A proper firewall setup will catch everything, including apps that don't
+--->8

Uh, no.  A firewall is a good safety net for a real security policy; if you 
try to make *it* the security policy, you're almost guaranteed to cause 
more pain than benefit in all but the most trivial cases (those cases being 
precisely those in which e.g. making ORBit use only AF_UNIX sockets 
wouldn't be visible to the user).

Lots of people seem to think "just slap a firewall on it and it'll be 
safe".  But

(a) for any real (i.e. not single-user, outgoing-only) network, *correct* 
firewall configuration isn't simple;
(b) misconfiguration (extremely common; and this includes "expecting the 
firewall to solve all your problems") leads to a false sense of security;
(c) it is in fact *not* possible to secure a network using only firewalls, 
except in the most trivial of cases; and even in those cases, there will be 
visible disruptions to user activity;
(d) application proxies can be used to enable access beyond the firewall, 
but have their own problems and usually complicate access.

In the most common case of a single system with only outgoing connections, 
the best security is to ***disable unnecessary services*** (yes, this means 
ORBit's TCP/IP sockets!  As well as telnet, ftp, etc.)  A firewall might be 
installed, but only as a hedge against e.g. a system update inadvertently 
re-enabling unwanted services.

Please (at minimum) read a book on network security before continuing.

-- 
brandon s. allbery     [os/2][linux][solaris][japh]    allbery@kf8nh.apk.net
system administrator        [WAY too many hats]          allbery@ece.cmu.edu
electrical & computer engineering                                      KF8NH
carnegie mellon university      ["better check the oblivious first" -ke6sls]
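The "disable unnecessary services, firewall only as a hedge" point above is easiest to act on if you can see what is actually listening beyond loopback. The following is an added example, not code from the thread or from GNOME/ORBit: it parses the output format of Linux `ss -ltn` (assumed to be available) and reports TCP listeners bound to something other than a loopback address; the sample output embedded here is constructed, not captured from a real host.

```python
"""Audit listening TCP sockets and flag those reachable beyond loopback."""
import ipaddress
import subprocess

# Constructed sample in `ss -ltn` layout (not a real capture): one CUPS-style
# loopback listener, sshd on all IPv4 addresses, an anonymous high port on
# every address, a loopback-only IPv6 listener and a wildcard IPv6 listener.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       50      *:1024               *:*
LISTEN  0       128     [::1]:5432           [::]:*
LISTEN  0       128     [::]:80              [::]:*
"""

def split_local(addr_port):
    """Split 'host:port', '[v6]:port' or '*:port' into (host, port)."""
    host, _, port = addr_port.rpartition(":")
    return host.strip("[]"), int(port)

def is_loopback(host):
    """True for 127/8 and ::1; wildcards ('*', 0.0.0.0, ::) count as exposed."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # unparsable address: treat as exposed
        return False

def exposed_listeners(ss_output):
    """Return sorted (host, port) pairs whose bind address is not loopback."""
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue            # header line or non-listening state
        host, port = split_local(fields[3])
        if not is_loopback(host):
            exposed.add((host, port))
    return sorted(exposed)

def audit_live_host():
    """Run `ss -ltn` on this machine (Linux/iproute2) and audit the result."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_listeners(out)

if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed beyond loopback: {host}:{port}")
```

Running `audit_live_host()` after a system update is a cheap way to notice a service that came back listening on all interfaces, which is exactly the case the post leaves the firewall to cover.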