Re: make gnome listen on localhost:*
- From: Elliot Lee <sopwith redhat com>
- To: Paul Warren <pdw ferret lmh ox ac uk>
- Cc: gnome-list gnome org
- Subject: Re: make gnome listen on localhost:*
- Date: Wed, 14 Jun 2000 20:32:44 -0400 (EDT)
On Thu, 15 Jun 2000, Paul Warren wrote:
> > The reason I hate the suggested type of solution is because it is a hack
> > that only works for a very special set of apps,
>
> You mean apps run locally? That's not a particularly special set for you
> average one-box desktop user.
No, I mean "apps that use ORBit" as a special set.
People are suggesting turning off TCP/IP for apps-that-use-ORBit, and then
they'll submit patches to turn off networking for apps-that-use-foobar,
and then yet another set will come along, and your previous solutions
won't cover that.
A proper solution would be generic enough to handle all these cases, so
things don't slip through the cracks and cause problems. A deny-by-default
firewall will catch *everything* that is not explicitly denied.
> > and will ultimately cause conflicts with valid uses.
> >
> > A proper firewall setup will catch everything,
>
> Where do you propose putting this firewall? On the box running Gnome
> (this is where Joe Average with his one box will have to put it)? If so,
> then what's the point of having the port open in the first place?
The point is how the access control is implemented, and having one
solution that covers a wide variety of security problems is a lot more
effective than a bunch of band-aid solutions.
> > This problem goes beyond ORBit - it is going to come up more and more as
> > the network becomes central to computing. I'm not anxious to put in stupid
> > temporary hacks so people can feel good about avoiding a proper solution.
>
> Quite - so we won't be putting in firewalls just because Gnome is not
> secure by default, right?
> Firewalls are not a "proper solution". Firewalls should be an additional
> layer of security, not the only layer.
Firewalls are the _only_ proper solution to control access between the
network and the local machine - they're the only one that can have a hope
of working across the board.
> BTW, if you are suggesting that we should all be running firewalls
> that prohibit listening on high numbered ports
> then you're going to break passive mode FTP
For the desktop user? Your in-depth knowledge of networking continues to
amaze me...
> and possibly other stuff, and the average desktop user will fix this
> by... turning off the firewall.
This is only because the existing firewall setups are primitive and
limited, which are things that a proper solution would fix.
> > Is anyone interested in coming up with "the proper solution" that sets
> > a safe default config and makes it easy to make changes? I might be
> > interested in helping with such a thing.
>
> You mean an option for the control-center to turn on the network
> functionality for ORBit, right?
I'm thinking more like an option to add you to procmail filtering, at this
point... :)
I just saw your reply to Jim Gettys' post (without seeing the actual post,
argh) and I think he and I are on roughly the same wavelength as to what
the right direction is for a solution, FWIW.
-- Elliot
"Moron of the week" for four years running
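The two access controls being argued about in this message are an app-level one (the program binds its listener to 127.0.0.1, so only local clients can reach it) and a host-level one (a deny-by-default firewall sitting in front of every listener, whatever it is). The script below is an added example, not code from the thread, from ORBit or from GNOME: it starts a listener bound either to loopback or to all interfaces and reports which addresses can reach it, which is both a demonstration of the bind-to-localhost fix and the probe you would use to find the listeners a firewall still has to cover. It assumes a Linux-style loopback where all of 127.0.0.0/8 answers locally, so 127.0.0.2 can stand in for "some address other than 127.0.0.1" without any real network access; the function and constant names are the example's own.

```python
"""Added example, not from the thread or from ORBit/GNOME.

Demonstrates the difference between a listener bound to 127.0.0.1 (the
app-level control) and one bound to 0.0.0.0 (which needs a host firewall
to protect it), by probing which addresses each one answers on.

Assumption: 127.0.0.2 is usable as a second loopback address, as it is on
Linux where the whole of 127.0.0.0/8 is loopback.
"""
import socket

# Addresses we try to reach the listener on. 127.0.0.2 stands in for
# "an address other than 127.0.0.1" (assumption noted above).
PROBES = ("127.0.0.1", "127.0.0.2")


def start_listener(bind_addr: str) -> socket.socket:
    """Open a TCP listener on an ephemeral port, bound to bind_addr.

    "127.0.0.1" is the app-level fix; "0.0.0.0" (INADDR_ANY) is what a
    server gets when it does not restrict its bind address at all.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))   # port 0: let the kernel pick a free port
    srv.listen(5)
    return srv


def reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes.

    The kernel completes the handshake into the listen backlog, so the
    listener never has to call accept() for this check to work.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # ECONNREFUSED, timeout, unreachable, ...
        return False


def exposure(bind_addr: str) -> dict:
    """Map each probe address to whether a listener bound to bind_addr
    answers on it. A listener bound to 127.0.0.1 answers only there; one
    bound to 0.0.0.0 answers on every address the host owns."""
    srv = start_listener(bind_addr)
    try:
        port = srv.getsockname()[1]
        return {probe: reachable(probe, port) for probe in PROBES}
    finally:
        srv.close()


def needs_firewall(bind_addr: str) -> bool:
    """True if the listener is reachable on an address other than
    127.0.0.1, i.e. its bind address alone does not keep remote clients
    out and only a host firewall would."""
    return any(ok for probe, ok in exposure(bind_addr).items()
               if probe != "127.0.0.1")


if __name__ == "__main__":
    for addr in ("127.0.0.1", "0.0.0.0"):
        print(f"bound to {addr:9}: {exposure(addr)}  "
              f"needs firewall: {needs_firewall(addr)}")
```

On a real desktop the same question is answered for every running daemon at once by looking at the local address column of `ss -ltn` (or `netstat -ltn` on older systems): anything listening on 0.0.0.0 or :: rather than 127.0.0.1 or ::1 is in the set that a deny-by-default host firewall, rather than the application, has to protect.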