Re: The state of firewall management...



> Just because a few people tend to disable the firewall doesn't mean
> we shouldn't put it there to start with! ;)

I disagree.

The lame desktop user (NOT a wannabe PHP developer) should never
hear about any firewalling, since he is never running any network
listening daemon, so he does not need any firewalling. Like this, he
can run Skype and Bittorrent without calling support. And still be
safe. Keep simple things simple (unlike Windows).


On the other hand, the wannabe PHP developer should probably be
bothered with both: some service manager should warn him he left his
Apache instance listening to a public place; AND firewalling
should become active when going public. Belt and braces.

But neither these belts nor braces should pollute and complexify the
Skype + MSN life of the (swimsuit-wearing) lame desktop user. Please!


> would proceed to change settings appropriately for your location. This way
> you could have one plugin that would perform firewall adjustments, one plugin
> that would disable the services which could be exploited (and restart them
> when we leave the public network?). Perhaps a "pluggable" solution like this
> would be most appropriate and would appease all of our use-cases?

Looks great. But totally useless and very confusing for the lame
desktop user.


>> So I guess the problem is: how do you protect a minority of mysql users
>> from an unlikely and easy to fix packaging error, without bothering with
>> a firewall the vast majority of desktop users who do not care?
> 
> My point wasn't related to mysql directly, that was more of an example.

Me too.


>>> Imagine you're a user who's decided
>>> you'd like to start learning php for the first time:

>> So for a start: I am definitely NOT the average desktop user.

> Actually, the number of average desktop users I see trying this (or similar)
> things is large enough to take note of....

If the majority of Linux Desktop users are wannabe PHP developers, then it
shows how much Linux has failed to gain desktop market share,
*sigh*...
How about having higher expectations for the Linux Desktop than just
wannabe PHP developers?

 
>> [...]
>> Once I need to test my server remotely, I spent no more than 5 minutes
>> learning how to unlock the loopback safety.  Later I connect to a public
>> network. NetworkManager then runs a dead-simple "netstat -l" command and
>> warns me that I left my apache server running by accident. So I just stop
>> apache. Job's done.
>>
>> And by the way, all this is (almost) already happening today. But not in
>> the Windows world for sure.

> I wasn't aware of this, could you point me towards any discussions on this
> being implemented? I'd be interested to read where this is going.

Sorry I just meant: "this is already how I manage my laptop today".

The only part I miss is the NetworkManager plug-in running the "netstat -l"
command for me.




Cheers,

Marc
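
The "netstat -l" check discussed in the message above, as an added example that is not part of the original e-mail or of NetworkManager: it reads `netstat -ltn` style output and reports TCP listeners bound to anything other than loopback. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: report TCP listeners that are reachable from the network.

# Reads `netstat -ltn` output on stdin, prints one "addr:port" per listener
# that is NOT bound to a loopback address.
exposed_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            la = $4
            # Split at the LAST colon so IPv6 addresses stay intact.
            n = match(la, /:[0-9]+$/)
            if (n == 0) next
            addr = substr(la, 1, n - 1)
            port = substr(la, n + 1)
            # Loopback-only daemons cannot be reached from a public network.
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print addr ":" port
        }
    '
}

# Returns 0 when nothing is exposed, 1 (with a warning on stderr) otherwise.
warn_if_exposed() {
    found=$(exposed_listeners)
    if [ -z "$found" ]; then
        return 0
    fi
    echo "Warning: services listening on non-loopback addresses:" >&2
    echo "$found" >&2
    return 1
}

# Constructed sample of `netstat -ltn` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
EOF
}

# Live use on a real machine: netstat -ltn | warn_if_exposed
```

In the sample, the MySQL and CUPS listeners are loopback-only and pass silently; the wildcard-bound ports 80 and 22 are the ones flagged.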


