
Re: Why not have firewall rules by default?

From: Ondrej Zajicek <santiago(at)crfreenet.org>
Date: Wed Jan 23 2008 - 13:08:15 EST


On Wed, Jan 23, 2008 at 09:19:01AM -0600, William Twomey wrote:
> One solution could be to have a folder called /etc/security/iptables
> that contains files that get passed to iptables at startup (in the same
> way /etc/rc2.d gets read in numeric order). So you could have files like
> 22ssh, 23ftp, etc. with iptable rules in each file.

This is IMHO nonsense. Why firewall ports where nothing listens? This would not give you anything.

> You could also have
> an 'ENABLED' variable like some files in /etc/default have (so that
> ports wouldn't be opened by default; the user would have to manually
> enable them for the port to be opened).

A better way is just not to start that daemon.

-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org, jabber: santiago@njs.netlab.cz)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."

-- To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Received on Wed Jan 23 13:36:16 2008
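
An added example, not code from the thread or from Debian: a dry-run loader for the per-service rule directory William proposes, plus a check for the case Ondrej raises, an enabled rule for a port where nothing listens. The file format (an `ENABLED=yes` line followed by iptables arguments) and both function names are assumptions.

```shell
#!/bin/sh
# Assumed file format (not from the thread): an optional ENABLED=yes|no line,
# then one set of iptables arguments per line; lines starting with '#' are comments.

# build_rules DIR: print, without running them, the iptables commands the
# directory would produce, processing files in name order (22ssh before 23ftp).
build_rules() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for f in "$dir"/[0-9][0-9]*; do        # glob expansion is sorted
        [ -f "$f" ] || continue
        # Closed by default: a file without ENABLED=yes contributes nothing.
        enabled=$(sed -n 's/^ENABLED=//p' "$f" | tail -n 1)
        [ "$enabled" = "yes" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*|ENABLED=*) continue ;;
            esac
            printf 'iptables %s\n' "$line"
        done < "$f"
    done
}

# rules_without_listener DIR "PORTS": print each --dport used by an enabled
# rule that is missing from the space-separated list of listening ports.
# In real use the list would come from the local socket table (e.g. ss -ltn).
rules_without_listener() {
    build_rules "$1" | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p' | sort -un |
    while read -r port; do
        case " $2 " in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Usage: build_rules /etc/security/iptables
#        rules_without_listener /etc/security/iptables "22 80"
```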

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:55:23 EDT

