Author: KatolaZ
Date:  
To: dng
Subject: Re: [DNG] Recommended location for iptables rules
On Tue, Dec 06, 2016 at 12:07:25PM +1300, Daniel Reurich wrote:

[cut]

>
> I'm probably getting a little off topic here, but IMHO, MS Windows needs
> a firewall because it has so many leaky hidden services running on the
> host that should never be exposed to even local networks that make it
> extremely vulnerable, so it essentially needs to be enclosed in a
> Faraday cage with a few pinholes for the necessary inbound services.
>
> Generally a well set up Linux system has no network connectable services
> running that aren't intended to be, in which case it's relatively
> resistant to hacking attempts. This means a firewall in a well secured
> network is generally not necessary or desirable. The only instance I'd
> consider a workstation firewall is a laptop connecting to untrusted
> networks regularly.
>


Hi Dan,

I partially agree with your analysis, but you know better than me that
in many non-desktop environments (which are actually the large
majority of the use cases for Linux) iptables does much more than
filtering ports. I agree that if it was just for "firewalling" in the
Windows acceptation, then iptables would have been pretty useless in a
Unix environment, but indeed iptables is the most high-level(!) packet
manager available to a sysadmin.

As a consequence, it might (but it also might not) be sensible for a
distribution to propose a default location for the *state* *files*
related to iptables (they are not configuration files, as I tried to
explain before). /var/lib/iptables respects the rule of least
surprise: since all the state files of daemons/services/utilities in
Debian-like systems are in /var/lib/*/, it would be sensible to keep
iptables' state files there as well.

My2Cents

KatolaZ


-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab  ]  
[     "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[       @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[     @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]
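The "rules are state, not configuration" view above, carried into a small save/restore script as an added example (not from this thread, and not Devuan's or Debian's own tooling): the running ruleset is snapshotted into the state directory atomically, a headerless snapshot is refused so it cannot clobber a good one, and the restore step validates the file before committing it to the kernel. The directory name, file name and the environment overrides are assumptions.

```shell
#!/bin/sh
# Added example: persist the live iptables ruleset as *state* under
# /var/lib/iptables, next to the other daemons' state directories.
# STATE_DIR, SAVE_CMD and RESTORE_CMD are assumptions; override via env.
set -eu
STATE_DIR="${IPTABLES_STATE_DIR:-/var/lib/iptables}"
SAVE_CMD="${IPTABLES_SAVE:-iptables-save}"
RESTORE_CMD="${IPTABLES_RESTORE:-iptables-restore}"

# Snapshot the running ruleset: write to a temp file, validate, then
# rename, so a crash mid-write never leaves a truncated file to restore.
save_rules() {
    mkdir -p "$STATE_DIR"
    chmod 0700 "$STATE_DIR"      # rulesets reveal network policy: root only
    tmp="$STATE_DIR/rules-v4.tmp"
    "$SAVE_CMD" > "$tmp"
    # iptables-save output always carries a "*filter" table header; an
    # empty or headerless dump means the save failed, so keep the old one.
    if ! grep -q '^\*filter' "$tmp"; then
        rm -f "$tmp"
        echo "refusing to store an empty ruleset" >&2
        return 1
    fi
    mv -f "$tmp" "$STATE_DIR/rules-v4"
}

# Restore at boot: "--test" parses the file without touching the kernel
# tables, so a corrupted snapshot fails loudly instead of half-applying.
restore_rules() {
    f="$STATE_DIR/rules-v4"
    [ -s "$f" ] || { echo "no saved ruleset in $STATE_DIR" >&2; return 1; }
    "$RESTORE_CMD" --test < "$f" && "$RESTORE_CMD" < "$f"
}
```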