Mailinglist Archive: opensuse-factory (808 mails)
Re: [opensuse-factory] Integration of firewalld?
- From: Johannes Meixner <jsmeix@xxxxxxx>
- Date: Wed, 3 Aug 2011 14:03:00 +0200 (CEST)
- Message-id: <alpine.LNX.2.00.1108031341230.27811@nelson.suse.de>
Hello,
On Aug 3 11:19 Rob Davies wrote (excerpt):
> On 3 August 2011 08:31, Johannes Meixner <jsmeix@xxxxxxx> wrote:...
>> If you use services in your internal network, you cannot protect
>> them with firewalls inside your internal network.
>> You can only protect your whole trusted network with a firewall
>> at the borderline of your trusted network.
>> If the protection at the borderline fails you are basically doomed.
>
> Actually I arranged to explicitly enable host IP addresses requiring
> access, detecting "unauthorised" accesses.
> Furthermore I took advantage of the subnetting.
> You can for instance arrange for a peer's DNS or NTP server UDP
> packets to pass, but generally block UDP on that interface as
> illegitimate.
I wonder why you seem to use firewalls inside your internal network
to do this (i.e. with firewalls running on each host in the internal
network)?
Why don't you do this with a firewall at the borderline of your
internal network (i.e. with a dedicated firewall machine that
protects your whole internal network)?
If a malicious user is inside your internal network
neither explicit IP address requirements nor subnetting
nor blocking what goes into your internal network helps.
Therefore I still think that if the protection at the borderline
fails you are basically doomed.
As far as I understand what we are talking about, the issue is
about opening ports for services which are used in a trusted network
on firewalls which run on hosts in the trusted network.
We do not talk about if it makes sense to have a firewall
at the borderline of the trusted network.
But - as far as I understand it - we talk about if it makes sense
to have a firewall running on hosts in a trusted network.
Furthermore it seems we talk about what is meant by "trusted".
From my point of view "trusted" means:
http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
------------------------------------------------------------------
A trusted network means that you trust all users who can access
this network.
------------------------------------------------------------------
If something else is meant by "trusted" (e.g. a network where
children install arbitrary software, or where arbitrary guests can
connect their personal computers, or a university network where
arbitrary students try to find out who is "the greatest hacker"),
then such a network is not a trusted network from my point of view.
Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany
HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
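The two positions in this exchange (a per-host firewall that only admits explicitly enabled peers and the peer's DNS/NTP UDP sources, versus a border firewall that trusts everything inside the LAN) are easy to compare with a small policy model. The following is an added example, not code from the thread, from SuSEfirewall2 or from openSUSE; every address, port and host name in it is a constructed assumption, and the service port 631 is chosen only because the SDB page cited above is about CUPS.

```python
"""Toy policy evaluator contrasting a host firewall with a border-only firewall.

Added example; not part of the mailing-list thread. All addresses below are
constructed for illustration (RFC 1918 / RFC 5737 ranges), not real hosts.
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.10.0/24")          # the "trusted" network (assumed)
PEER_DNS = ipaddress.ip_address("192.168.10.2")        # peer's DNS server (assumed)
PEER_NTP = ipaddress.ip_address("192.168.10.3")        # peer's NTP server (assumed)
SERVICE_PORT = 631                                      # IPP/CUPS, per the cited SDB page
ALLOWED_CLIENTS = {ipaddress.ip_address("192.168.10.20")}  # explicitly enabled hosts (assumed)


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    sport: int    # source port
    dport: int    # destination port on this host
    proto: str    # "tcp" or "udp"
    iface: str    # "lan" (inside the trusted network) or "wan" (arriving at the border)


def host_firewall(pkt: Packet) -> tuple[str, str]:
    """Per-host policy in the spirit of Rob's description: UDP passes only from the
    named DNS/NTP servers, the service accepts only explicitly enabled hosts, and
    anything else from inside is dropped and labelled 'unauthorised' for logging."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.proto == "udp":
        from_dns = src == PEER_DNS and pkt.sport == 53
        from_ntp = src == PEER_NTP and pkt.sport == 123
        if pkt.iface == "lan" and (from_dns or from_ntp):
            return "accept", "peer DNS/NTP reply"
        return "drop", "illegitimate UDP on this interface"
    if pkt.proto == "tcp" and pkt.dport == SERVICE_PORT:
        if src in ALLOWED_CLIENTS:
            return "accept", "explicitly enabled host"
        return "drop", f"unauthorised access from {src}"
    return "drop", "default deny"


def border_firewall(pkt: Packet) -> tuple[str, str]:
    """Border-only model in the spirit of Johannes' position: all users inside the
    LAN are trusted, so LAN-internal traffic is never inspected; only traffic
    crossing the border is filtered."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "lan" and src in LAN:
        return "accept", "LAN-internal traffic never reaches the border"
    return "drop", "blocked at the border"


def compare(packets: list[Packet]) -> list[tuple[Packet, str, str]]:
    """Return (packet, host verdict, border verdict) for each packet."""
    return [(p, host_firewall(p)[0], border_firewall(p)[0]) for p in packets]


# Constructed sample traffic: a genuine DNS reply, a DNS reply forged by another LAN
# host, an enabled client reaching the service, an insider probing the service,
# and an outside host probing the service at the border.
SAMPLE = [
    Packet("192.168.10.2", 53, 40001, "udp", "lan"),
    Packet("192.168.10.99", 53, 40001, "udp", "lan"),
    Packet("192.168.10.20", 51000, SERVICE_PORT, "tcp", "lan"),
    Packet("192.168.10.77", 51000, SERVICE_PORT, "tcp", "lan"),
    Packet("203.0.113.5", 51000, SERVICE_PORT, "tcp", "wan"),
]

if __name__ == "__main__":
    for pkt, host_verdict, border_verdict in compare(SAMPLE):
        print(f"{pkt.src:>14} {pkt.proto}/{pkt.dport:<5} host={host_verdict:<6} border={border_verdict}")
```

The fourth sample packet is the one the thread argues about: an insider that was never enabled. The border model passes it because it never crosses the border, while the host model drops it and produces the "unauthorised" reason a host could log. The fifth packet shows the opposite side: traffic from outside is stopped at the border regardless of what the host policy says.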