On Wednesday, August 03, 2011 02:15:05 AM Johannes Meixner wrote:
Hello,
On Aug 2 08:30 Rajko M. wrote (excerpt):
I vote for selective opening of ports, just as needed.
Repeating the plain statement again and again does not help.
Not that I understand how the above relates to my post :) The fact is that on security policy we can only vote. Some users want a bunker, some an open street, the majority something in between. I don't see how we can reconcile all opinions without voting on the features that we want and those we don't.
I really wish someone would describe where there is security when opening ports "as needed" in a firewall.
We already open ports when browsing the web, so a few more for printing, or Samba shares, will not make a big difference in security, but it will have a huge impact on the usability and marketability of openSUSE. Besides, construction firewalls (elements that prevent fast spreading of a fire) have doors that are closed when something activates the fire alarm. As far as I know, we don't have such a mechanism in place when something unexpected happens, like when some IP starts a port scan, or uses brute force to crack into the system. There are applications that do that, but that is not the openSUSE default.
Of course there are particular cases where opening a particular port makes sense, but in general opening ports makes the firewall useless.
That says exactly what Vincent's initial mail says. :) No one wants just anything to be able to tell the firewall to open the gate, but certain applications should be able to do that after the user is asked and the transaction is authorized.

Of course, a question like "Do you want to open port 80?" is completely useless. How many know what that 80 is used for? That will lead to random yes and no answers, and complaints that the browser is not working. Not everyone has time to dive into documentation about networking and network security.

The question has to be in terms that everybody can understand, like "Do you want to allow Firefox to access the Internet?", which will:
1) increase the number of correct answers, and as a consequence
2) increase user satisfaction (marketing bonus)
3) improve security (the firewall is actually used, and you know who is using it)
4) minimize the impact on support services

Also, it will prevent alternative reactions to the inability to solve problems where the only culprit is the firewall, like abandoning openSUSE and/or Linux. Judging by personal recollection of frequently asked questions in support channels, and some statistics about the numbers of active vs. passive computer users, we lose hundreds of users weekly on this issue alone.
Kind Regards Johannes Meixner
--
Regards,
Rajko