Thank you everyone for your valuable suggestions. I agree that knowing in advance the port number which will be used by a program is very secure. No doubt about it. But just imagine a situation:

--> One person (not an expert in Linux security) installed Linux on his laptop for his personal use.
--> For security reasons he kept all his ports closed on the internal and external interface. (By default in openSUSE all ports are closed on the external interface.) [Yes, it's a very good security policy.]
--> Now he wants to listen to a song, so he needs to run a player (say Kaffeine or VLC or Amarok etc.). These players also need some open port. So whenever he tries to run the application, the request is silently dropped. [In this situation do we expect him to call a *SUPPORT* team and pay them? Isn't it ridiculous to call a security support team to listen to music??]
--> Now he wants to chat/voice chat with someone using a VoIP messenger. But since this program also needs an open port, he can't do voice chat. Even if all ports are open on the internal interface, no one from outside can call him since all ports are closed on the external interface. [In this situation do we expect him to call a *SUPPORT* team and pay them? Isn't it ridiculous to call a security support team to chat with someone??]
--> I believe that actually to grow in the desktop market and to make Linux popular and reach everyone we need to think from their point of view, not from a Linux server admin's point of view.

I request all of you to correct me on whichever statement I made incorrectly. Thanks again to all of you.

Thanks
Prasun

----- Original Message ----
From: Rajko M. <rmatov101@charter.net>
To: opensuse@opensuse.org
Sent: Wednesday, May 6, 2009 9:17:55 AM
Subject: Re: [opensuse] Interactive Firewall Needed

On Tuesday 05 May 2009 09:34:11 pm L. V. Lammert wrote:
On Tue, 5 May 2009, Rajko M. wrote:
On Tuesday 05 May 2009 05:24:05 pm Carlos E. R. wrote:
The request for someone to learn firewall internals in order to open ports is the same as asking a car owner to know how to tune cars in order to use them. Some will do that, but the majority see a car as a way to go from point A to point B, not a bit more.
Sorry, you have missed the support equation entirely! A *USER* should never be asked to open a port, as that request might have come from some malicious program!
It seems that you never used a personal firewall in that other OS, at least not the paid-for version. The user is asked whether he will let application [name] access the Internet, with an offer to give more details if the user wants. So, if you see some application attempting to access the Internet, and you are not sure, you click the link to more information and read what the firewall creators have to say. Can you imagine a better option for a user that is not a specialist in computers? You can argue that Windows users are used to OK'ing everything, but such a user will ask how to disable the firewall, and knowing helpful Linux guys, he will get the information, or he will not ask anything and trash Linux.
If they KNOW it is a valid request, it's only three or four mouse clicks to turn on that port - no internal knowledge needed.
How would they know? Today even kwrite is networked, and second, how should you, as someone new to Linux, know which application is benevolent and which is not? Which port? Applications try to access a port, but never tell you which. Some, after failed attempts, will tell you what ports are needed, but not many.
Having a program that will monitor all ports and notify the user that some application wants to go out is not out of mind. That is a way better option than having all ports closed, making the application fail, or forcing the user to shut down the firewall.
Sorry, not true either. The system comes configured with standard ports open, and any other required ports would be opened at installation.
Well, if applications are installed that way, why do we have those like Samba that fail royally on my own LAN? CUPS doesn't work on the same LAN, and probably more.
Under normal circumstances, the user would never see a request to open a port; if he/she DOES, it is highly likely that some malicious application is the cause, OR a new application is being installed, which should have been monitored by a qualified professional anyway.
Should I hire a qualified professional to make Samba or CUPS work? I'm sure, if I were less of a do-it-yourself guy, I would take another approach: ditch the non-working OS and go back to a working one. Continue to pay for a firewall that is a bit more verbose than the Linux one, pay for antivirus software, have a normal user for everything but administration, apply common sense in other activities, like don't open attachments, don't visit dark corners of the web, and have an OS that prints when I want and connects to other computers on the LAN without asking me for a PhD in a couple of computer disciplines.
What that monitor will do is the same as the user would do, with much more hassle. It will record port, destination IP and application name, notify the user and, after [yes], [yes, log traffic], or [no], perform the action.
No, no, no! Training users to always click on the "YES" button is absolutely no security at all. Why do you think Vista had so many problems? USERS are not qualified to make a security decision.
Users that always OK without reading you can't protect. They sign more serious things without reading them. That is just the kind of people that jump first and then hope that all will end well. Harassing the rest would not increase computer security a bit. Although, I can agree that asking the user to decide whether some application should go to the Internet, without providing additional informational resources, is equivalent to training them to click OK. The solution is not to give the ability to poke a hole in the firewall without providing additional information to those that ask for it. IMHO, the second part of the solution is actually more demanding on developers than the first. It requires permanent maintenance and update of information. Taking current problems with similar tasks, like providing current application manuals and troubleshooting guides, it seems that we will wait a bit until the community builds resources for such a task.

-- 
Regards, Rajko
http://news.opensuse.org/category/people-of-opensuse/

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
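The monitor Rajko sketches in the thread (record port, destination and application, notify the user, then act on yes / yes-and-log / no) can be prototyped from the kernel's own firewall log. The Python below is an added example written for this page; it is not code from the thread, from openSUSE or from SuSEfirewall2. It assumes an iptables OUTPUT chain whose last rules are `-j LOG --log-prefix "FW-OUT-DROP: " --log-uid` followed by `-j DROP`, parses constructed sample log lines in the LOG target's format, collapses retries of the same connection into one prompt, and returns the iptables commands a decision would produce instead of executing them. The application name comes from a caller-supplied lookup (a constructed table here), because the kernel log only carries the UID of the socket owner.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample of what the kernel logs when an OUTPUT rule with
# '-j LOG --log-prefix "FW-OUT-DROP: " --log-uid' matches. Addresses are from
# documentation ranges; nothing here was captured from a real host.
SAMPLE_LOG = """\
May  6 09:17:55 laptop kernel: FW-OUT-DROP: IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=43210 DPT=5060 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=100
May  6 09:17:56 laptop kernel: FW-OUT-DROP: IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=43210 DPT=5060 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=100
May  6 09:18:01 laptop kernel: FW-OUT-DROP: IN= OUT=wlan0 SRC=192.168.1.23 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=UDP SPT=51000 DPT=5353 LEN=64 UID=1000 GID=100
May  6 09:18:02 laptop kernel: unrelated message without firewall fields
"""

LOG_PREFIX = "FW-OUT-DROP:"          # assumed --log-prefix on the drop rule
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value tokens of the LOG target

Decision = str   # "allow", "allow_log" or "deny"


@dataclass(frozen=True)
class Flow:
    """What the user is asked about: one (protocol, destination, port, uid) tuple."""
    proto: str
    dst: str
    dport: int
    uid: int


def parse_log_line(line: str) -> Optional[Flow]:
    """Turn one LOG-target line into a Flow, or None if it is not a firewall log."""
    if LOG_PREFIX not in line:
        return None
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line.split(LOG_PREFIX, 1)[1]):
        fields.setdefault(key, value)   # keep the first LEN=, not UDP's second one
    try:
        return Flow(fields["PROTO"].lower(), fields["DST"],
                    int(fields["DPT"]), int(fields["UID"]))
    except (KeyError, ValueError):
        return None   # e.g. ICMP carries no DPT; ignore rather than prompt


def pending_prompts(log_text: str, decisions: Dict[Flow, Decision]) -> List[Flow]:
    """Unique flows that hit the drop rule and have no recorded decision yet.
    Repeated retries of the same connection collapse into a single prompt."""
    seen: List[Flow] = []
    for line in log_text.splitlines():
        flow = parse_log_line(line)
        if flow is not None and flow not in decisions and flow not in seen:
            seen.append(flow)
    return seen


def format_prompt(flow: Flow,
                  app_lookup: Optional[Callable[[Flow], Optional[str]]] = None) -> str:
    """The text a notifier would show. The application name comes from a
    caller-supplied lookup (on a live host: match the socket in /proc/net/tcp
    to a pid); the kernel log itself only carries the owning UID."""
    app = app_lookup(flow) if app_lookup else None
    who = f"{app} (uid {flow.uid})" if app else f"a program running as uid {flow.uid}"
    return (f"{who} wants to reach {flow.dst} on {flow.proto}/{flow.dport}. "
            f"[allow] [allow and log] [deny]")


def apply_decision(flow: Flow, choice: Decision,
                   decisions: Dict[Flow, Decision]) -> List[str]:
    """Record the answer and return the iptables commands that implement it.
    Commands are returned as strings, not executed, so a caller can review them."""
    if choice not in ("allow", "allow_log", "deny"):
        raise ValueError(f"unknown choice {choice!r}")
    decisions[flow] = choice
    match = (f"iptables -I OUTPUT -p {flow.proto} -d {flow.dst} --dport {flow.dport} "
             f"-m owner --uid-owner {flow.uid}")
    if choice == "deny":
        # Explicit REJECT so the application fails fast instead of hanging on a silent drop.
        return [f"{match} -j REJECT"]
    cmds = [f"{match} -j ACCEPT"]
    if choice == "allow_log":
        # Each -I inserts at the top, so running the LOG rule after ACCEPT leaves LOG above it.
        cmds.append(f'{match} -j LOG --log-prefix "FW-OUT-ALLOW: "')
    return cmds


if __name__ == "__main__":
    decisions: Dict[Flow, Decision] = {}
    names = {5060: "voip-client"}   # constructed stand-in for a socket-to-process lookup
    for flow in pending_prompts(SAMPLE_LOG, decisions):
        print(format_prompt(flow, lambda f: names.get(f.dport)))
        answer = "allow_log" if flow.dport == 5060 else "deny"
        for cmd in apply_decision(flow, answer, decisions):
            print("   ", cmd)
    print("still pending:", pending_prompts(SAMPLE_LOG, decisions))
```

The prompt deliberately carries the destination, port and owning UID rather than a bare "OK?", which is the "additional information" part of the thread's argument; a real notifier would attach the per-application explanation Rajko asks for. The decision store is what stops the same retrying connection from producing a prompt every second, and the deny branch installs a REJECT so the application gets an immediate error instead of the silent drop that made the media player and VoIP client in Prasun's scenario simply fail.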