Re: [opensuse] Re: Interactive Firewall Needed
"..but port open/closing is **NOT** to be done at run time."

-----> Say for example one application needs the open port once in a day for communicating. Would it be better to keep a port open forever after installation even if it is not needed??

"nor does it make a discussion for a ***LINUX*** forum."

It's absolutely your opinion, but the response to this topic should be visible to you. Many people have already shared their views and discussed this topic.

Can't we think beyond some conventional mindset?
--> One application is doing something similar to MS; it means it's from the MS world and we don't discuss it in a **LINUX FORUM**.
---> This problem is similar/present in MS or Mac, so we don't discuss it in a **LINUX FORUM**.

We should try to make a better platform, taking all the good options from all the platforms as much as possible. Since Linux is Open we have the opportunity to do that. We can make it better and better..

Prasun

----- Original Message ----
From: L. V. Lammert <lvl@omnitec.net>
To: Prasun Dhara <prasun_instru@yahoo.com>
Sent: Thursday, May 7, 2009 11:53:07 PM
Subject: Re: [opensuse] Re: Interactive Firewall Needed

At 11:04 AM 5/7/2009 -0700, you wrote:
But I can not agree with you on point #1.
When one particular application will listen to a port, it totally depends on the application. It may be during installation, or may be any time the application wishes.
I totally agree with you, Jim.

See the reply to Jim - don't confuse 'run' with 'install'. For an application to be installed properly, part of that installation must be to configure the firewall (if it exists). That process might include an automated script or a README, .. but port open/closing is **NOT** to be done at run time.

In the corporate world, in fact, the user doesn't even HAVE the ability to open/close a port; the fact that Windows users are used to dealing with this sort of issue on a regular basis does not make it good security practice, nor does it make a discussion for a ***LINUX*** forum.

Lee

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Thursday, 2009-05-07 at 12:00 -0700, Prasun Dhara wrote:
"..but port open/closing is **NOT** to be done at run time."
-----> Say for example one application needs the open port once in a day for communicating. Would it be better to keep a port open forever after installation even if it is not needed??

Yes, in Linux the port is normally opened on the firewall at all times.

--
Cheers,
Carlos E. R.
On Thursday 07 May 2009 05:05:57 pm Carlos E. R. wrote:
On Thursday, 2009-05-07 at 12:00 -0700, Prasun Dhara wrote:
"..but port open/closing is **NOT** to be done at run time."
-----> Say for example one application needs the open port once in a day for communicating. Would it be better to keep a port open forever after installation even if it is not needed??
Yes, in Linux the port is normally opened on the firewall at all times.

So, when I install something that in my opinion has too loose an understanding of security, I should live with it. No, so what do I do? Remove Internet only for that application. How do I do that?

AppArmor is designed to do that, but setup is somewhat perplexing, with language that for sure many professionals will not understand at once. Basically there is no need to invent a new application, but to make the instructions for AppArmor sound somewhat less scientific, and maybe it should appear on its own and ask a question, instead of hiding itself in YaST.

--
Regards, Rajko
http://news.opensuse.org/category/people-of-opensuse/
* Rajko M. <rmatov101@charter.net> [05-07-09 19:32]:
So, when I install something that in my opinion has too loose an understanding of security, I should live with it.
no
No, so what do I do? Remove Internet only for that application.
yes
How do I do that?
close the port the app requires, hint: yast2

If the usage is that infrequent, no problem.

--
Patrick Shanahan
Plainfield, Indiana, USA
HOG # US1244711
http://wahoo.no-ip.org
Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://counter.li.org
On Thursday 07 May 2009 06:34:44 pm Patrick Shanahan wrote:
close the port the app requires, hint: yast2
I'm afraid it is not that simple. Any application can use any port for outgoing traffic, and the firewall can't do much about it. The only way is to have an application-aware Gatekeeper that will turn off the Internet switch based on what application is trying to get out.

Though, your hint is absolutely correct, YaST [AppArmor] is the solution, but in its current state it is somewhat behind in usability for the average Joe. I guess it is good to open an AppArmor discussion in a new thread.

--
Regards, Rajko
http://news.opensuse.org/category/people-of-opensuse/
Rajko M. wrote:
On Thursday 07 May 2009 06:34:44 pm Patrick Shanahan wrote:
close the port the app requires, hint: yast2
I'm afraid it is not that simple.
Any application can use any port for outgoing traffic, and firewall can't do much about it.
I beg to differ. Every network I set up has egress filtering on key ports (such as port 25 at a very minimum).
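A host-side way to do both of the things argued over in this sub-thread: deny outbound traffic for one application only, and filter outbound port 25 for everyone else. This is an added example, not code from any post here; it assumes the restricted application runs as its own UNIX user (appsvc) and that postfix is the only user allowed to reach port 25. The rules are printed rather than applied, so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not code from any post in this thread.  It generates (and
# prints, so it can be reviewed before running as root) iptables rules that:
#   1. deny all outbound traffic for ONE application, by matching the dedicated
#      UNIX user it runs as (assumption: the app has its own user, e.g. via a
#      systemd "User=" setting), logging each new blocked connection;
#   2. block outbound SMTP (TCP/25) for every user except the local MTA user,
#      i.e. the egress filtering on "key ports" mentioned above, done on host.
# Both rely on the iptables "owner" match, which only works in the OUTPUT
# chain because the sending process is known there.  Chain name, user names
# and log prefix are assumptions.

egress_rules() {
    app_user="$1"    # user the restricted application runs as (assumed)
    relay_user="$2"  # the only user allowed to talk to port 25 (assumed)
    cat <<EOF
iptables -N APP_EGRESS 2>/dev/null || iptables -F APP_EGRESS
iptables -A APP_EGRESS -o lo -j RETURN
iptables -A APP_EGRESS -m owner --uid-owner $app_user -m conntrack --ctstate NEW -j LOG --log-prefix "egress-deny $app_user: "
iptables -A APP_EGRESS -m owner --uid-owner $app_user -j REJECT
iptables -A APP_EGRESS -p tcp --dport 25 -m owner ! --uid-owner $relay_user -j REJECT
iptables -C OUTPUT -j APP_EGRESS 2>/dev/null || iptables -I OUTPUT 1 -j APP_EGRESS
EOF
}

# Count how many rule lines a generated set contains (sanity check for review).
rule_count() {
    egress_rules "$1" "$2" | grep -c '^iptables'
}

# Example usage: review first, then apply as root with
#   egress_rules appsvc postfix | sudo sh
egress_rules appsvc postfix
```

The LOG line is what makes the block visible in the kernel log, so a "phone home" attempt shows up as an audit trail rather than silently failing.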
On Thursday 07 May 2009 11:06:13 pm John Andersen wrote:
I beg to differ.
Every network I set up has egress filtering on key ports (such as port 25 at a very minimum).
What do you do with an application that is testing for any working port, to connect to a server that doesn't restrict access based on source port? It doesn't do anything evil, just phones home to tell about yet another successful installation, because the author likes it when many users are using his work, but wants to know that first hand. That application will pass through security scrutiny, but some people will object that it is an invasion of privacy.

There are myriad reasons why a friendly AppArmor and firewall setup is a good idea. In its current state all the effort that went into development is for nothing. I'm not sure that many people will notice if one day it is removed.

--
Regards, Rajko
http://news.opensuse.org/category/people-of-opensuse/
On Thu, 7 May 2009, Rajko M. wrote:
On Thursday 07 May 2009 11:06:13 pm John Andersen wrote:
What do you do with an application that is testing for any working port, to connect to a server that doesn't restrict access based on source port?

Block it, of course. If the app complains, get another app.

Lee
On Friday 08 May 2009 08:41:45 am L. V. Lammert wrote:
On Thu, 7 May 2009, Rajko M. wrote:
On Thursday 07 May 2009 11:06:13 pm John Andersen wrote:
What do you do with an application that is testing for any working port, to connect to a server that doesn't restrict access based on source port?
Block it, of course. If the app complains, get another app.
Lee
Sorry, can't do it, it's the only one with xyz :-)

--
Regards, Rajko
http://news.opensuse.org/category/people-of-opensuse/
On Thu, 7 May 2009, John Andersen wrote:
Rajko M. wrote:
On Thursday 07 May 2009 06:34:44 pm Patrick Shanahan wrote:
close the port the app requires, hint: yast2
I'm afraid it is not that simple.
Any application can use any port for outgoing traffic, and the firewall can't do much about it.
I beg to differ.

No need to beg, .. there are too many people around here that don't know how to spell security, much less implement it.

Lee
On Friday 08 May 2009 08:40:29 am L. V. Lammert wrote:
On Thu, 7 May 2009, John Andersen wrote:
Rajko M. wrote:
On Thursday 07 May 2009 06:34:44 pm Patrick Shanahan wrote:
close the port the app requires, hint: yast2
I'm afraid it is not that simple.
Any application can use any port for outgoing traffic, and the firewall can't do much about it.
I beg to differ.
No need to beg, .. there are too many people around here that don't know how to spell security, much less implement it.
Lee
Not to mention those that tend to solutions that border on pulling the plug :-)

--
Regards, Rajko
http://news.opensuse.org/category/people-of-opensuse/
On Thu, 7 May 2009, Rajko M. wrote:
On Thursday 07 May 2009 06:34:44 pm Patrick Shanahan wrote:
close the port the app requires, hint: yast2
I'm afraid it is not that simple.
But it is, only not on the client machine. Outgoing ports, if you need security, are managed at the upstream firewall/proxy.

If you truly wish to lock down network traffic, you only pass/proxy specific ports.

Lee
On Friday 08 May 2009 08:38:06 am L. V. Lammert wrote:
On Thu, 7 May 2009, Rajko M. wrote:
On Thursday 07 May 2009 06:34:44 pm Patrick Shanahan wrote:
close the port the app requires, hint: yast2
I'm afraid it is not that simple.
But it is, only not on the client machine. Outgoing ports, if you need security, are managed at the upstream firewall/proxy.
If you truly wish to lock down network traffic, you only pass/proxy specific ports.
Lee
Hmmmm ... There is an exploit that the admin doesn't know about. It allows a smart trojan to be installed and wait. His net is hired as a botnet for a month before the logs reveal strange activity, and when that happens the computers will be part of a DDoS for hours before he can get an alarm. What to do, pull the plug when it is time to sleep :-)

--
Regards, Rajko
http://news.opensuse.org/category/people-of-opensuse/
participants (6)
- Carlos E. R.
- John Andersen
- L. V. Lammert
- Patrick Shanahan
- Prasun Dhara
- Rajko M.