On Tue, Dec 06, 2016 at 12:07:25PM +1300, Daniel Reurich wrote:

[cut]

>
> I'm probably getting a little off topic here, but IMHO, MS Windows needs
> a firewall because it has so many leaky hidden services running on the
> host that should never be exposed to even local networks that make it
> extremely vulnerable, so it essentially needs to be enclosed in a
> Faraday cage with a few pinholes for the necessary inbound services.
>
> Generally a well set up Linux system has no network connectable services
> running that aren't intended to be, in which case it's relatively
> resistant to hacking attempts. This means a firewall in a well secured
> network is generally not necessary or desirable. The only instance I'd
> consider a workstation firewall is a laptop connecting to untrusted
> networks regularly.
>

Hi Dan,

I partially agree with your analysis, but you know better than me that in many non-desktop environments (which are actually the large majority of the use cases for Linux) iptables does much more than filtering ports. I agree that if it was just for "firewalling" in the Windows acception, then iptables would have been pretty useless in a unix environment, but indeed iptables is the most high-level(!) packet manager available to a sysadmin.

As a consequence, it might (but it also might not) be sensible for a distribution to propose a default location for the *state* *files* related to iptables (they are not configuration files, as I tried to explain before). /var/lib/iptables respects the rule of least surprise: since all the state files of daemons/services/utilities in Debian-like systems are in /var/lib/*/, it would be sensible to keep iptables' state files there as well.

My2Cents

KatolaZ

--
[ ~.,_ Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab ]
[ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ]
[ @) http://kalos.mine.nu --- Devuan GNU + Linux User ]
[ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ]
[ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ]
