On Sunday 07 April 2002 04:19 pm, Brian J. Murrell wrote:
> On Sat, Apr 06, 2002 at 03:32:05PM -0500, Eric Wirt wrote:
>> 2) When a program needs traversal through the firewall, it will ask the
>> gateway for X number of ports to specifically be opened and forwarded to
>> the inside machine.  The gateway will report to the calling program
>> (Messenger) which ports it has opened/forwarded, and the calling program
>> takes it from there.  When the program is done with the ports it is
>> supposed to ask the gateway to close them.

> Does this not scare the bujeezus out of anyone else but me?

Yes.

> Netfilter/iptables' purpose is to protect both the box it is running
> on but (most) frequently also a network of machine[s] behind it.

> Why do we (security administrators) put a firewall (packet filter at
> minimum) in front of a whole network of machines?  Because it's much
> easier (and therefore safer for the security administrator) to
> administer one access point rather than having to go bolt down every
> machine and hope it stays bolted down.

And also to provide an extra layer of security on the
it's-easier-to-go-elsewhere principle.

> Now we are giving the machines that we know are not secure -- and
> don't run a secure OS which is produced by a company who has a long
> running track record of implementing bad/minimal security at best --
> the ability to administer their own security policies by adding and
> removing rules from the firewall via UPnP.

True, especially given that proxy-using Linux and/or Open Source equivalents 
are available in practically every case.

> Do we really want the inmates running the asylum?

No.

OTOH, Open Source is about giving people choices. Even if that freedom is 
used stupidly.

I would ship the choice, but disable it by default, in a way that made it
incapable of being accidentally enabled. I would also clearly label it risky
in the directions, advise using a proxy instead if at all possible, and
searchingly considering whether the UPnP service is actually necessary in the
first place.

Cheers; Leon
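As an added example, not code from this thread: the "ask the gateway for ports" step Eric describes is a UPnP IGD AddPortMapping SOAP request, and a gateway operator can audit such requests before honouring them. The request body below is constructed sample input; the policy checks (requester must only map to itself, no permanent leases, no privileged or unrestricted-source ports) are one reasonable set of rules, not any particular gateway's own.

```python
"""Audit a UPnP IGD AddPortMapping request before the gateway honours it."""
import xml.etree.ElementTree as ET

# Constructed sample of the SOAP body an IGD client sends (not captured traffic).
SAMPLE_REQUEST = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
  s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>445</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>445</NewInternalPort>
   <NewInternalClient>192.168.1.20</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>Messenger</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""

IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


def parse_add_port_mapping(xml_bytes):
    """Return the AddPortMapping arguments as a dict, or None if the body has none."""
    root = ET.fromstring(xml_bytes)
    node = root.find(f".//{{{IGD_NS}}}AddPortMapping")
    if node is None:
        return None
    # Argument elements are unqualified, so child.tag is the bare argument name.
    return {child.tag: (child.text or "").strip() for child in node}


def audit_mapping(args, requester_ip):
    """Return the policy violations a gateway should refuse the request for."""
    findings = []
    if int(args["NewExternalPort"]) < 1024:
        findings.append("privileged external port")
    if args["NewInternalClient"] != requester_ip:
        findings.append("maps to a host other than the requester")
    if int(args["NewLeaseDuration"]) == 0:
        findings.append("permanent lease (never expires)")
    if args["NewRemoteHost"] == "":          # empty = wildcard source in IGD
        findings.append("no remote-host restriction (any source)")
    return findings


if __name__ == "__main__":
    mapping = parse_add_port_mapping(SAMPLE_REQUEST)
    print(mapping, audit_mapping(mapping, "192.168.1.20"))
```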
