Firewall security: Problems with simple Samba file share 3577
So you want him to have two firewalls, in series? It's harder if it's a hardware device, but not impossible. Having an IP address for configuration plus a well-known default password is normally the give-away. But the firewall will only respond to local accesses :-). You would first have to compromise the next router along. Easier with a wireless router, of course. Anyway, it's moot - nobody in their right minds bothers to try and crack in the hard way. Your password would be stolen somewhere else, and a legitimate login method used.
Try and stay away from generalities. Name the specific attack scenario, and the defense, that you have in mind. The same thing that compromised your first defense would compromise the second, if your imagined attack is what I think it is. And anyway ... So what?
Oh yes "we" do. I do. Look ... no windows machines here! Good for you, but that is the only situation in which a firewall gives you protection - when you are not the master of the machines on your local net. Having a windows machine means that you are not. However, on a net composed of linux machines on which you are root, you are the master. How about if you are worried about what your users can do? I'm sorry, they can do whatever they like within the confines of their non-root privileges. If you are worried about what they do, the only useful thing I can think a firewall might do is prohibit incoming to ports above 1024 (mind you, that will kill your legitimate services also too often).
Good. Prime candidates for use of a firewall - lack of control.
Please do not use analogies. A packet is a packet. Nothing else.
You have the distro's updates. That's what they're for.
Good control. Because you have control. Are you trying to protect yourself against your own failings? Fix yourself, then. And anyway, so what if somebody outside can reach one of your precious "internal" services? They can get in to your net a legitimate way (stolen password, http redirect, ftp proxy, etc.) first and reach the service from inside if they really want to. You are making life hard for yourself when you want to change things (that's OK!).
No they can't - they have no way of telling that the source code you just downloaded to compile and install contains a trick in its Makefile that sets up an open root listener at 12pm to 12.05 pm on a port number derived from your IP address.
That's when it is NOT useful. It doesn't matter - the services only do what they are supposed to do. If they have a vulnerability, it would already have been fixed by your distro before you get exploited by it.
Web servers are supposed to allow universal access. Or are you talking about cgi and .htaccess? You can't seriously intend to configure the firewall to allow access to http dirs by source address! Whatever happened to authentication ...
A firewall is useful on a network where you do not control all the machines. A windows machine on your net means that that criterion is satisfied.
Peter