Firewall security: Problems with simple Samba file share 3578
Peter T. Breuer
I don't care what HE does. But two firewalls is indeed what I do.
Firewalls often are configured to allow remote configuration. I'm not saying they SHOULD be left this way, but they often are. That's not the only possible breach, though. Many firewalls have some sort of shell that in theory could be accessed by some unknown exploit.
Well, gosh then: must be a lot of people not in their right minds because my logs are full of people trying both easy and hard ways..
That's the whole point, Peter: new exploits come along almost daily. Security isn't just about protecting from specific scenarios. Multiple layers are more likely to thwart unexpected attack vectors.
It would? So an error in iptables automatically causes the same error in the software of my hardware firewall?
John Hasler Yes, I'm referring to what we've been calling hardware firewalls, which of course really are just dedicated purpose computers and might even be running Linux themselves in some cases.. but at the consumer...
Nonsense. Packet inspection at an external firewall can identify specific attacks. You might want to read "Intrusion Prevention and Active Response" which I reviewed at
Huh? So the moment an exploit is discovered, updates are instantly available (fully debugged, of course) and can be instantly deployed on your machines. You must live in a very different world than I do :-)
My failings, my errors, and of course any exploits as discussed above.
It is generally true that if someone badly wants to get in, sooner or later they probably will - buttuming they have the patience and resources to do so. The same is true for someone who wants to steal my car - except that's even easier. So why don't I just leave it unlocked with the keys in it and the alarm disabled? Why bother to even try to protect anything?
Yes, it is harder to change things. Absolutely true.
I'm sorry, but you are incorrect. Firewalls can do full packet inspection and can look for known patterns. See the book I referred you to above.
Really? So all services are now 100% secure and are guaranteed against any and all future exploits? Are you REALLY butterting that?
That cannot be what you mean to say. But it sure looks like it. You say "the services only do what they are supposed to do" as though there never has been an exploit of any service in the past decade.. and you also seem to be saying that if some vulnerability did turn up it would be instantly fixed.. if that's really your position, all I can say is "Wow!".
Peter T. Breuer I have given examples, and so have other people. It hasn't been vague generalities at all. A firewall protects against software deficiency and accidental misconfiguration. It can also...
Wow.
Yes it is. That is precisely the use of it. Man ssh ... ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides...
You can allow and disallow specific directories by ip address and in this case I was thinking of web servers that are NOT supposed to be universally available - intranet servers. In that case, I would have the Apache config set for only the allowed use and do the same thing with both firewalls.
-- Tony Lawrence
Firewall security: Problems with simple Samba file share 3579
Linux groups from Newsgroups
Firewall security: Problems with simple Samba file share 3577