Security Rant (was Re: ipchains issue (Re: Webmin via Apache))

plug-discuss@lists.plug.phoenix.az.us
Wed, 26 Jun 2002 00:32:11 -0400


My ruleset is the default RedHat 7.3 middle choice.  I did punch some holes
during the install for SSH and HTTP.  However, three things conspired against
me:

1. I assumed that HTTPS would come through the HTTP hole and failed to
consider the 10000 port Webmin wants.

2. While I can use many things and write programs on Linux, I have never
studied firewall configuration.

3. I was setting up a server and I wanted it done quickly so when Webmin
didn't talk, I didn't think about the firewall, only the Webmin configuration.


I should know about firewall configuration.  I now have a reason to learn. 
=^)

<MyRant>
However, as we propel Linux forward, we need to help develop tools that don't
require the user to know how or even why he needs a firewall.  The average Joe
just wants to know that his computer is secure because he picked the secure
option on his install.  And, if he needs to close a port or open a port, he
doesn't want to learn ipchains rule syntax or even port numbers, he wants to
select an option and be on his merry way.  Not an easy task but this is the
mindset that company in Redmond has created and our society expects.

If we want Linux on every desktop, it has to be made that easy.
</MyRant>

Anyway, it is an issue for tomorrow.  That box is at work, I am at home.  My
plan is to turn the firewall completely off to prove the Webmin setup works. 
Then, turn it back on with needed holes (after some studying).  One issue at a
time gets the bits in a row.

Alan
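Before turning the firewall completely off to see whether Webmin works, it is worth checking the ruleset itself to see what an inbound connection to tcp/10000 would hit. The script below is an added example, not code from Alan's post or from Red Hat; it parses rules written in the ipchains-save syntax used by /etc/sysconfig/ipchains and walks the input chain with ipchains' first-match semantics. The RULESET text is constructed for illustration (holes for 22 and 80, everything else rejected on SYN) and is not Red Hat's actual generated medium-level file; address matching is simplified to the 0/0 "any" form the sample uses. It shows the two points from the message: port 443 does not ride through the port 80 hole, and neither does 10000, while the same Webmin connection from the loopback interface is accepted, which is why a local test can pass while a remote one fails. It also shows why rule order matters when you add the hole.

```python
"""Dry-run an ipchains ruleset offline: would an inbound TCP SYN to a given port
get through?  Added example; the RULESET below is constructed, not Red Hat's."""
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed ruleset in ipchains-save syntax (holes for SSH and HTTP only).
RULESET = """\
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 0:1023 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 1024:65535 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 0:1023 -p udp -j REJECT
"""

@dataclass
class Rule:
    chain: Optional[str] = None
    target: Optional[str] = None
    proto: Optional[str] = None      # tcp/udp/icmp; None = any protocol
    dports: Optional[tuple] = None   # (low, high) inclusive; None = any port
    syn_only: bool = False           # -y: match only TCP SYN (new connections)
    iface: Optional[str] = None      # -i: input interface; None = any

def parse_ports(spec):
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi) if hi else int(lo))

def parse_ruleset(text):
    """Return ({chain: policy}, [Rule, ...]) for ipchains-save style text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):                 # ":input ACCEPT" = chain policy
            chain, policy = line[1:].split()
            policies[chain] = policy
            continue
        toks, rule, i = shlex.split(line), Rule(), 0
        while i < len(toks):
            t = toks[i]
            if t == "-A":   rule.chain = toks[i + 1]; i += 2
            elif t == "-j": rule.target = toks[i + 1]; i += 2
            elif t == "-p": rule.proto = toks[i + 1].lower(); i += 2
            elif t == "-i": rule.iface = toks[i + 1]; i += 2
            elif t == "-y": rule.syn_only = True; i += 1
            elif t in ("-s", "-d"):
                i += 2                           # skip the address itself
                # an address may be followed by a port or port range
                if i < len(toks) and toks[i][0].isdigit():
                    if t == "-d":
                        rule.dports = parse_ports(toks[i])
                    i += 1
            else:
                raise ValueError(f"unsupported token {t!r} in: {line}")
        rules.append(rule)
    return policies, rules

def verdict(policies, rules, chain="input", proto="tcp", dport=None,
            syn=True, iface="eth0"):
    """Target of the first matching rule, else the chain policy (first match wins)."""
    for r in rules:
        if r.chain != chain:
            continue
        if r.proto and r.proto != proto:
            continue
        if r.iface and r.iface != iface:
            continue
        if r.syn_only and not (proto == "tcp" and syn):
            continue
        if r.dports and (dport is None or not r.dports[0] <= dport <= r.dports[1]):
            continue
        return r.target
    return policies.get(chain, "ACCEPT")

def inbound_tcp_verdicts(text, ports):
    """Map each port to the verdict for a new TCP connection arriving on eth0."""
    policies, rules = parse_ruleset(text)
    return {p: verdict(policies, rules, proto="tcp", dport=p) for p in ports}

def open_tcp_port(text, port):
    """Add an ACCEPT for a TCP port *before* the first REJECT in the input chain.
    Appended after the REJECT lines it would never be reached."""
    lines = text.splitlines()
    new = f"-A input -s 0/0 -d 0/0 {port} -p tcp -y -j ACCEPT"
    for idx, line in enumerate(lines):
        if line.startswith("-A input") and line.endswith("REJECT"):
            lines.insert(idx, new)
            break
    else:
        lines.append(new)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for port, v in inbound_tcp_verdicts(RULESET, [22, 80, 443, 10000]).items():
        print(f"tcp/{port:<5} from eth0 -> {v}")
    print("after open_tcp_port(10000):",
          inbound_tcp_verdicts(open_tcp_port(RULESET, 10000), [10000]))
```

Run against the constructed ruleset, 22 and 80 come back ACCEPT and 443 and 10000 come back REJECT, so HTTPS and Webmin are both blocked even though "HTTP" is open. The same packet to port 10000 evaluated with iface="lo" is accepted by the loopback rule, and a Webmin ACCEPT appended to the end of the file is still rejected because the earlier REJECT matches first; open_tcp_port puts the hole where it will actually be reached.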

On 25 Jun 2002 19:42:01 -0700 Craig White <craigwhite@azapple.com> wrote:

thanks for the naked metaphor

If you looked at his ipchains rulesets, you would know how much
consideration had been given to them. That was my point.

I had a customer...a patent engineer, ee, tcl programmer and all around
very intelligent guy install firewall software on his computer and
couldn't figure out why he couldn't print or see the file servers, etc.
He couldn't log in to the Windows domain controller but his computer was
safe. I agree with you...know why you're doing it but you also need to
know how to do it.

Craig
________________________________________________
See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post
to the list quickly and you use Netscape to write mail.

PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss