> There seems to be a misunderstanding about the nature of ports here.
> Ports don't magically turn "open", because you don't filter them on the
> firewall. A port is only in the state "open" if some daemon has a
> listening socket bound to it. For instance, port 111/tcp on your machine
> is probably open, because you're running the portmap daemon.
> Besides, why is your firewall running port-mapper, identd and print
> spooler anyway? A firewall is a security device and should be running as
> few services as possible. I also strongly recommend running a custom
> (stripped-down) kernel.
These remind me of a question I forgot to ask somewhere else: why is
portmap installed (and enabled!) by default? I just installed a fresh
lenny, with the web server task, and portmap was installed and enabled
by default. I believe nfs-common was also pulled together, and none was
called for during the install procedure. IMHO it's a very dangerous
default.
regards
FF
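The quoted reply makes the point that a port is "open" only when a daemon holds a listening socket on it, and that the way to know is to look at the sockets, not at the firewall rules. On Linux the kernel publishes every TCP socket in /proc/net/tcp (hex address:port, hex state; 0A is LISTEN). The following is an added example, not code from the thread or from Debian: it parses that format and reports what is listening and on which address. The sample data is constructed for illustration and uses the port numbers the thread mentions (111 portmap, 113 identd, 631 the CUPS print spooler); the decoded address assumes a little-endian host, which is how the kernel writes that file on x86.

```python
#!/usr/bin/env python3
"""Report listening TCP sockets from /proc/net/tcp-format data.

Added example for the thread above: a port is only open when some daemon
has a listening socket bound to it, so enumerate the sockets directly.
"""
import os
import socket

TCP_LISTEN = 0x0A  # socket state code the kernel uses for LISTEN

# Well-known assignments for the ports the thread discusses (IANA names).
SERVICE_HINTS = {111: "sunrpc (portmap)", 113: "auth (identd)", 631: "ipp (print spooler)"}

# Constructed sample in /proc/net/tcp layout; not captured from a real host.
# Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ...
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 00000000:0071 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 100 0 0 10 0
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0 100 0 0 10 0
   3: 0100007F:8F3A 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0 20 4 30 10 -1
"""


def decode_address(hex_addr):
    """Turn the kernel's 'XXXXXXXX:PPPP' field into ('a.b.c.d', port).

    The IPv4 address is written as a host-endian 32-bit word; on a
    little-endian machine the bytes must be reversed (assumption: x86).
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into a list of socket dicts (header skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue  # tolerate blank or truncated lines
        ip, port = decode_address(fields[1])
        sockets.append({
            "ip": ip,
            "port": port,
            "state": int(fields[3], 16),
            "uid": int(fields[7]),
        })
    return sockets


def listening_ports(text):
    """Sorted (ip, port) pairs for sockets in LISTEN state: the truly open ports."""
    return sorted((s["ip"], s["port"]) for s in parse_proc_net_tcp(text)
                  if s["state"] == TCP_LISTEN)


def exposed_listeners(text):
    """Listeners not bound to loopback, i.e. reachable from other hosts
    unless packet filtering stops them."""
    return [(ip, port) for ip, port in listening_ports(text)
            if not ip.startswith("127.")]


def report(text):
    """Human-readable summary; returns the lines so callers can check them."""
    lines = []
    for ip, port in listening_ports(text):
        scope = "loopback only" if ip.startswith("127.") else "EXPOSED"
        hint = SERVICE_HINTS.get(port, "unknown service")
        lines.append(f"{ip}:{port:<5} LISTEN  {scope:13} {hint}")
    return lines


if __name__ == "__main__":
    # Prefer the live table when running on a Linux host; fall back to the sample.
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as fh:
            data = fh.read()
    else:
        data = SAMPLE_PROC_NET_TCP
    print("\n".join(report(data)))
```

Run on the firewall itself, anything reported as EXPOSED that the box does not need to serve is a candidate for disabling or removing the package, which is a stronger fix than filtering it, since the daemon is then not there to be reached at all. Mapping a socket back to its process requires matching the inode column against /proc/<pid>/fd, which this example leaves out.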