Saturday, January 31, 2009

portmap by default (Re: my debian does not read my own iptables script)

On Sat, 2009-01-31 at 02:41 +0100, Ansgar Wiechers wrote:

> There seems to be a misunderstanding about the nature of ports here.
> Ports don't magically turn "open", because you don't filter them on the
> firewall. A port is only in the state "open" if some daemon has a
> listening socket bound to it. For instance, port 111/tcp on your machine
> is probably open, because you're running the portmap daemon.

> Besides, why is your firewall running port-mapper, identd and print
> spooler anyway? A firewall is a security device and should be running as
> few services as possible. I also strongly recommend running a custom
> (stripped-down) kernel.

These remind me of a question I forgot to ask somewhere else: why is
portmap installed (and enabled!) by default? I just installed a fresh
lenny, with the web server task, and portmap was installed and enabled
by default. I believe nfs-common was also pulled together, and none was
called for during the install procedure. IMHO it's a very dangerous
default.

regards
FF


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
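Both halves of the thread come down to one check: a port is "open" only when some daemon holds a listening socket on it, so the way to find out what a fresh install really exposes (portmap on 111/tcp in FF's case) is to list the listening sockets and compare them against what you intended to run. The following POSIX shell script is an added example, not code from the original thread or from Debian. It parses text in the kernel's /proc/net/tcp format (a constructed sample is embedded so it runs anywhere), prints the listening TCP ports, and flags any that are not on an allow list you pass in; the allow list "22 80 443" is an assumed example for a web server.

```shell
#!/bin/sh
# Added example (not from the original thread or Debian): audit which TCP
# ports are actually open, i.e. have a daemon listening on them, by reading
# /proc/net/tcp, and flag any that are not on an allow list.

# Constructed sample in /proc/net/tcp format: 111/tcp (portmap) and 25/tcp
# listening, plus one established connection on 80/tcp that must be ignored.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0A000002:0050 0A000001:C3A2 01 00000000:00000000 00:00000000 00000000    33        0 33333 1 0000000000000000 100 0 0 10 0'

# listening_ports: read /proc/net/tcp-format text from stdin and print the
# decimal port of every socket in state 0A (TCP LISTEN), one per line.
# Ports in that file are hex, so the conversion is done in portable awk.
listening_ports() {
    awk '
        function hex2dec(h,   i, d) {
            d = 0
            for (i = 1; i <= length(h); i++)
                d = d * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
            return d
        }
        NR > 1 && $4 == "0A" {
            split($2, addr, ":")        # local_address is ip:port, both hex
            print hex2dec(addr[2])
        }'
}

# unexpected_listeners "22 80 443": print listening ports that are not in
# the space-separated allow list given as $1. Anything printed is a daemon
# the host owner did not plan for (portmap on 111 in the sample).
unexpected_listeners() {
    allowed=" $1 "
    listening_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# Run against the sample, then against the live kernel table if available.
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | unexpected_listeners "22 80 443"
if [ -r /proc/net/tcp ]; then
    unexpected_listeners "22 80 443" < /proc/net/tcp
fi
```

On the sample this prints 111 and 25; on a real host every port it prints is a service to either justify or remove (for FF's case, removing the portmap and nfs-common packages that the install pulled in). The script covers IPv4 TCP only; /proc/net/tcp6 uses the same layout with longer addresses, and UDP sockets live in /proc/net/udp with no LISTEN state, so a complete audit reads those as well.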
