firewall without loopback interface

Posted by saltlick on January 19, 2006, 9:18 pm
Hi All,

A few years back my college lecturer suggested that the most secure way
to setup a (linux)
firewall is to not have any loopback (lo) interface and hence it cannot
run any local services but only forward traffic back and forth, etc.
Obviously you would then have to manage the host from the console.

Any comments?


Posted by Volker Birk on January 20, 2006, 4:04 am
> A few years back my college lecturer suggested that the most secure way
> to setup a (linux)
> firewall is to not have any loopback (lo) interface and hence it cannot
> run any local services but only forward traffic back and forth, etc.
> Obviously you would then have to manage the host from the console.
> Any comments?

Ridiculous nonsense.

Yours,
VB.
--
maximum inquementum tum biguttam egresso scribe. meo maximo vestibulo
perlegamentum da. da duo tum maximum conscribementa meis listis. dum listis
decapitamentum damentum nexto fac sic nextum tum novumversum scribe egresso.
lista sic hoc recidementum nextum cis vannementa da listis. cis.

Posted by Moe Trin on January 20, 2006, 2:55 pm
On 19 Jan 2006, in the Usenet newsgroup comp.security.firewalls, in article

>A few years back my college lecturer suggested that the most secure way
>to setup a (linux) firewall is to not have any loopback (lo) interface
>and hence it cannot run any local services but only forward traffic back
>and forth, etc.

Someone has a severe concept/nomenclature problem. The presence or absence
of a loopback interface has nothing to do with the services that are being
offered. The loopback is how the computer talks to _itself_ and if the
loopback is vulnerable, it's because someone already 0wnZ the computer.

What is probably being talked about is not offering any services, OR
limiting access to such services to specific internal hosts. Another
concept is that there is no access FROM the firewall to any other
system inside OR out - that is, the firewall is not considered a trusted
system.

>Obviously you would then have to manage the host from the console.

Gee, my home firewall is an old laptop that doesn't have a case, keyboard
or display and offers no network services. Wonder why that works.

>Any comments?

http://www.oreilly.com and search for "Practical Unix & Internet
Firewalls" by Zwicky, et al.

Old guy

Posted by Jeff B on January 20, 2006, 10:57 pm
saltlick wrote:
> Hi All,
>
> A few years back my college lecturer suggested that the most secure way
> to setup a (linux) firewall is to not have any loopback (lo) interface
> and hence it cannot run any local services but only forward traffic
> back and forth, etc.

Linux does not bind to the loopback interface like Windows misguidedly
does. Linux/Unix programs bind to the address found by
gethostbyname( gethostname() ).

In this manner, any program that can create a port on the NIC is
instantly usable both publicly and internally.

Internal services are accessed by FIFOs, SHMAT {i.e. shared segments} or
the AF_UNIX domain kind of sockets {not AF_INET public TCP/IP sockets}.

hint: read the book(s) for yourself and/or verify what you read/hear --
including this! :-)

--
---
Jeff B (remove the No-Spam to reply)

Posted by Volker Birk on January 21, 2006, 1:40 am
> Linux does not bind to the loopback interface like Windows misguidedly
^^^^^^^^^^^^^^^^^^^
> does. Linux/Unix programs bind to the address found by
> gethostbyname( gethostname() ).

You cannot say this. It depends.

> Internal services are accessed by FIFOs, SHMAT {i.e. shared segments} or
> the AF_UNIX domain kind of sockets {not AF_INET public TCP/IP sockets}.

Not every Linux process uses UNIX domain sockets or named pipes for
IPC without networking.

Yours,
VB.
--
Wanting to learn networking fundamentals on Windows is like gaining your
first sexual experiences with a prostitute: the passion is missing, you
do not learn what really matters, and the chance of catching something
nasty is high. (Lukas Graf in d.c.s.m)
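As an added example that is not part of the thread, the check Moe Trin's and Jeff B's points turn on: which address each listening TCP service is actually bound to, read from the /proc/net/tcp layout. The listing below is constructed; a daemon bound to 0.0.0.0 answers on lo and on every NIC alike, so what limits exposure is the bind address and the packet filter, not whether lo exists.

```python
# Audit listening TCP sockets by bind address (Linux /proc/net/tcp format).
# Added example; the sample listing is constructed, not a real host.
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed rows: a daemon on all addresses (port 22), one on loopback
# only (3306), one on a single NIC address (8080), plus one established
# connection that is not a listener and must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 12346 1 0 100 0 0 10 0
   2: 0101A8C0:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0 100 0 0 10 0
   3: 0100007F:0CEA 0100007F:9C40 01 00000000:00000000 00:00000000 00000000   106        0 12348 1 0 20 4 30 10 -1
"""


def parse_listeners(text):
    """Yield (ip, port, uid) for every socket in LISTEN state."""
    out = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the IPv4 address as a little-endian 32-bit hex word.
        ip = socket.inet_ntoa(struct.pack("<L", int(hex_ip, 16)))
        out.append((ip, int(hex_port, 16), int(fields[7])))
    return out


def classify(ip):
    """Exposure class of a bind address."""
    if ip == "0.0.0.0":
        return "wildcard"            # reachable on lo and on every NIC
    if ip.startswith("127."):
        return "loopback-only"       # only the host itself can connect
    return "interface-specific"      # reachable via that NIC's address


def audit(text):
    """Map (ip, port) of each listener to its exposure class."""
    return {(ip, port): classify(ip) for ip, port, _uid in parse_listeners(text)}


def exposed_services(text):
    """Listeners that outside hosts could reach, i.e. not loopback-only."""
    return sorted(k for k, v in audit(text).items() if v != "loopback-only")


if __name__ == "__main__":
    for (ip, port), kind in sorted(audit(SAMPLE_PROC_NET_TCP).items()):
        print(f"{ip}:{port:<5} {kind}")
```

On a live system, pass the contents of /proc/net/tcp to audit() to get the same report for the real listeners.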
