Re: [Fwbuilder-discussion] fwbuilder stop
From: Erich T. <eri...@th...> - 2006-05-21 16:54:51
Vadim Kurland ✍ wrote:
>
> On May 21, 2006, at 9:22 AM, Erich Titl wrote:
>
>> Hi Vadim, Ted
>>
>> after stirring it up I might as well say something :-)
>>
>> Vadim Kurland ✍ wrote:
>> ...
>>
>>>> this leaves firewall wide open, I am not sure this is what Erich
>>>> wants.
>>>>
>>>> Erich says:
>>>>
>>>>> Whichever action this would mean is philosophical by nature. Is a
>>>>> shut-down firewall open or closed by definition? My personal
>>>>> preference would be 'lock everything up except for the management
>>>>> interfaces'.
>>>>
>>>> I agree with this definition, except I would permit connections
>>>> _from_ addresses defined in firewall settings instead of _to_
>>>> management interface.
>>
>> Well, this IMHO defeats the definition of the management interface.
>>
>>>> We can tighten it even more and restrict both
>>>> source and destination, but I am not sure this is necessary.
>>
>> It is not, because it can be defined in a normal firewall rule. I may
>> not have completely understood the meaning of the management
>> interface then. What exactly is the purpose of the tick box in the
>> interface? It may be there only for documentation reasons and, as I
>> already mentioned, as a shortcut.
>>
>> Under what circumstances is the management interface needed and used?
>> Typically I allow firewall access under normal operation using
>> firewall rules. If it is only used as a shortcut I would opt to drop
>> it, and thus remove some complexity. If the firewall script has no
>> state then IMHO the management interface serves no purpose :-(
>
> management interface is used by built-in installer to figure out which
> IP address of the firewall it should connect to. Compilers do not use
> it when they generate firewall configuration. I agree this is not
> entirely obvious function... As an excuse, I can point out that GUI
> tooltip that appears if you float mouse cursor over the checkbox
> actually says so ...

Good point, in my case I use putty instances for installation so this
does play a role in my environment.

On the other hand only one management interface should then be allowed,
which AFAIK is not the case. Or will the built-in installer cycle
through all addresses?

cheers
Erich
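The thread compares three "stopped" states: allow traffic _to_ the management interface, allow traffic _from_ a set of management addresses, or restrict both. The script below is an added example written for this page; it is not fwbuilder's own stop script and does not reproduce what fwbuilder generates. It assumes a Linux host with iptables and conntrack support, a management interface named eth0, two management hosts in the 192.0.2.0/24 documentation range, and SSH on tcp/22 (all of these are assumed names and values, settable through environment variables). It implements the tightest of the three options, matching both ingress interface and source address, with default-DROP policies on every chain so the firewall fails closed the moment the rules are loaded.

```shell
#!/bin/sh
# Added example (not fwbuilder code): a fail-closed "stop" policy for an
# iptables firewall that keeps only management access open.
#
# Assumed, not from the original thread:
#   MGMT_IF    - interface the management hosts reach the firewall on
#   MGMT_HOSTS - space-separated list of management host addresses
#   MGMT_PORT  - TCP port of the management service (SSH by default)
MGMT_IF="${MGMT_IF:-eth0}"
MGMT_HOSTS="${MGMT_HOSTS:-192.0.2.10 192.0.2.11}"
MGMT_PORT="${MGMT_PORT:-22}"

# Print the iptables commands for the locked-down state, one per line.
# Order matters: default policies go to DROP *before* the flush, so there is
# no window in which a flushed table falls back to ACCEPT.
# Matching both the ingress interface (-i) and the source address (-s) is the
# "restrict both" option from the thread; drop one of the two conditions to
# get the "to management interface" or "from management addresses" variant.
emit_stop_rules() {
    printf '%s\n' \
        "iptables -P INPUT DROP" \
        "iptables -P FORWARD DROP" \
        "iptables -P OUTPUT DROP" \
        "iptables -F" \
        "iptables -X" \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A OUTPUT -o lo -j ACCEPT" \
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for h in $MGMT_HOSTS; do
        printf 'iptables -A INPUT -i %s -s %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$MGMT_IF" "$h" "$MGMT_PORT"
    done
}

# Number of explicit management allow rules in the generated set. Checking
# this before applying catches an empty or mistyped MGMT_HOSTS, which would
# otherwise lock out every remote session.
count_mgmt_rules() {
    emit_stop_rules | grep -c -- '--dport'
}

# Apply the generated rules. Because OUTPUT defaults to DROP, the firewall
# itself cannot open new connections (DNS, NTP, package downloads) while
# stopped; only replies to the admitted management sessions get out.
# Run this from a console, or arm a watchdog such as
#   (sleep 300 && iptables -P INPUT ACCEPT) &
# first, so a wrong MGMT_HOSTS value does not strand you.
apply_stop_rules() {
    if [ "$(count_mgmt_rules)" -lt 1 ]; then
        echo "refusing to apply: no management hosts would be allowed" >&2
        return 1
    fi
    emit_stop_rules | sh
}
```

`emit_stop_rules` is deliberately separated from `apply_stop_rules` so the rule set can be reviewed (`emit_stop_rules | less`) or diffed against the running firewall before anything touches the kernel. The ESTABLISHED,RELATED accepts keep the session you are applying the rules from alive across the flush.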