Linked by Thom Holwerda on Mon 12th Dec 2005 15:38 UTC
Microsoft is banking on enhancements to what it has dubbed the fundamentals to entice enterprises to upgrade to the next version of Windows, known as Vista. The company will use upcoming industry shows to sing the praises of improvements to the Windows networking stack and secure networking techniques such as server and domain isolation to sell both Vista and Longhorn, the planned update to Windows Server.
Thread beginning with comment 71775
RE[9]: hahaha hehe
by defile on Tue 13th Dec 2005 04:07 UTC in reply to "RE[8]: hahaha hehe"
Member since: 2005-07-09

Only in the sense that it doesn't have the "overhead" of an iptables ruleset to process. Stateful rules are generally very fast, and non-solicited packets get dropped very quickly (assuming the default policy is DROP). Dropping a packet can be very efficient, especially if you are being portscanned and the packets get dropped vice your stack having to send out a bunch of ICMP packets telling the distant end that the ports being tickled are closed. It is also only safe until the Administrator/root opens a port. At that point it is open to everyone.

Even assuming no ports are ever opened, that TCP/IP stack must process every packet sent to the machine. That presents a couple of problems, assuming there is no border router or firewall preventing it:

1) Someone probing for hosts will get some tactile feedback.

2) Some packets you might not want a TCP/IP stack to process in the first place (I have yet to verify if they have prevented that particular nastiness via sysctl; I'll get back to you on that ;) ).

This isn't meant to be a cut on Ubuntu; I happen to like it a lot. Overall, the default configuration is very safe. It provides a very small attack vector while not limiting connectivity from the host to other hosts offering services. For Linux/networking newbies this reduces complexity considerably. They could still have the same effect with a stateful ruleset in place (and reduce the attack vector even more), but ease of use would be lost a bit when someone enables a service and then also has to figure out how to open ports in the firewall ruleset.

Personally, I feel that if a distribution doesn't enable a stateful ruleset by default, they would do well to at least emulate what Ubuntu does out of the box.

I also forgot to mention Slackware in my earlier post. I really love that distribution, but I don't consider it newbie safe (not that it pretends to be). All ports aren't closed on the default install, nor is there a ruleset in place.

Edited 2005-12-13 04:09

Score: 1
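A stateful, default-DROP ruleset of the kind described in the comment above, written as an added example (not code from this thread) in iptables-save format so it can be reviewed before being applied; the list of ports to open is a constructed input, and nothing is applied by the script itself:

```shell
#!/bin/sh
# Emit a minimal stateful iptables ruleset in iptables-save format.
# Nothing is applied here; feed the output to `iptables-restore` as root.
#   $1  optional space-separated list of TCP ports to open, e.g. "22 80"
stateful_ruleset() {
    open_ports="$1"
    cat <<'EOF'
*filter
# Default policy DROP: anything not explicitly accepted is silently dropped,
# so a port scan gets no RST or ICMP "port unreachable" replies back.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
# Outbound stays open: the host can still reach services on other hosts.
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always allowed.
-A INPUT -i lo -j ACCEPT
# Packets that belong to no known connection (malformed or out-of-state)
# are dropped before the stack is asked to make sense of them.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The stateful part: replies to connections this host initiated come back in.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Each opened port is an explicit, visible exception to the DROP policy.
    for p in $open_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# Count the explicit NEW-connection exceptions in a generated ruleset,
# i.e. how many inbound TCP ports the ruleset actually exposes.
count_open_ports() {
    stateful_ruleset "$1" | grep -c -- '--ctstate NEW' || true
}

# Print the ruleset for the ports given on the command line (none by default).
stateful_ruleset "$*"
```

Apply with `stateful_ruleset "22" | iptables-restore` as root once the printed rules look right; the `-m conntrack` match is the current spelling of the older `-m state --state` form.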

RE[10]: hahaha hehe
by dylansmrjones on Tue 13th Dec 2005 21:11 in reply to "RE[9]: hahaha hehe"
Member since: 2005-10-02

Well, on my Gentoo system I started out with all ports closed, then later added a firewall that starts during boot, using rulesets for incoming and outgoing traffic, pretty much the same way I do it on Windows.

Personally I'd prefer it if all Linux distributions shipped with a firewall started on bootup, even though they can be difficult to configure for some. Creating rulesets isn't that easy for everyone.

The other option is to close all ports, which all distros I've used have done, when they weren't shipped with a firewall.

To me it's a bit difficult to say whether it's part of a distro or not, since I mess around with them so much that I can't remember what changes I made and what was shipped with the distro. Probably brain damage from my LFS time.

Score: 1