
nanog mailing list archives

Re: Microsoft to ship new versions with firewall enabled
From: Daniel Senie <dts () senie com>
Date: Thu, 14 Aug 2003 12:56:25 -0400


At 12:07 PM 8/14/2003, Eric A. Hall wrote:


> on 8/14/2003 9:29 AM Sean Donelan wrote:
>
>> John Markoff reports in the New York Times that Microsoft plans to change
>> how it ships Windows XP due to the worm.  In the future Microsoft will
>> ship both business and consumer versions of Windows XP with the included
>> firewall enabled by default.
>
> Wouldn't it make more sense to ship with all of the services disabled?
>
> I mean, if the role of the firewall is to block packets to weak services,
> wouldn't it be simpler to just disable the damn services since they aren't
> going to be usable anyway?

Ah, no.

There are many services that ARE useful on the local machine, which may not need to listen to the outside world in all configurations. While I think the intent of your question was reasonable, the better way to phrase it would be:

"Wouldn't it make more sense to ship products with services listening only on loopback interfaces, rather than listening on all interfaces?"

The same exact issue applies to every operating system. Indeed, some vendors are dealing with this well. RedHat changed the default configuration of sendmail in RH9 to listen only on 127.0.0.1. The user can change that to listen to the outside IF the machine in question has a need to listen (i.e. it really was intended to be a mail server). This approach is to be commended, and should be followed for other services that may be necessary to run on a local machine, but which need not be reachable from outside the machine.
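
One way to audit a host for the distinction drawn in this message, as an added example that is not part of the original post: it sorts listening TCP sockets into loopback-only, bound to all interfaces, or bound to one specific address. The input is a constructed sample in the layout printed by `ss -ltnH`, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the layout of `ss -ltnH` (listening TCP sockets, no header).
SAMPLE = """\
LISTEN 0 10   127.0.0.1:25      0.0.0.0:*
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 128  [::]:22           [::]:*
LISTEN 0 5    [::1]:631         [::]:*
LISTEN 0 128  192.0.2.10:8080   0.0.0.0:*
LISTEN 0 128  *:111             *:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
"""


def classify(local):
    """Return (scope, address, port) for one 'address:port' local-address field."""
    addr, _, port = local.rpartition(":")
    # Drop an interface suffix such as '%lo', then the brackets around IPv6.
    addr = addr.split("%", 1)[0].strip("[]")
    if addr == "*":
        return "all-interfaces", addr, int(port)
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:          # 127.0.0.0/8 and ::1
        scope = "loopback"
    elif ip.is_unspecified:     # 0.0.0.0 and ::
        scope = "all-interfaces"
    else:
        scope = "specific-address"
    return scope, addr, int(port)


def audit(ss_output):
    """Group every LISTEN socket in the text by how widely it is bound."""
    report = {"loopback": [], "all-interfaces": [], "specific-address": []}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip blank lines and anything that is not a listener
        scope, addr, port = classify(fields[3])
        report[scope].append((addr, port))
    return report


if __name__ == "__main__":
    for scope, sockets in audit(SAMPLE).items():
        print(f"{scope}: {sockets}")
```

Anything reported under `all-interfaces` is a candidate for the loopback-only default the message recommends, unless the machine is meant to offer that service to other hosts.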


