[rescue] firewalling windoze crap

Jonathan C. Patschke jp at celestrion.net
Sat Aug 16 20:16:42 CDT 2003

On Mon, 11 Aug 2003, Phil Schilling wrote:

> IPFILTER_DEFAULT_BLOCK is in the compiled kernel and you are only
> allowing the standard outgoing connections, http, httpd, smtp, pop3, etc
> you should be safe.

Well, yeah, but that wasn't (strictly) the question.  That should be the
protocol for all systems, whether workstation or server, with whatever
else is NEEDED opened up in the configuration.

> I have 40+ NetBSD firewalls out there running such a setup, most in
> front of WinBloze networks and did not have a single compromised
> machine.  When I set up my firewalls the only incoming ports are from
> my machines to port 22 and any few ports that they may need specifically.

These worms underscore two things:

  1) Microsoft products suck.
  2) People who don't put firewalls on corporate networks or otherwise
     cause servers to be directly exposed should be tossed out the door.

A fault in the OS (no matter how glaring) should not cause a system to
be compromised if that fault is localized in a service that should NEVER
be exposed to the Internet, anyway.  Thus, I put pretty-much equal blame
on Microsoft and negligent firewall administrators.

Jonathan Patschke   )  "We're Texans.  We figure out ways to do these
Elgin, TX          (    things..."                    --Bill Bradford

More information about the rescue mailing list