| 1 |
On December 4, 2014 8:12:58 AM PST, Andrew Savchenko <bircoph@g.o> wrote: |
| 2 |
> |
| 3 |
>Yes. But booting as much services as possible is even more |
| 4 |
>preferable, especially when box is remote. |
| 5 |
|
| 6 |
Are you sure booting most, but not all, services in a loop is always better than booting none of them at all? What if I have an insecure dæmon listening on TCP, I need it running, but I want to ensure only local processes can connect to it? Obviously, I would make it “need iptables”, assuming the dæmon doesn’t have its own bind address config knob. |
| 7 |
|
| 8 |
What if now, by some accident, iptables ends up in a loop (maybe not even a loop including $insecure_service, but some other loop entirely), and it’s the randomly chosen victim? Is it still good to boot as many services as possible? I think not. |
| 9 |
|
| 10 |
-- |
| 11 |
Christopher Head |
Archives