"Brian T. Brunner" <brian.t.brunner at gai-tronics.com> wrote:

> Until then, a (stubbornly) broken distro will persuade me
> to try something else. That's why I left Windows, I guess,
> if you prognosticate correctly, it will be why I leave
> RedHat/CentOS.

Actually, NT has some excellent RBAC/MAC. And it utterly breaks 99.9% of Windows apps.

> btw this has nothing to do with Firewalls at all.
> I bought a firewall (router) and use it.

Once again, you made my point for me! You're using an "allow all outgoing" firewall. If you reconfigured it as a "deny all outgoing" firewall, like a corporate LAN, DMZ, etc., it would be "broken" in your terms. That is the most relevant analogy I can think of. Apparently, you didn't understand that analogy at all.

> If I had to upgrade firewall firmware versions, and the new
> versions broke running applications, I'd consider the new
> firewall firmware BROKEN.

Damn, you just made my point again! Some SOHO firewalls just allow protocols to open up service ports for compatibility, which basically allows remote systems to open arbitrary ports into your network. The firewalls that turn this off by default, in your terms, are "broken" and wouldn't sell. Especially if the firewall config was proper -- and took you through dozens (if not hundreds) of confusing prompts on why you shouldn't enable various protocols. You just want it to "work, dammit!" But you don't want to know one thing about why you shouldn't enable something -- even though it's a _massive_ hole!

There is the farce out there that protocols are well behaved. Do you know how many protocols allow things to come right into your network? Especially because the firewall doesn't want to be thought of as "broken", so it just allows things in?

SELinux is _not_ an "upgrade." SELinux is a new set of kernel-enforced _policies_. It's just like going beyond shutting off problematic clients from getting out -- and instead changing your _entire_ firewall policy to _deny_ all outgoing traffic by default. From there, you allow only select traffic out. And you can be damn sure that a crapload of clients will _not_ work no matter what you do -- because their protocols were piss-poor designed in the first place.

> As is, I don't mind SELinux, because I can disable it
> at installation time.

But don't make broad statements like you are. Your statements go beyond preference; they are technically _false_!

> I will continue to do so until it is no longer broken.

Just like deny all outgoing firewalls are _just_as_broken_. Again, you just made my case for me better than anything I could have said. You don't seem to know why deny all outgoing firewalls exist either. Hence why you don't know why SELinux exists either.

The reality is that with SELinux, we don't trust software _until_ it is explicitly allowed to access things. Modes like "permissive" use the opposite of that logic, and are more compatible. Just like deny all outgoing firewalls block _all_ outbound traffic _until_ it is explicitly allowed. And why most people just enable allow all outgoing (including every single SOHO device you'll find at the superstore). Do you understand now?

-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org  | (please excuse any
http://thebs413.blogspot.com/ | missing headers)
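The "allow all outgoing" vs "deny all outgoing" policies the message keeps returning to, written out as an added example that is not part of the original post or of any distro's shipped configuration. It renders one outbound allowlist as an nftables ruleset in three modes: the SOHO default (chain policy accept, no rules), a "permissive" rendering that keeps policy accept but logs everything the allowlist would not cover (the same watch-before-you-enforce idea as SELinux permissive mode), and the enforcing rendering with chain policy drop. The resolver address, the permitted TCP ports and the `nft -c` check are assumptions for the example, not values taken from the thread.

```shell
#!/bin/sh
# Added example, not part of the original post: one outbound allowlist
# rendered as an nftables ruleset in three modes. The resolver address,
# the permitted TCP ports and the use of "nft -c" are assumptions.

RESOLVER="192.0.2.53"       # assumed: the only resolver clients may query
ALLOWED_TCP="22, 80, 443"   # assumed: the only outbound TCP services permitted

# outbound_ruleset MODE  -> nftables ruleset on stdout (returns 2 on bad MODE)
#   allow-all  : chain policy accept and no rules; what a superstore
#                SOHO router ships with
#   permissive : chain policy still accept, but anything the allowlist
#                does not cover is logged (same idea as SELinux
#                permissive mode: see what would break before enforcing)
#   enforcing  : chain policy drop; only the explicit accepts get out,
#                everything else is logged and dropped
outbound_ruleset() {
    mode="$1"
    case "$mode" in
        allow-all)  policy="accept"; final="" ;;
        permissive) policy="accept"; final='log prefix "outbound-would-drop: " counter' ;;
        enforcing)  policy="drop";   final='log prefix "outbound-dropped: " counter drop' ;;
        *) echo "usage: outbound_ruleset allow-all|permissive|enforcing" >&2; return 2 ;;
    esac

    printf 'flush ruleset\ntable inet filter {\n'
    printf '    chain output {\n'
    printf '        type filter hook output priority 0; policy %s;\n' "$policy"
    if [ "$mode" != "allow-all" ]; then
        # The allowlist: loopback, replies on connections already accepted,
        # DNS to our resolver only, and new connections to a few TCP services.
        printf '        oif "lo" accept\n'
        printf '        ct state established,related accept\n'
        printf '        ip daddr %s udp dport 53 accept\n' "$RESOLVER"
        printf '        ip daddr %s tcp dport 53 accept\n' "$RESOLVER"
        printf '        tcp dport { %s } ct state new accept\n' "$ALLOWED_TCP"
        # Every other packet reaches this rule and then the chain policy.
        printf '        %s\n' "$final"
    fi
    printf '    }\n}\n'
}

# syntax_check MODE -> runs "nft -c" (check only, nothing is applied) when
# nft is installed; otherwise says so and returns 0 so the script still
# works on a box without nftables.
syntax_check() {
    if command -v nft >/dev/null 2>&1; then
        outbound_ruleset "$1" | nft -c -f -
    else
        echo "nft not installed; skipping syntax check for $1" >&2
    fi
}

# Stand-alone use:
#   outbound_ruleset permissive | nft -f -    # as root: log first
#   outbound_ruleset enforcing                # inspect the drop version
#   syntax_check enforcing                    # check it without applying
```

Run the permissive ruleset first and watch the kernel log for `outbound-would-drop:` entries; each one is a client that will "break" the moment you switch to the enforcing ruleset, which is exactly the class of software the message is talking about. The SELinux equivalent of that switch is `setenforce 0` / `setenforce 1` (and `getenforce` to read the current mode), with the would-be denials showing up as AVC messages in the audit log instead of firewall log lines.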