
Re: draft-ietf-v6ops-cpe-simple-security-06

On 27 June 2009 at 08:57, Brian E Carpenter wrote:

> On 2009-06-26 16:50, Gert Doering wrote:
>> Hi,
>>
>> On Fri, Jun 26, 2009 at 04:08:47PM +0200, Rémi Després wrote:
>>> - I had to open the Mac to incoming VNC connections from another
>>> computer of the site.
>>> - If I had opened the VNC port in the Mac without disabling IPv6,
>>> this would have opened it also for connections from any host of the
>>> IPv6 global Internet.
>>
>> I'd argue that this is something that should be improved in the
>> "host firewall" - instead of "completely closed" and "opened from
>> everywhere", there should be a third state "open for connections from the
>> local network"...

Same view.
As a matter of fact, I sent a security bug report to Apple suggesting it.

However, the possibility of a minimal security protection in CPEs should IMHO _also_ be available:
- for hosts that don't have good enough firewalls;
- for sites where there are several links and where some ports have to be open for link-to-link connections.

> s/local network/trusted zone/ and this reflects the behaviour of at
> least one very popular personal firewall. I think this is proven safe
> practice, and actually means that with such a personal firewall
> installed, the CPE can be wide open.

Agreed, but applicable only if one can be sure that all hosts of the site, permanent and temporary, have good enough host firewalls.

> Needless to say, this level
> of on-board protection is essential for roaming anyway.

Doesn't it depend on what is meant by "this level"?
(When roaming, closing all ports for ALL incoming calls is typically sufficient. Opening some of them only for intra-link connections is, in my understanding, for hosts in well-known sites.)

> I'd certainly want my CPE to have an option to switch off all
> firewall behaviour.

Agreed, provided the default behavior of unmanaged CPEs remains with a minimal security provision for IPv6.

RD
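An added illustration of the three-state host-firewall policy discussed in the thread (closed / open for the local network only / open to everyone); this is example code written for this page, not part of the thread, any product, or the draft. The site prefixes are constructed example values, and "local" is taken to mean link-local, the site's own global and ULA prefixes, and RFC 1918 IPv4 space.

```python
import ipaddress
from enum import Enum


class PortState(Enum):
    CLOSED = "closed"          # no incoming connections at all
    LOCAL_ONLY = "local-only"  # the proposed third state
    OPEN = "open"              # reachable from any host, IPv4 or IPv6


# Constructed example values for this illustration: the site's delegated
# global IPv6 prefix (documentation range) and its ULA prefix.
SITE_PREFIXES = [
    ipaddress.ip_network("2001:db8:1234::/48"),
    ipaddress.ip_network("fd12:3456:789a::/48"),
]

# Ranges that never reach a host from the global Internet: IPv6 link-local
# and RFC 1918 IPv4 space (the latter only because the CPE does NAT).
ALWAYS_LOCAL = [
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_local(src: str) -> bool:
    """True if the source address belongs to this site (either address family)."""
    addr = ipaddress.ip_address(src)
    # `addr in net` is False when the address families differ, so mixing
    # IPv4 and IPv6 networks in one list is safe.
    return any(addr in net for net in ALWAYS_LOCAL + SITE_PREFIXES)


def allow_incoming(state: PortState, src: str) -> bool:
    """Decide whether an incoming connection from `src` is accepted for a port in `state`."""
    if state is PortState.CLOSED:
        return False
    if state is PortState.OPEN:
        # The case from the thread: with IPv6 enabled, "open" means open to
        # every global address, not just to the site behind the NAT.
        return True
    return is_local(src)


if __name__ == "__main__":
    for src in ("192.168.1.20", "fe80::1", "2001:db8:1234:5::7", "2001:db8:ffff::1"):
        print(f"{src:>22}  local-only -> {allow_incoming(PortState.LOCAL_ONLY, src)}")
```

With the port in the LOCAL_ONLY state, a global IPv6 address outside the site prefix is refused while site hosts using their global addresses still connect; with OPEN, every global address is accepted, which is exactly the exposure described for the VNC port.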