A couple of things that I’m a bit nonplussed by:
- I roll my eyes at the decision to have /bin/sh not be bash. It’s not like it was hard to update my shebangs, or to figure out what the problem was with my scripts, but I’m not sure what I’ve gained by doing so.
- Either I’m blind, or there’s no graphical firewall configuration tool; I have verified that there is no firewall in place. I’m behind a router doing NAT that only forwards SSH, so I’m not going to brush off my l33t iptables skillz, and of course it’s inconceivable that Linux could ever have any security holes or that I could ever inadvertently run a service in an insecure fashion. But really, isn’t a firewall just basic common sense these days?
Bash is too heavyweight to be the default scripting shell, IMHO. Shell scripts should be Posix by default; if you actually depend on bash features, you should say so.
2/1/2007 @ 12:06 am
> I have verified that there is no firewall in place.
Ubuntu doesn’t ship with a firewall, because it doesn’t ship with any externally-accessible services turned on — and the idea is that if you’re competent enough to set such a service up, you can handle providing an iptables rule for it too.
I tend to find firewalls to be nuisances, but I also tend not to run insecure services.
2/1/2007 @ 10:28 am
Normally, I love standards, but Posix has never done that much for me. (Not that I’ve actually, you know, read it or anything.) I’m not using super-fancy features in those scripts, and I’ve never gotten the impression that there’s something special about the minimalism of pure original Bourne shell. Having said that, I’m not entirely comfortable with having sh = bash, either – I guess I’d be happier if there were a standard that had a little bit more functionality in the shell. To be sure, typing two extra characters isn’t exactly an onerous burden.
At first, I liked that firewall argument – I’m all for no configuration if possible. But if installing a service just means doing a simple package install, then it gets weaker – I installed Apache and MySQL over the weekend, and if I didn’t have the router in place protecting me, I’d be thinking twice about doing that without a firewall. (Though with my current configuration, I’m using Apache over a LAN, but the argument would apply if I only had one computer and no router.)
And, even setting aside my eroding iptables skills, it’s not like it’s that braindead easy. Aside from taking the time to learn the syntax and making your first mistakes (and hoping that the mistakes aren’t of the form of inadvertently leaving a hole open), there are interactions with nameservers and NTP servers that, in my past experience, require more coordination than you want to do by hand.
2/1/2007 @ 9:49 pm
I have never actually used any of them, but a quick search in the repositories found a few iptables configuration tools. If you don’t want to bother with iptables syntax then you might want to check them out.
2/1/2007 @ 11:26 pm