ubuntu-phone team mailing list archive
Message #11841
Re: do we have a firewall in the phone?
On 03.04.2015 at 21:58, Matthias Apitz wrote:
> On Friday, April 03, 2015 at 09:47:33PM +0200, Michał Sawicz wrote:
>
>>>> Isn't not listening on any outside port better than putting a firewall
>>>> on the device? If you find a service that is actually listening on the
>>>> device, that'd definitely be a bug that needs fixing.
>>>
>>> The device is at least (after enabling SSH) listening on port 22.
>>
>> Yes, after enabling it, which is a developer thing to do.
> Yes, but after enabling this, it is always there; and even in dev mode
> it could be protected by some access-list, or firewall;
Not a priority for a phone that still lacks a bit of normal user
features I'd say. As a more tech-y person you can easily use iptables to
do this on your phone. Not supported, so YMMV.
>>>> Can you describe an attack vector you're imagining that would require a
>>>> firewall to be installed on the device?
>>>
>>> The above mentioned port 22 and any other any app may LISTEN on.
>>
>> Apps are confined, they can not open ports to listen on.
> I did not know this, that apps can not open any LISTEN.
See the wiki for some details, although that does not speak of listening
in particular.
https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement
> And, what about DSO attacks?
You mean DoS? Maybe I'm out of my depth here, but if the packets are
just dropped because there's nothing listening on a port, isn't that the
best prevention of DoS?
--
Michał Sawicz <michal.sawicz@xxxxxxxxxxxxx>
Canonical Ltd.
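
One way to check the point made in this thread (that nothing should be listening on an outside address), as an added example that is not part of the original message: a Python sketch that parses the `/proc/net/tcp` format and reports LISTEN sockets bound to non-loopback addresses. The sample table is constructed, and little-endian address encoding (as on typical ARM and x86 devices) is assumed.

```python
import ipaddress
import os
import struct

TCP_LISTEN = 0x0A  # "st" column value for a listening socket

# Constructed sample in /proc/net/tcp format (not captured from a real phone).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A00A8C0:0016 0B00A8C0:C5A2 01 00000000:00000000 00:00000000 00000000     0        0 1003 1
"""


def decode_addr(hex_addr):
    """Decode the kernel's hex address (8 hex chars for IPv4, 32 for IPv6)."""
    raw = bytes.fromhex(hex_addr)
    # Each 32-bit word is printed in host byte order; little-endian is assumed.
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    return ipaddress.ip_address(struct.pack(">%dI" % len(words), *words))


def exposed_listeners(table_text):
    """Return sorted (address, port) pairs for LISTEN sockets not on loopback."""
    found = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        addr = decode_addr(hex_addr)
        if not addr.is_loopback:  # 0.0.0.0 and :: count as reachable from outside
            found.append((str(addr), int(hex_port, 16)))
    return sorted(found)


if __name__ == "__main__":
    # On a Linux device read the live tables; otherwise use the constructed sample.
    paths = [p for p in ("/proc/net/tcp", "/proc/net/tcp6") if os.path.exists(p)]
    tables = [open(p).read() for p in paths] or [SAMPLE_PROC_NET_TCP]
    for table in tables:
        for addr, port in exposed_listeners(table):
            print("listening on %s port %d" % (addr, port))
```

In the constructed sample, only the SSH listener on `0.0.0.0:22` is reported; the loopback-only listener and the established connection are ignored.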