original sheeva kernel needs some work

[vinceskahan]

Just got my Sheeva yesterday (after 38 days) and have been poking around a little on it.  I was pretty much floored by the fact that the box comes as-is with a active read-write samba share 'and' no iptables support built into the kernel at all.

Yes I know it's a dev kit and developers are expected to have a clue, but since it's so cheap and pretty good right out of the box the thought struck me that we'll likely see a clueless-newbie market as soon as they work out the manufacturing backlog issues.

Are there plans to update the from-the-vendor kernel and base os to something less "totally wide open so go forth and trash me please" initial configuration ?

[Rabeeh Khoury]

The iptable note is not clear. Why do you need iptable enabled by default?

I think the assumption is that if you are smart enough to configure your gateway to access the plug remotely; then you probably want to manually install iptable and recompile your own kernel.

Anyhow Marvell provides all sources available to be modded as you like.

[vinceskahan]

The iptable note is not clear. Why do you need iptable enabled by default?

Because the Internet is a dangerous place.

At a minimum the default kernel should have iptables built in and the os should have the iptables command-line utilities present so folks can lock their box down right away.

Yes I know we "can" get/compile/configure out own kernels to add it in, but my opinion is any commercial product should have this there as a minimum.

[jmknapp]

BTW, what smb share is set up by default? Just checked my conf file & it only has the shares I set up, although maybe I'm not recalling having deleted one earlier.

One thing I found setting up iptables on the plug--it's best to just have a serial connection permanently set up on the mini-usb as a console of last resort, as it's very easy to lock out ssh when fiddling around.

Joe

[plugit]

Because the Internet is a dangerous place.

I think it's not an unreasonable assumption that the plug would exist behind a dedicated firewall. Do people still put computers directly on the Internet? I don't think I've seen that done in over ten years.

[finndo]

Because the Internet is a dangerous place.

I think it's not an unreasonable assumption that the plug would exist behind a dedicated firewall. Do people still put computers directly on the Internet? I don't think I've seen that done in over ten years.

That is my intention with the Sheeva, I am going to set it up as my firewall, and with a giga-switch it will be my router as well.  I just got mine on monday, and have been playing with it, and now having been to this site, I realize I need to update the kernel before proceding.  I also have some screen shots of setting up the serial port in vista that I took, in addition to unboxing pics.  it's cute, but runs hot to the touch.

[caseih]

I run numerous servers (web, mail, etc) on the big, bad internet without any firewall at all.  There is no problem.  A firewall simply cannot protect you from insecure applications anyway.   In other words, on my mail server only port 25, 465, 143, 110, 993, and 995 are even open and I want them open.  Hence iptables does nothing.  Even if iptables was running it would do nothing to protect the server from being attacked through these services.

Really iptables is most effective at controlling traffic flowing across the device (IE a routing firewall).  Sometimes iptables is useful for controlling access to certain services by certain subnets.  But really that's a kludge (albeit useful one) to compensate for the fact that some services are extremely braindead and don't allow you to control which interfaces it is listening for, or doesn't have any concept of ACLs.  I was finally forced to run iptables on my VPS when I needed to use NFS once.  And then later my VPS became my openvpn concentrator and I needed iptables to control access between my various private subnets (one subnet per household in my family... privacy needed to be controlled).

All that said, however, I needed iptables on my plug computer as well, for reasons that have to do with dans guardian filtering.  So I ended up installing the 2.6.30rc8 kernel.  It worked great.  Before I installed it, though, I netbooted it over tftp to make sure it would work for me.  when it did, I simply overwrote the original kernel in uboot.  I do agree with you, however, that having a more functional kernel ship stock would be ideal.  Most folks won't need iptables, but some might, so it may as well come with the ko modules anyway.

[vinceskahan]

I run numerous servers (web, mail, etc) on the big, bad internet without any firewall at all.  There is no problem.  A firewall simply cannot protect you from insecure applications anyway.   In other words, on my mail server only port 25, 465, 143, 110, 993, and 995 are even open and I want them open.  Hence iptables does nothing.  Even if iptables was running it would do nothing to protect the server from being attacked through these services.

Understand your point, but it's really irrelevant.

The vendor should be delivering an operating system containing iptables and the matching kernel modules to permit the user to set up a firewall if they so choose.  The decision to set up a firewall (or not) is of course the user's, but the software as delivered by the vendor should make "yes" a possibility without requiring software updates.

I also disagree with your position that your approach is sufficient, but that's a whole other discussion I'd prefer to not get into.  It's clear your mind is made up that no firewall is needed.

I might add that the rc7 updated kernels look great.  Now if iptables was just in the vanilla distro so no apt-get was needed :-)