Web lists-archives.com

Re: Why does Debian allow all incoming traffic by default




On Fri, Sep 21, 2018 at 09:02:26AM +0530, Subhadip Ghosh wrote:
> Hi Roberto,
> 
> On Friday 21 September 2018 08:51 AM, Roberto C. Sánchez wrote:
> > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > Hi,
> > > 
> > > I am using Debian and the recently I learned that a standard Debian
> > > installation allows all 3 types of traffics especially incoming by default.
> > What do you mean by "all 3 types of traffics"?
> Incoming, Outgoing and Forward

I see.

Blocking incoming and forwarded traffic would probably not be surprising
to many people.  However, blocking outgoint traffic would be exceedingly
confusing to many people.

> > > I know I can easily use iptables to tighten the rules but I wanted to know
> > > the reasons behind the choice of this default behaviour and if it makes the
> > > system more vulnerable?
> > The behavior you observe is likely because that is the best default that is
> > universally applicable.
> But does it make the system more vulnerable in any way to attacks over the
> network? And how will a new Debian user would know of this behaviour? I
> don't even see it mentioned on the Stretch Installation manual anywhere.

I see.  Perhaps the Debian Administrator's Handbook, Chapter 14 is what
you are looking for:

https://www.debian.org/doc/manuals/debian-handbook/security.en.html

While there is possibly an argument that not configuring a firewall by
default introduces some vulnerability, it is equally valid to argue that
there are no sensible default firewall policies that can be put into
place without a defined threat model.

I suspect that the vast majority of people deploying systems are doing
so behind some sort of device that provides border security to the local
network (e.g., router/firewall/NAT/etc.).  So, if the default threat
model is "a relatively trusted network with adequate border security"
then the current default is appropriate.

Those who deploy systems directly to a location where they are in
immediate contact with the public Internet should already understand the
ramifications of that decision and tailor their installation process
accordingly.

Regards,

-Roberto

-- 
Roberto C. Sánchez