Re: Why does Debian allow all incoming traffic by default




On Fri 21 Sep 2018 at 21:32:45 +0300, Reco wrote:

> 	Hi.
> 
> On Fri, Sep 21, 2018 at 07:14:03PM +0100, Brian wrote:
> > On Fri 21 Sep 2018 at 19:25:22 +0300, Reco wrote:
> > 
> > > 	Hi.
> > > 
> > > On Fri, Sep 21, 2018 at 08:55:21AM -0400, Henning Follmann wrote:
> > > > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > > > Hi,
> > > > > 
> > > > > I am using Debian and recently I learned that a standard Debian
> > > > > installation allows all 3 types of traffic, especially incoming, by default.
> > > > > I know I can easily use iptables to tighten the rules but I wanted to know
> > > > > the reasons behind the choice of this default behaviour and if it makes the
> > > > > system more vulnerable? I tried searching on the Internet but did not get
> > > > > any satisfactory explanation. It will be helpful if anybody knows the
> > > > > answers to my questions or can redirect me to a helpful document.
> > > > > 
> > > > 
> > > > The answer is easy. Because Debian is awesome (TM). So are most other
> > > > distributions.
> > > 
> > > Hear, hear.
> > > 
> > > > Run a netstat -t -l and you will see there is nothing listening. So what is
> > > > the point of running a firewall?
> > > 
> > > The point is to be a good netizen, as always. By running any sane kind of
> > > packet filter you're avoiding participating in a TCP RST attack.
> > 
> > How do you attack when (as Henning Follmann says) nothing is listening?
> 
> A TCP RST attack requires exactly that. That, and an absence of a
> firewall.

You have given much food for thought. Thank you.
> 
> > There is no point with a standard Debian installation (which is what the
> > OP inquired about). Debian is already a good netizen.
> 
> Good person makes a TCP connection to an unprotected (as in - no firewall
> interference) host. Since there's nothing on the host that listens on the
> appropriate TCP port - host's kernel sends back a TCP RST packet.
> Good person's connection terminates, everyone's happy. That's how it
> goes in your typical LAN.
> 
> Evil person makes a TCP connection to unprotected host, but forges
> source IP. Host sends TCP RST to this forged IP, host acting as a
> 'reflector' to an attack. And being a bad netizen at the same time.
> 
> Evil person takes as many of such hosts as possible - and there goes
> your old-fashioned RST DDOS.
> 
> I recall that you've stated that your servers do not run any kind of
> packet filter. So, just in case - one cannot harm the reflector that
> way.

They don't. And, I still think the OP is fussing over nothing.

> So, in this regard Debian is imperfect, but at least they give you the right
> tools to solve the problem (iptables suite), and do not force braindead
> firewall policies by default (like RHEL does).

If I used a packet filter I would want to base its use on something sensible.
Your post might help me to do it.

-- 
Brian.
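
Added example, not part of the thread: a simplified Python model of the behaviour discussed above, showing what a host sends back to the (possibly forged) source of an unsolicited TCP SYN under different `iptables -S INPUT` rule sets. The rule listings are constructed, the function names are hypothetical, and only a small subset of iptables matches is understood.

```python
import shlex

# Constructed `iptables -S INPUT` listings, not taken from the thread.
NO_FILTER = "-P INPUT ACCEPT\n"
DEFAULT_DROP = """-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""
RESET_REJECT = """-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
"""
KNOWN = {"-i", "-p", "-m", "--dport", "--ctstate", "-j", "--reject-with"}

def verdict(rules, dport, iface="eth0"):
    """First-match verdict for a NEW inbound TCP SYN to dport on iface.
    Simplified: rules using negation or options outside KNOWN are skipped."""
    policy = "ACCEPT"
    for line in rules.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["-P"]:
            policy = tok[2]
        if tok[:1] != ["-A"] or "!" in tok:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))
        if not set(opts) <= KNOWN:
            continue
        lo, _, hi = opts.get("--dport", "0:65535").partition(":")
        if (opts.get("-i", iface) != iface
                or opts.get("-p", "tcp") not in ("tcp", "all")
                or not int(lo) <= dport <= int(hi or lo)
                or "NEW" not in opts.get("--ctstate", "NEW").split(",")):
            continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"], opts.get("--reject-with")
    return policy, None

def reply_to_syn(rules, dport, listening):
    """What the host sends to the SYN's (possibly forged) source address."""
    target, reject_with = verdict(rules, dport)
    if target == "DROP":
        return "nothing"
    if target == "REJECT":
        return "RST" if reject_with == "tcp-reset" else "ICMP error"
    return "SYN-ACK" if dport in listening else "RST"
```

With `NO_FILTER` a closed port answers with an RST, which is the reflected packet described in the thread; `RESET_REJECT` shows that a filter rejecting with `tcp-reset` still sends one, while a default-drop policy sends nothing.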