Re: Why does Debian allow all incoming traffic by default
- Date: Sat, 22 Sep 2018 05:12:38 -0400
- From: Gene Heskett <gheskett@xxxxxxxxxxx>
- Subject: Re: Why does Debian allow all incoming traffic by default
On Saturday 22 September 2018 03:34:45 Pascal Hambourg wrote:
> On 21/09/2018 at 19:09, Dan Ritter wrote:
> > Let's suppose Debian installs a basic firewall by default. How
> > basic? Let's say:
> > - outbound: permit
> > - forward: deny
> > - inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
> > response to an outbound packet
> Why should unsolicited NTP, DHCP and DNS inbound packets be allowed?
Because you can set an NTP-corrected machine as a broadcaster, therefore
reducing the load on the tier 2 servers such as Debian maintains by
using their pool.debian.org or the tier 1 servers at pool.ntp.org. That
way I have 7 machines here, all synchronized to the first or 2nd tier of
time servers on the planet. This machine is a slave to my router, it
broadcasts to the other 6 machines, so I have all synched and well
within a millisecond.
One could use his main machine that way.
Some routers can also serve as servers, dd-wrt installed on a Buffalo
NetFinity can also do this. So it has become the broadcaster to all my
NATed home network. I finally did that conversion last spring, cutting
out the 2nd ntp request traffic.
> Why should only TCP inbound responses be allowed? What about
> UDP-based protocols, ping replies (ICMP echo reply), ICMP error
> messages, and so on?
I probably should have iptables running on all my machines, but in 15
years, only one person has gotten through dd-wrt to this machine, and I had
to give him the login credentials, I needed help configuring something,
on a long since replaced fedora install. So there is no firewall
enabled on any of the machines here. And because every time Andrew
Tridgell sits down at a keyboard cifs dies, same for NFS, I've found that
ssh and sshfs as local networking tools Just Work, so I don't have to
putz nearly as much with access maintenance. No NFS shares, no samba/cifs
shares. And life is so much simpler.
Computers should work for you, not the other way around, forcing you to
remember how to push 17 buttons just to answer an incoming email. This
message only required 1 button click and all this typing. Everything
else is handled automatically by scripts.
Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
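The baseline Dan Ritter sketched (outbound permit, forward deny, a short list of inbound services plus responses) and Pascal Hambourg's objection that "TCP responses only" leaves out UDP replies, ping replies and ICMP errors can both be expressed as one stateful nftables ruleset. The script below is an added example written for this thread, not anything posted by the participants or shipped by Debian. It uses a connection-tracking rule so replies to anything the host initiated are admitted regardless of protocol, and it keeps the unsolicited UDP 123 accept that a broadcast NTP client such as Gene describes would need. The `--apply` path, the `nft` invocation, and the choice of ports are assumptions on my part; by default the script only prints the ruleset so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful host firewall baseline in
# nftables syntax. Default action is to print the ruleset; pass --apply to
# load it with nft (assumption: nft is installed and you are root).

# Emit the ruleset text on stdout. Nothing here touches the kernel.
baseline_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # Replies to anything this host started: TCP sessions, UDP answers
        # (DNS, NTP client queries) and ICMP echo replies all match here,
        # so no per-protocol "response" rule is needed.
        ct state established,related accept
        ct state invalid drop
        # ICMP errors (needed for PMTU discovery and sane timeouts) and ping.
        meta l4proto icmp icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept
        meta l4proto icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # Unsolicited inbound the thread proposes. DHCP offers arrive on
        # udp/68 and may not be tracked; udp/123 is only needed if this host
        # listens for NTP broadcasts or serves NTP; udp/tcp 53 only if it runs
        # a resolver. Drop the lines you do not serve.
        udp dport 68 accept
        udp dport 123 accept
        udp dport 53 accept
        tcp dport 53 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset to the file named in $1 and print the path back.
write_ruleset() {
    baseline_ruleset > "$1" || return 1
    printf '%s\n' "$1"
}

# Load the ruleset. Assumes the nft CLI; checks syntax (-c) before applying.
apply_ruleset() {
    tmp="${TMPDIR:-/tmp}/baseline.nft"
    write_ruleset "$tmp" > /dev/null || return 1
    command -v nft > /dev/null 2>&1 || { echo "nft not found" >&2; return 1; }
    nft -c -f "$tmp" || return 1
    nft -f "$tmp"
}

if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
else
    baseline_ruleset
fi
```

Run it without arguments to review the generated rules; `sh baseline.sh --apply` loads them. On a Debian host the persistent equivalent is to drop the printed text into `/etc/nftables.conf` and enable the `nftables` service, which is outside this script.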