
Re: Why does Debian allow all incoming traffic by default
On Saturday 22 September 2018 03:34:45 Pascal Hambourg wrote:

> On 21/09/2018 at 19:09, Dan Ritter wrote:
> > Let's suppose Debian installs a basic firewall by default. How
> > basic? Let's say:
> >
> >      - outbound: permit
> >      - forward: deny
> >      - inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
> >        response to an outbound packet
>
> Why should unsolicited NTP, DHCP and DNS inbound packets be allowed?
>
Because you can set an NTP-corrected machine as a broadcaster, therefore 
reducing the load on the tier 2 servers such as Debian maintains by 
using their pool.debian.org or the tier 1 servers at pool.ntp.org. That 
way I have 7 machines here, all synchronized to the first or 2nd tier of 
time servers on the planet. This machine is a slave to my router, it 
broadcasts to the other 6 machines, so I have all synched and well 
within a millisecond.

One could use his main machine that way.
Some routers can also serve as servers; dd-wrt installed on a Buffalo 
NetFinity can also do this. So it has become the broadcaster to all my 
natted home network. I finally did that conversion last spring, cutting 
out the 2nd ntp request traffic.

> Why should only TCP inbound responses be allowed? What about
> UDP-based protocols, ping replies (ICMP echo reply), ICMP error
> messages, and so on ?

I probably should have iptables running on all my machines, but in 15 
years, only one person has gotten thru dd-wrt to this machine, and I had 
to give him the login credentials, I needed help configuring something, 
on a long since replaced fedora install.  So there is no firewall 
enabled on any of the machines here. And because every time Andrew 
Tridgell sits down at a keyboard cifs dies, same for NFS, I've found that 
ssh and sshfs as local networking tools Just Work, so I don't have to 
putz near as much with access maintenance. No NFS shares, no samba/cifs 
shares.  And life is so much simpler.

Computers should work for you, not the other way around, forcing you to 
remember how to push 17 buttons just to answer an incoming email.  This 
message only required 1 button click and all this typing. Everything 
else is handled automatically by scripts.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
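Added example, not part of this thread or of Debian's installer: the "basic firewall" Dan Ritter sketched in the quoted message, written as two nftables rulesets. The first takes "any TCP packet which is a response" literally (an ACK-flag match), which is exactly the gap Pascal's second question points at: UDP replies, ping replies and ICMP errors all get dropped, and a forged ACK-only packet gets in. The second uses conntrack state, so replies of every protocol are accepted without a blanket hole, and the unsolicited NTP/DHCP/DNS cases (including the LAN NTP broadcast setup Gene describes, which conntrack cannot pair with any request) are accepted only on the LAN side. The interface name "lan0" and the ssh/DNS rules are assumptions for the example; `nft` is the real nftables front end, and the script only applies the ruleset when run as root with APPLY=1.

```sh
#!/bin/sh
# Added example, not from the thread. Two nftables rulesets for the policy
# Dan Ritter sketched: outbound permit, forward deny, inbound NTP/DHCP/DNS
# plus replies. "lan0" is an assumed LAN interface name; adjust to yours.

# Version 1: "any TCP packet which is a response" read literally.
# An ACK-flag match is a weak stand-in for statefulness: UDP replies (DNS,
# NTP client queries) and ICMP are not covered, so the author has to punch
# blanket UDP holes instead, and a forged ACK-only packet passes the filter.
naive_ruleset() {
cat <<'EOF'
table inet naive {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    tcp flags & (syn|ack) == ack accept
    udp dport { 53, 67, 68, 123 } accept
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# Version 2: the same intent done statefully. conntrack pairs replies of any
# protocol (TCP, UDP, ICMP echo replies and ICMP errors) with the outbound
# packet that caused them, so only genuinely unsolicited traffic needs rules.
stateful_ruleset() {
cat <<'EOF'
table inet basic {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept   # replies: TCP, UDP and ICMP alike
    ct state invalid drop
    icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, time-exceeded, parameter-problem, destination-unreachable } accept
    # DHCP replies go to a new destination (broadcast or the offered address),
    # so conntrack cannot match them to the request; allow them explicitly.
    iifname "lan0" udp sport 67 udp dport 68 accept
    # NTP broadcast from a LAN time server is unsolicited as far as conntrack
    # is concerned, so a client of such a broadcaster must accept it explicitly.
    iifname "lan0" udp dport 123 accept
    # Only a host that serves DNS to the LAN needs these; drop them on clients.
    iifname "lan0" udp dport 53 accept
    iifname "lan0" tcp dport 53 accept
    # ssh from the LAN, the local tool the message above relies on.
    iifname "lan0" tcp dport 22 accept
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# Number of rules in a ruleset that rely on connection-tracking state.
count_state_rules() {
  "$1" | grep -c 'ct state' || true
}

# Syntax-check the stateful ruleset (nft -c) and, if it parses, load it
# atomically (nft -f). Falls back to printing it where nft is absent.
apply_stateful() {
  if ! command -v nft >/dev/null 2>&1; then
    echo "nft not installed; printing ruleset instead" >&2
    stateful_ruleset
    return 0
  fi
  stateful_ruleset | nft -c -f - && stateful_ruleset | nft -f -
}

# Stand-alone run: show both rulesets; apply only as root with APPLY=1.
naive_ruleset
stateful_ruleset
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
  apply_stateful
fi
```

The point to take from the two versions is that the list of "services to accept inbound" is much shorter once replies are handled by state rather than by protocol guesswork: on a plain client only the DHCP and NTP-broadcast lines remain, and each of them is there because the packet in question cannot, by its nature, be paired with an outbound request.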