Re: Why does Debian allow all incoming traffic by default
- Date: Sat, 22 Sep 2018 12:55:24 +0200
- From: Pascal Hambourg <pascal@xxxxxxxxxxxxxxx>
- Subject: Re: Why does Debian allow all incoming traffic by default
On 22/09/2018 at 11:12, Gene Heskett wrote:
> On Saturday 22 September 2018 03:34:45 Pascal Hambourg wrote:
>> On 21/09/2018 at 19:09, Dan Ritter wrote:
>>> Let's suppose Debian installs a basic firewall by default. How
>>> basic? Let's say:
>>> - outbound: permit
>>> - forward: deny
>>> - inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
>>> response to an outbound packet
>>
>> Why should unsolicited NTP, DHCP and DNS inbound packets be allowed?
>
> Because you can set an ntp corrected machine as a broadcaster
>
>> Does the client NTP daemon accept inbound broadcast messages from any
>> source by default? If so, this seems quite insecure to me and the
>> firewall should not allow this by default. If not, it requires some
>> configuration, and allowing inbound NTP broadcast from the broadcaster
>> address only should be part of this configuration.
>>
>> Why should only TCP inbound responses be allowed? What about
>> UDP-based protocols, ping replies (ICMP echo reply), ICMP error
>> messages, and so on?
>
> I probably should have iptables running on all my machines, but in 15
> years, only one person has gotten thru dd-wrt to this machine, and I had
> to give him the login credentials; I needed help configuring something
> on a long since replaced Fedora install. So there is no firewall
> enabled on any of the machines here. And because every time Andrew
> Tridgell sits down at a keyboard cifs dies, same for NFS, I've found that
> ssh and sshfs as local networking tools Just Work, so I don't have to
> putz near as much with access maintenance. No NFS shares, no samba/cifs
> shares. And life is so much simpler.
>
> Computers should work for you, not the other way around, forcing you to
> remember how to push 17 buttons just to answer an incoming email. This
> message only required 1 button click and all this typing. Everything
> else is handled automatically by scripts.

I do not see how all this replies to my question:

Why should only TCP inbound responses be allowed? What about UDP-based
protocols, ping replies (ICMP echo reply), ICMP error messages, and so on?
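The question about UDP responses, ICMP echo replies and ICMP error messages is exactly what a connection-tracking rule settles. The nftables ruleset below is an added illustration by the editor, not code from any participant in this thread nor from Debian's installer. It follows the outline quoted above (outbound permit, forward deny, restricted inbound) but replaces the "TCP packet which is a response" rule with `ct state established,related`, which also matches UDP replies to outgoing DNS and NTP queries, ICMP echo replies, and ICMP errors that refer to a tracked flow. The NTP broadcaster address 192.0.2.10 is a placeholder for the single trusted source the thread mentions; adjust it or drop that rule.

```nft
#!/usr/sbin/nft -f
# Illustrative default-policy ruleset (editor's example, not Debian's).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic is local by definition.
        iif "lo" accept

        # Stateful matching covers replies of every protocol, not only TCP:
        # UDP answers to our DNS/NTP queries and ICMP echo replies are
        # tracked as "established"; ICMP errors (destination unreachable,
        # fragmentation needed, time exceeded) that refer to a tracked flow
        # are "related". A TCP-only rule would silently break all of these.
        ct state established,related accept
        ct state invalid drop

        # DHCPv4: the server's reply may be broadcast, so conntrack cannot
        # pair it with the outgoing request; allow it explicitly.
        udp sport 67 udp dport 68 accept

        # Unsolicited NTP broadcast only from one known broadcaster
        # (192.0.2.10 is a placeholder address, not from the thread).
        ip saddr 192.0.2.10 udp dport 123 accept

        # IPv6 neighbour discovery is not a tracked flow and must be allowed
        # for IPv6 to work at all; echo-request is optional (answer pings).
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`. To see why the distinction matters, replace the `ct state` line with `meta l4proto tcp ct state established accept`: outbound TCP still works, but a plain UDP DNS lookup times out and `ping` shows requests with no replies, because the answers are no longer admitted.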