Re: Why does Debian allow all incoming traffic by default

On Saturday 22 September 2018 10:52:40 Pascal Hambourg wrote:

> Le 22/09/2018 à 13:31, Dan Ritter a écrit :
> > On Sat, Sep 22, 2018 at 12:55:24PM +0200, Pascal Hambourg wrote:
> >> I do not see how all this replies to my question:
>
> This comment was intended for Gene Heskett.
>
> >> Why should only TCP inbound responses be allowed? What about
> >> UDP-based protocols, ping replies (ICMP echo reply), ICMP error
> >> messages, and so on?
> >
> > Given that my entire point was that no firewall policy other
> > than "configure it yourself" will work, it's really you missing
> > the point to expect me to describe a complete firewall policy tuned
> > to your desires.
>
> It does not matter what your entire point was, and I do not expect you
> to describe a complete firewall policy. *You* exposed a supposedly
> default firewall policy which I happened to find questionable, so I
> questioned it.
>
> You would not have exposed a broken firewall policy on purpose in
> order to prove your point, would you ?

The point I was trying to make is that in close to 2 decades of my 
somewhat volatile home setup, all on 192.168.nn.nn addresses, with 
the exception in my sig being the only forward in the dd-wrt rules, and 
apache2 running in a sandbox to serve my web page, the only person to 
gain access to this network and machine was given the username and 
password to do so by me. My only problem has been someone else logging 
into one of the wifis, which are not bridged to this net but to the 
internet, and using up more bandwidth in a month than I do.  Still under 
my cap by quite a ways, but...

So, since I don't use the radios, ATM they are all turned off; they 
aren't needed until one of my boys comes to visit with a smartphone and 
needs net access.

Take it for what you think it's worth. It does work for me.

IMO, those without a reflashed router running dd-wrt or one of the 
work-alikes between their machines and the internet, running all their 
machines on un-routable addresses, are a bit dumb, asking for trouble, and 
it will find them sooner rather than later unless they've built their 
own firewall.

Yes, there are $35 routers that can be updated to dd-wrt; I have such a 
netgear. But dd-wrt has stuff there is not room for in the more 
memory-limited $35 model, 100% configurable port forwarding being on the 
missing list, so the netgear has logged a couple of weeks when the buffalo 
got forgetful.

Take care Pascal.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
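Pascal's objection above (why would a default policy admit only TCP responses, and what happens to UDP replies, ICMP echo replies and ICMP errors) is easiest to see next to an actual ruleset. The nftables ruleset below is an added illustration written for this archive page; it is not a ruleset posted by anyone in the thread and is not Debian's default. It assumes a Debian host with nftables, an internet-facing interface named "wan0", and SSH on port 22 as the only offered service; those names are assumptions. It shows the stateless "TCP responses only" style of rule, commented out, beside a conntrack-based default-deny policy that handles all three protocol families without per-protocol reply rules.

```nftables
#!/usr/sbin/nft -f
# Added illustration for this thread, not a ruleset anyone in it posted.
# Assumptions: Debian host with nftables, "wan0" is the internet-facing
# interface, and SSH on TCP 22 is the only service offered.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # The kind of rule Pascal objects to, for contrast: a stateless
        # "TCP responses only" match. It admits any segment with ACK set and
        # SYN clear (so ACK-scan probes too), and it does nothing for DNS or
        # NTP replies over UDP, for ICMP echo replies, or for ICMP errors
        # such as destination-unreachable that a TCP or UDP client needs to
        # see. Left commented out; the conntrack rules below replace it.
        # tcp flags & (syn|ack) == ack accept

        # Connection tracking makes the protocol question go away: conntrack
        # records outbound UDP and ICMP echo flows as well as TCP
        # connections, so their replies match "established", and ICMP
        # errors that refer to a tracked flow match "related".
        ct state invalid drop
        ct state established,related accept

        # ICMP that is not a reply to anything we sent but must still get in:
        # echo requests so the box can be pinged (rate limited), and the
        # IPv6 neighbour discovery and router advertisement messages without
        # which IPv6 simply stops working.
        icmp type echo-request limit rate 10/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, mld-listener-query } accept

        # Services actually offered, listed explicitly.
        iifname "wan0" tcp dport 22 accept

        # Everything else: count it, then fall to the chain policy (drop).
        counter drop
    }

    chain forward {
        # This host is not a router; nothing is forwarded.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound traffic is allowed; conntrack creates the flow entries
        # that let the replies back in through the input chain.
        type filter hook output priority 0; policy accept;
    }
}
```

Check it without loading with `nft -c -f ruleset.nft`, load it with `nft -f ruleset.nft`, and confirm with `nft list ruleset`. The point relevant to the thread is the single `ct state established,related accept` line: once replies are identified by the connection tracker rather than by protocol, there is no reason for a policy to single out TCP, and a rule that does so will silently drop DNS answers and ICMP errors while still letting crafted ACK segments through.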