Re: Why does Debian allow all incoming traffic by default
- Date: Sat, 22 Sep 2018 14:19:19 -0400
- From: Gene Heskett <gheskett@xxxxxxxxxxx>
- Subject: Re: Why does Debian allow all incoming traffic by default
On Saturday 22 September 2018 10:52:40 Pascal Hambourg wrote:
> Le 22/09/2018 à 13:31, Dan Ritter a écrit :
> > On Sat, Sep 22, 2018 at 12:55:24PM +0200, Pascal Hambourg wrote:
> >> I do not see how all this replies to my question:
> This comment was intended for Gene Heskett.
> >> Why should only TCP inbound responses be allowed ? What about
> >> UDP-based protocols, ping replies (ICMP echo reply), ICMP error
> >> messages, and so on ?
> > Given that my entire point was that no firewall policy other
> > than "configure it yourself" will work, it's really you missing
> > the point to expect me to describe a complete firewall policy tuned
> > to your desires.
> It does not matter what your entire point was, and I do not expect you
> to describe a complete firewall policy. *You* exposed a supposedly
> default firewall policy which I happened to find questionable, so I
> questioned it.
> You would not have exposed a broken firewall policy on purpose in
> order to prove your point, would you ?
The point I was trying to make is that in close to 2 decades of my
somewhat volatile home setup all on a 192.168.nn.nn address, and with
the exception in my sig being the only forward in the dd-wrt rules, and
apache2 is running in a sandbox to serve my web page, the only person to
gain access to this network and machine was given the username and
password to do so by me. My only problem has been someone else logging
into one of the wifi's, which are not bridged to this net, but to the
internet, and using up more bandwidth in a month than I do. Still under
my cap by quite a ways, but...
So, since I don't use the radios, ATM all the radios are turned off; they
aren't needed until one of my boys comes to visit with a smartphone and
needs net access.
Take it for what you think it's worth. It does work for me.
IMO, those without a reflashed router running dd-wrt or one of the
work-a-likes between their machines and the internet, running all their
machines on un-routable addresses, are a bit dumb, asking for trouble, and
it will find them sooner rather than later unless they've built their
Yes, there are $35 routers that can be updated to dd-wrt, I have such a
netgear. But dd-wrt has stuff there is not room for in the more memory
limited $35 model, 100% configurable port forwarding being on the
missing list, so the netgear has logged a couple weeks when the buffalo
Take care Pascal.
Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
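Pascal's question above (why allow only TCP inbound responses, and what about UDP replies, ICMP echo replies and ICMP error messages?) is answered by letting connection tracking decide rather than by listing protocols. The ruleset below is an added example and is not from anyone in this thread, nor is it a Debian default (Debian ships no firewall policy, which is what the thread is about); it assumes nftables, the framework Debian has used since buster, and the table and chain names are arbitrary. Loading it needs root (`nft -f <file>`).

```nftables
#!/usr/sbin/nft -f
# Added example: a stateful, default-deny inbound policy for a single host.
# Not from the thread and not a Debian default; table/chain names are assumed.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Traffic on the loopback interface is always allowed.
        iif "lo" accept

        # Replies to flows this host started. Conntrack tracks TCP by
        # handshake, UDP by 4-tuple and ICMP echo by id, so this single rule
        # admits TCP responses, UDP responses (DNS, NTP, ...) and ICMP echo
        # replies ("established"), plus ICMP/ICMPv6 error messages that refer
        # to a tracked flow, such as destination-unreachable, time-exceeded
        # and packet-too-big ("related").
        ct state established,related accept

        # Packets conntrack cannot associate with any flow, e.g. stray TCP
        # segments with no matching connection.
        ct state invalid drop

        # Unsolicited ICMP that a host still needs: echo requests so the box
        # can be pinged, and ICMPv6 neighbour/router discovery, without which
        # IPv6 does not work on the link at all.
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept

        # Services deliberately exposed go here, e.g. SSH from the LAN only:
        # ip saddr 192.168.0.0/16 tcp dport 22 accept
    }

    # A plain host should not route for anyone; a dd-wrt box in front of it
    # would carry the forwarding rules instead.
    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The point of the example is that a policy phrased as "allow only TCP inbound responses" would silently break DNS lookups, NTP, traceroute and path MTU discovery, whereas `ct state established,related` covers all of them because conntrack, not the protocol number, decides what counts as a response. Check it with `nft list ruleset` after loading and with `nft -c -f <file>` (parse only) before.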