
Re: Why does Debian allow all incoming traffic by default




On Saturday 22 September 2018 14:27:44 Dan Ritter wrote:

> On Sat, Sep 22, 2018 at 04:52:40PM +0200, Pascal Hambourg wrote:
> > Le 22/09/2018 à 13:31, Dan Ritter a écrit :
> > > On Sat, Sep 22, 2018 at 12:55:24PM +0200, Pascal Hambourg wrote:
> > > > I do not see how all this replies to my question:
> >
> > This comment was intended to Gene Heskett.
> >
> > > > Why should only TCP inbound responses be allowed ? What about
> > > > UDP-based protocols, ping replies (ICMP echo reply), ICMP error
> > > > messages, and so on ?
> > >
> > > Given that my entire point was that no firewall policy other
> > > than "configure it yourself" will work, it's really you missing
> > > the point to expect me to describe a complete firewall policy
> > > tuned to your desires.
> >
> > It does not matter what your entire point was, and I do not expect
> > you to describe a complete firewall policy. *You* exposed a
> > supposedly default firewall policy which I happened to find
> > questionable, so I questioned it.
>
> You should certainly find it questionable,
>
> > You would not have exposed a broken firewall policy on purpose in
> > order to prove your point, would you ?
>
> Wouldn't I?
>
> I am explicitly describing a firewall policy for the sake of
> argument, and in no way advocating it. In fact, the ENTIRE
> FREAKING POINT WHICH I HAVE MADE TWICE NOW is that I am *not*
> advocating it.
>
> Do not use this firewall policy. If Debian were to do the stupid
> thing of instituting a default firewall policy other than what
> it doesn't do now, I would hope for a several month long debate
> in debian-developers about what it should be.
>
> -dsr-

I would certainly hope so, AND give due consideration to just how big a 
headache any change means for the users.

Rant mode on

They have over the last two "upgrades" from wheezy to jessie and on to 
stretch, totally disabled any attempts to forward X to another machine, 
I suppose based on someone's idea of security, and my questions about 
fixing that pain in the arse, so it works once again, have been totally 
ignored.  They HAVE been asked, but never acknowledged with the courtesy 
of even a reply with a link to a tut.

We build (some buy) computers for us to use, and now if I want to edit 
gcode on another machine from a comfortable office chair, I am 
restricted to nano. Or going to that machine and standing at its 
operating position just to be able to use a decent editor.

That is not fun when one is 2 weeks short of his 84th, and has 2 crushed 
discs in his lower back limiting him to not more than an hour/day. It's 
very hard to concentrate on the code when your back is screaming at you.

But someone with the power to "make it so" hides behind the word 
security, never deigning to explain it where the user public gets to 
read it. There is something drastically wrong with that picture when we 
don't get a choice, or a say in it.

/rant

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
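The quoted exchange above asks why a default-deny policy should admit only TCP replies, and what happens to UDP answers, ICMP echo replies and ICMP error messages. In practice the answer is connection tracking: a stateful rule set admits the return traffic of any flow the host started, whatever the protocol. The ruleset below is an added illustration written for this page; it is not Debian's default (Debian ships none, as the thread says), nor anything the posters proposed. It assumes nftables, a single host (no forwarding), and that SSH is the only service to expose; those are choices made for the example.

```nft
#!/usr/sbin/nft -f
# Stateful default-deny input policy (example only, not a Debian default).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always accepted.
        iif "lo" accept

        # Return traffic for flows this host initiated. Conntrack tracks TCP,
        # UDP (DNS, NTP, ...) and ICMP echo, so UDP answers and ping replies
        # are accepted here, not only TCP. ICMP errors that refer to a tracked
        # flow arrive as "related" and are accepted here too.
        ct state established,related accept

        # Packets conntrack cannot classify (e.g. TCP without a known flow).
        ct state invalid drop

        # ICMP needed for path MTU discovery, traceroute and plain ping.
        ip protocol icmp icmp type {
            destination-unreachable, time-exceeded, parameter-problem, echo-request
        } accept

        # ICMPv6: same errors plus neighbour discovery, without which the
        # host cannot even resolve its IPv6 neighbours.
        ip6 nexthdr icmpv6 icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # Services deliberately exposed. Assumption for this example: SSH only.
        tcp dport 22 ct state new accept

        # Anything else falls through to the chain policy: drop.
    }

    chain forward {
        # This host is not a router.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound traffic is unrestricted; its replies are admitted by the
        # established,related rule in the input chain.
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` from a console session rather than over SSH, since `flush ruleset` briefly removes every rule, and confirm the result with `nft list ruleset`. A quick check that the policy does what the thread asks for: `dig` and `ping` from the host still get their answers while an unsolicited inbound UDP or TCP packet to any port other than 22 is dropped.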