
Re: firewalls



On 8/4/20, Dan Ritter <dsr@randomstring.org> wrote:
> mick crane wrote:
>> I've never really understood firewalls. I think the idea is that they
>> don't
>> let anything in that wasn't requested but if you go on a website there
>> are
>> so many hundreds of scripts looking at this and that who knows what
>> happens.
>
> I notice you didn't ask a question, but I'll answer it anyway.
>
> Near the bottom of the stack of networking is a link layer. For
> ethernet and related protocols, that means that there's an
> address for each interface -- ethernet calls it the MAC address.
>
> If you build a firewall to intercept at this level, you can stop
> traffic from specific local sources. That's it. There are
> situations where we do this -- layer 2 firewalling -- but they
> aren't very common.
>
> The next layer up, called layer 3, is IP addressing. IP
> connections involve IP addresses and IP subprotocols: UDP, TCP,
> and so forth. This is where most firewalls operate. An L3
> firewall usually starts with a generic directive to drop all
> traffic that it doesn't specifically allow, and then has a list
> of what to allow to each or all addresses being protected.
>
> So: you can stop all DNS traffic from Cloudflare, but you can't
> drop JavaScript embedded in a web page from Google.
>
> To do that, you need what is generically called an
> application-layer firewall, and those are usually set up on
> individual machines -- though they don't have to be -- and are
> frequently supplied with extensive, rapidly-updated block lists.
>
> Some of them you even run *inside* your web browser: uBlock
> Origin, for example. Highly recommended.
>
> -dsr-
>
> P.S. you may be wondering why the numbering goes 2, 3,
> "application". This is because:
>
> a) the OSI 7-layer model doesn't actually represent real
>    networks in this universe
> b) everything above layer 3 is kind of squishy
> c) most firewalls are actually reflecting the owner's policies
> in layers 8 and 9 of the 7-layer model: religion and politics.

Thanks a lot, Dan.

That was extremely educative (and beautiful).

If I can ask: what is the situation, in this respect, in a plain/straightforward
Debian (net)installation? Let's say: what is the default setting of the
system?

Regards
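Dan describes the usual shape of an L3 firewall: one directive that drops everything, followed by a list of what is allowed. As an added example (not from either poster, and not Debian's shipped configuration), the nftables ruleset below writes that policy out for a Debian host; the 192.168.1.0/24 management subnet and the SSH allow rule are assumptions to edit, and the output rule uses Cloudflare's public resolver 1.1.1.1 to illustrate the one thing Dan says L3 can do.

```nft
#!/usr/sbin/nft -f
# Default-deny host firewall: load with `nft -f <file>`, list with `nft list ruleset`.
flush ruleset

table inet filter {
    chain input {
        # "Drop all traffic not specifically allowed" is the chain policy.
        type filter hook input priority 0; policy drop;

        # Return traffic for connections this host started (the "requested" part).
        ct state established,related accept
        ct state invalid drop

        # Local processes talking to each other.
        iif "lo" accept

        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Allow list, one entry per service and source. Assumed: SSH from the LAN only.
        ip saddr 192.168.1.0/24 tcp dport 22 accept

        # Everything else falls through to the drop policy; log a rate-limited sample
        # so the drops are visible in the kernel log instead of silently vanishing.
        limit rate 5/minute counter log prefix "nft-input-drop: "
    }

    chain forward {
        # This host is not a router, so forwarding is refused outright.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound is permitted by default; the rule below shows an L3 decision
        # (address + port) of the kind Dan mentions: no DNS to Cloudflare's resolver.
        type filter hook output priority 0; policy accept;
        ip daddr 1.1.1.1 udp dport 53 counter drop
        ip daddr 1.1.1.1 tcp dport 53 counter drop
    }
}
```

Nothing here inspects the bytes inside an HTTP response, which is why the JavaScript case needs an application-layer tool such as the browser extension Dan recommends.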
