C'mon guys, you spend way too much time discussing packet filtering rules and programs for a machine which is hooked up via modem. Of course you can avoid things that "might happen" when dialed up or connected to some public wifi.

From my point of view: Leave it as it is! I'm far beyond the point where I "need" some bleeding edge Gentoo system on my laptop which is protected by some 80 line iptables setup. Nowadays I have Lubuntu w/o any packet filtering. And there is some public IPv6 in my private network.

You should rather worry if the announced gateway at the public library is the real one ;)

Kind regards
Lukas Th. Hey

Kommunales Rechenzentrum Minden-Ravensberg / Lippe
Tel.: 05261 / 252-363
E-Mail: l.hey@krz.de
http://www.krz.de

-----Original Message-----
From: Jérémie Marguerie [mailto:jeremie@marguerie.org]
Sent: Sunday, 8 December 2013 20:03
To: Riku Valli
Cc: Jordon Bedwell; Debian
Subject: Re: End-user laptop firewall available?

On Sun, Dec 8, 2013 at 9:56 AM, Riku Valli <riku.valli@vallit.fi> wrote:
> That's true, but if we are speaking about firewall rules. Every rule where
> source, destination or ports are any means at rule and firewall is
> most in cases a useless and this is true most in time a laptop/desktop.
>
> When somebody gains root access via a vulnerability and this kind of rule.
> He/she owns your host and firewall.
>
> Normal Debian installation uses only avahi/mdns port udp 5353. Others
> example cups listen only localhost, but most of users install sshd
> which isn't installed by default. Exim asks which kind of configuration, but
> default is listen only localhost. That is what tasksel offers at
> default installation.
>
> <sarcasm>
> If you don't trust your own host. I recommend use snort, aide,
> policykit or selinux or apparmor and audit at least with your firewall
> :) </sarcasm>

Security in depth is always useful. You'll always have risks of someone finding a way to go around the security you've put in place. You just want to make it as hard as possible in an adequate amount of time.

--
Jérémie MARGUERIE