
Re: firewall package for laptop wi-fi client



On Tue, 25 Jan 2011 21:58:02 +0000
Joe <joe@jretrading.com> wrote:

> On Tue, 25 Jan 2011 15:00:36 -0500
> Celejar <celejar@gmail.com> wrote:
> 
> > On Tue, 25 Jan 2011 12:51:15 +0000 (UTC)
> > Camaleón <noelamac@gmail.com> wrote:
> > 
> >> > 
> > > In this scenario, the "LAN" and the "WAN" are at the same "hostile"
> > > level and so both should be treated. Why should you accept
> > > incoming ssh traffic from the "hostile lan/wan"? I shouldn't...
> > > unless:
> > 
> > Exactly my point - that personal firewall 'profiles' are less useful
> > than they might appear at first blush, since you pretty much need to
> > treat all traffic, even 'local' traffic, as dangerous when behind a
> > NAT router.
> > 
> 
> A laptop will not normally be offering services, so a very basic

My laptop offers lots of services:

~# nmap localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-25 18:49 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000022s latency).
Hostname localhost resolves to 2 IPs. Only scanned 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
631/tcp  open  ipp
3128/tcp open  squid-http
9999/tcp open  abyss

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

[ssh, Exim, dnsmasq, CUPS, privoxy, approx]

although it can be argued that most of these are intended for use by
localhost only, so we can / should block all remote access to them.

> iptables setup should be adequate everywhere. I have a second profile
> which allows only DHCP, DNS and VPN packets out to the LAN, and once a
> VPN is established, DNS goes over it anyway and the default gateway
> switches to the VPN server.
> 
> This is pretty much equivalent to the Windows 'send all traffic via the
> remote server' option, and I use it both on foreign LANs and on mobile
> Internet if I need to do anything sensitive. If I just want email
> access, ssh into my server is enough, using the standard profile.
> 
> All the public wi-fi systems I've tried seem to block most protocols, so
> neither ssh nor VPN is possible, and I've given up trying them. Maybe
> I'm paranoid, but every time I read about some obscure, devious attack
> technique that I would never have believed possible, or exploitable
> software bug, I get that little bit more paranoid...
> 
> I use RADIUS/EAP-TLS at home, but I can see how that might not be
> practical in a pub or cafe.

Interesting, thanks.

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
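A concrete version of the profile Joe describes (only DHCP, DNS and the VPN handshake allowed out to the LAN, everything else dropped, and once the tunnel is up all traffic goes via it), combined with Celejar's point that localhost-only services should be unreachable from the network. This is an added example written for this archive page, not either poster's actual ruleset. The VPN server address, port, protocol and the tun0 interface name are placeholders; IPT defaults to iptables and can be set to `echo iptables` to preview the rules without root. IPv4 only: an ip6tables mirror (or a default-drop ip6tables policy) is needed as well, or IPv6 traffic bypasses all of this.

```shell
#!/bin/sh
# Added example: a "hostile LAN" laptop profile in the spirit of the thread.
# Not taken from the thread; server address/port/interface are placeholders.
IPT="${IPT:-iptables}"                 # set IPT="echo iptables" to preview
VPN_SERVER="${VPN_SERVER:-198.51.100.10}"   # placeholder (documentation range)
VPN_PORT="${VPN_PORT:-1194}"                # placeholder
VPN_PROTO="${VPN_PROTO:-udp}"               # placeholder
VPN_IF="${VPN_IF:-tun0}"                    # placeholder tunnel interface

hostile_profile() {
    # Start clean and default-deny in every direction. With OUTPUT DROP,
    # nothing leaves the box unless a rule below says so.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback stays open: ssh, smtp, dnsmasq, CUPS, privoxy, approx on
    # 127.0.0.1 remain usable locally while INPUT DROP hides them from the LAN.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host opened (no new inbound connections).
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DHCP client: request out (68 -> 67), lease back (67 -> 68).
    $IPT -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT  -p udp --sport 67 --dport 68 -j ACCEPT

    # DNS, needed at least to resolve the VPN server name.
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT

    # Only the VPN endpoint may be contacted directly on the physical network.
    $IPT -A OUTPUT -p "$VPN_PROTO" -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT

    # Once the tunnel is up, anything may go out through it; inbound on the
    # tunnel is still limited to replies, so no service is exposed over the VPN.
    $IPT -A OUTPUT -o "$VPN_IF" -j ACCEPT
    $IPT -A INPUT  -i "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Apply only when explicitly asked: sh hostile-profile.sh apply
if [ "${1:-}" = "apply" ]; then
    hostile_profile
fi
```

The ordering matters: the loopback and conntrack rules come first so that established flows are matched cheaply, and the outbound VPN rule is the only one that names a destination on the physical interface. After the VPN client sets the default route to the tunnel, everything else is forced through `tun0`; if the tunnel drops, the OUTPUT DROP policy means traffic fails rather than silently falling back to the untrusted LAN.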