Re: Why does Debian allow all incoming traffic by default

To: debian-user@lists.debian.org
Subject: Re: Why does Debian allow all incoming traffic by default
From: Roberto C. Sánchez <roberto@debian.org>
Date: Thu, 20 Sep 2018 23:44:04 -0400
Message-id: <[🔎] 20180921034404.epkm6ujvttyrbolx@connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-user@lists.debian.org
In-reply-to: <[🔎] a38e44fe-dd83-c06f-3c3e-49043cd8382f@gmail.com>
References: <[🔎] da96e6a3-ac34-8d4f-7784-4776e95aee5f@gmail.com> <[🔎] 20180921032131.b5ikrposbup7tmix@connexer.com> <[🔎] a38e44fe-dd83-c06f-3c3e-49043cd8382f@gmail.com>

On Fri, Sep 21, 2018 at 09:02:26AM +0530, Subhadip Ghosh wrote:
> Hi Roberto,
> 
> On Friday 21 September 2018 08:51 AM, Roberto C. Sánchez wrote:
> > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > Hi,
> > > 
> > > I am using Debian and the recently I learned that a standard Debian
> > > installation allows all 3 types of traffics especially incoming by default.
> > What do you mean by "all 3 types of traffics"?
> Incoming, Outgoing and Forward

I see.

Blocking incoming and forwarded traffic would probably not be surprising
to many people.  However, blocking outgoint traffic would be exceedingly
confusing to many people.

> > > I know I can easily use iptables to tighten the rules but I wanted to know
> > > the reasons behind the choice of this default behaviour and if it makes the
> > > system more vulnerable?
> > The behavior you observe is likely because that is the best default that is
> > universally applicable.
> But does it make the system more vulnerable in any way to attacks over the
> network? And how will a new Debian user would know of this behaviour? I
> don't even see it mentioned on the Stretch Installation manual anywhere.

I see.  Perhaps the Debian Administrator's Handbook, Chapter 14 is what
you are looking for:

https://www.debian.org/doc/manuals/debian-handbook/security.en.html

While there is possibly an argument that not configuring a firewall by
default introduces some vulnerability, it is equally valid to argue that
there are no sensible default firewall policies that can be put into
place without a defined threat model.

I suspect that the vast majority of people deploying systems are doing
so behind some sort of device that provides border security to the local
network (e.g., router/firewall/NAT/etc.).  So, if the default threat
model is "a relatively trusted network with adequate border security"
then the current default is appropriate.

Those who deploy systems directly to a location where they are in
immediate contact with the public Internet should already understand the
ramifications of that decision and tailor their installation process
accordingly.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Reply to:

Follow-Ups:
- Re: Why does Debian allow all incoming traffic by default
  - From: deloptes <deloptes@gmail.com>
- Re: Why does Debian allow all incoming traffic by default
  - From: Subhadip Ghosh <subhadip.sky@gmail.com>

References:
- Why does Debian allow all incoming traffic by default
  - From: Subhadip Ghosh <subhadip.sky@gmail.com>
- Re: Why does Debian allow all incoming traffic by default
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: Why does Debian allow all incoming traffic by default
  - From: Subhadip Ghosh <subhadip.sky@gmail.com>

Prev by Date: Re: Why does Debian allow all incoming traffic by default
Next by Date: Re: using a Windows 7 disk image with KVM?
Previous by thread: Re: Why does Debian allow all incoming traffic by default
Next by thread: Re: Why does Debian allow all incoming traffic by default
Index(es):
- Date
- Thread