Re: Why does Debian allow all incoming traffic by default
On Fri, Sep 21, 2018 at 09:02:26AM +0530, Subhadip Ghosh wrote:
> Hi Roberto,
>
> On Friday 21 September 2018 08:51 AM, Roberto C. Sánchez wrote:
> > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > Hi,
> > >
> > > I am using Debian and recently I learned that a standard Debian
> > > installation allows all 3 types of traffics especially incoming by default.
> > What do you mean by "all 3 types of traffics"?
> Incoming, Outgoing and Forward

I see.

Blocking incoming and forwarded traffic would probably not be surprising
to many people. However, blocking outgoing traffic would be exceedingly
confusing to many people.

> > > I know I can easily use iptables to tighten the rules but I wanted to know
> > > the reasons behind the choice of this default behaviour and if it makes the
> > > system more vulnerable?
> > The behavior you observe is likely because that is the best default that is
> > universally applicable.
> But does it make the system more vulnerable in any way to attacks over the
> network? And how would a new Debian user know of this behaviour? I
> don't even see it mentioned on the Stretch Installation manual anywhere.

I see. Perhaps the Debian Administrator's Handbook, Chapter 14 is what
you are looking for:

https://www.debian.org/doc/manuals/debian-handbook/security.en.html

While there is possibly an argument that not configuring a firewall by
default introduces some vulnerability, it is equally valid to argue that
there are no sensible default firewall policies that can be put into
place without a defined threat model.

I suspect that the vast majority of people deploying systems are doing
so behind some sort of device that provides border security to the local
network (e.g., router/firewall/NAT/etc.). So, if the default threat
model is "a relatively trusted network with adequate border security"
then the current default is appropriate.

Those who deploy systems directly to a location where they are in
immediate contact with the public Internet should already understand the
ramifications of that decision and tailor their installation process
accordingly.

Regards,
-Roberto
--
Roberto C. Sánchez
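
One way to check the state discussed in this thread, as an added example that is not part of the original message: the script reads `iptables -S` output and reports, for each of the three built-in filter chains (INPUT, FORWARD, OUTPUT), whether its default policy is ACCEPT with no rules behind it. The two sample rulesets, the function names and the status labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the built-in filter chains from `iptables -S` output.

# Constructed sample: what `iptables -S` prints when no rules are configured.
stock_ruleset() {
    printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' '-P OUTPUT ACCEPT'
}

# Constructed sample: incoming and forwarded traffic dropped, outgoing allowed.
tightened_ruleset() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

# Reads `iptables -S` lines on stdin and prints one status line per chain:
#   OPEN = policy ACCEPT and no rules, REVIEW = policy ACCEPT with rules,
#   RESTRICTED = any other policy, UNKNOWN = no -P line seen for the chain.
audit_policies() {
    awk '
        $1 == "-P" { policy[$2] = $3 }   # default policy of a chain
        $1 == "-A" { rules[$2]++ }       # count of rules appended to a chain
        END {
            n = split("INPUT FORWARD OUTPUT", chains, " ")
            for (i = 1; i <= n; i++) {
                c = chains[i]
                p = (c in policy) ? policy[c] : "UNKNOWN"
                r = rules[c] + 0
                s = (p == "UNKNOWN") ? p : ((p != "ACCEPT") ? "RESTRICTED" : (r ? "REVIEW" : "OPEN"))
                printf "%s policy=%s rules=%d status=%s\n", c, p, r, s
            }
        }'
}

# Exit status 0 only when neither INPUT nor FORWARD is OPEN or UNKNOWN.
inbound_filtered() {
    ! audit_policies | grep -Eq '^(INPUT|FORWARD) .*status=(OPEN|UNKNOWN)$'
}

stock_ruleset | audit_policies
```

On a live system, feed it the real ruleset with `iptables -S | audit_policies` as root.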