[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Why does Debian allow all incoming traffic by default

	Hi.

On Fri, Sep 21, 2018 at 07:14:03PM +0100, Brian wrote:
> On Fri 21 Sep 2018 at 19:25:22 +0300, Reco wrote:
> 
> > 	Hi.
> > 
> > On Fri, Sep 21, 2018 at 08:55:21AM -0400, Henning Follmann wrote:
> > > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > > Hi,
> > > > 
> > > > I am using Debian and the recently I learned that a standard Debian
> > > > installation allows all 3 types of traffics especially incoming by default.
> > > > I know I can easily use iptables to tighten the rules but I wanted to know
> > > > the reasons behind the choice of this default behaviour and if it makes the
> > > > system more vulnerable? I tried searching on the Internet but did not get
> > > > any satisfactory explanation. It will be helpful if anybody knows the
> > > > answers to my questions or can redirect me to a helpful document.
> > > > 
> > > 
> > > The answer is easy. Because Debian is awesome (TM). So are most other
> > > distributions.
> > 
> > Hear, hear.
> > 
> > > Run a netstat -t -l and you will see there is nothing listening. So what is
> > > the point of running a firewall?
> > 
> > The point is to be a good netizen, as always. By running any sane kind of
> > packet filter you're avoiding participating in TCP RST attack.
> 
> How do you do attack when (as Henning Follmann says) nothing is listening?

TCP RST attack requires exactly that. That, and an absence of a
firewall.

> There is no point with a standard Debian installation (which is what the
> OP inquired about). Debian is already a good netizen.

Good person makes a TCP connection to unprotected (as in - no firewall
interference) host. Since there's nothing on a host that does not listen
appropriate TCP port - host's kernel sends back TCP RST packet.
Good person's connection terminates, everyone's happy. That's how it
goes in your typical LAN.

Evil person makes a TCP connection to unprotected host, but forges
source IP. Host sends TCP RST to this forged IP, host acting as a
'reflector' to an attack. And being a bad netizen at the same time.

Evil person takes as many of such hosts as possible - and there goes
your old-fashioned RST DDOS.

I recall that you've stated that your servers do not run any kind of
packet filter. So, just in case - one cannot harm the reflector that
way.


So, in this regard Debian is imperfect, but at least they give you right
tools to solve the problem (iptables suite), and do not force braindead
firewall policies by default (like RHEL does).

Reco
Reply to: