On Saturday 22 September 2018 03:34:45 Pascal Hambourg wrote:
Le 21/09/2018 à 19:09, Dan Ritter a écrit :
Let's suppose Debian installs a basic firewall by default. How
basic? Let's say:
- outbound: permit
- forward: deny
- inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
response to an outbound packet
Why should unsolicited NTP, DHCP and DNS inbound packets be allowed ?
Because you can set an ntp corrected machine as a broadcaster
Why should only TCP inbound responses be allowed ? What about
UDP-based protocols, ping replies (ICMP echo reply), ICMP error
messages, and so on ?
I probably should have iptables running on all my machines, but in 15
years, only one person as gotten thru dd-wrt to this machine, and I had
to give him the login credentials, I needed help configuring something,
on a long since replaced fedora install. So there is no firewall
enabled on any of the machines here. And because everytime Andrew
Triggel sits down at a keyboard cifs dies, same for NFS, I've found that
ssh and sshfs as local networking tools Just Work, so I don't have to
putz near as much with access maintenance. No NFS shares, no sammba/cifs
shares. And life is so much simpler.
Computers should work for you, not the other way around, forcing you to
remember how to push 17 buttons just to answer an incoming email. This
message only required 1 button click and all this typing. Everything
else is handled automatically by scripts.