On 8/4/20, Dan Ritter <d...@randomstring.org> wrote:
> mick crane wrote:
>> I've never really understood firewalls. I think the idea is that they
>> don't let anything in that wasn't requested but if you go on a website
>> there are so many hundreds of scripts looking at this and that who
>> knows what happens.
>
> I notice you didn't ask a question, but I'll answer it anyway.
>
> Near the bottom of the stack of networking is a link layer. For
> ethernet and related protocols, that means that there's an
> address for each interface -- ethernet calls it the MAC address.
>
> If you build a firewall to intercept at this level, you can stop
> traffic from specific local sources. That's it. There are
> situations where we do this -- layer 2 firewalling -- but they
> aren't very common.
>
> The next layer up, called layer 3, is IP addressing. IP
> connections involve IP addresses and IP subprotocols: UDP, TCP,
> and so forth. This is where most firewalls operate. An L3
> firewall usually starts with a generic directive to drop all
> traffic that it doesn't specifically allow, and then has a list
> of what to allow to each or all addresses being protected.
>
> So: you can stop all DNS traffic from Cloudflare, but you can't
> drop JavaScript embedded in a web page from Google.
>
> To do that, you need what is generically called an
> application-layer firewall, and those are usually set up on
> individual machines -- though they don't have to be -- and are
> frequently supplied with extensive, rapidly-updated block lists.
>
> Some of them you even run *inside* your web browser: uBlock
> Origin, for example. Highly recommended.
>
> -dsr-
>
> P.S. you may be wondering why the numbering goes 2, 3,
> "application". This is because:
>
> a) the OSI 7-layer model doesn't actually represent real
>    networks in this universe
> b) everything above layer 3 is kind of squishy
> c) most firewalls are actually reflecting the owner's policies
>    in layers 8 and 9 of the 7-layer model: religion and politics.
Thanks a lot, Dan. That was extremely educative (and beautiful).

If I can ask: what is the situation, in this aspect, in a plain/straightforward Debian (net)installation? Let's say: what's the by-default setting of the system?

Regards
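As an added illustration of the layer-3 "drop everything, then list what to allow" firewall Dan describes (this ruleset is not part of the thread and is not Debian's own default configuration), here is a minimal default-deny host ruleset in nftables syntax, the kind of file a Debian host with the nftables package installed can load. The loopback name, the placeholder subnet 192.0.2.0/24 and SSH on port 22 as the single exposed service are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: a default-deny layer-3/4 host
# firewall. The policy on the input chain drops anything that no rule
# below explicitly accepts, which is the structure Dan describes.
# Assumptions: a single workstation, SSH (22/tcp) is the only service
# to expose, and the local LAN is 192.0.2.0/24 (a documentation
# address range, used here as a placeholder).

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Local traffic over the loopback interface is always allowed.
        iifname "lo" accept

        # Replies belonging to connections this host initiated
        # ("don't let anything in that wasn't requested").
        ct state established,related accept

        # Packets that fit no known connection are discarded early.
        ct state invalid drop

        # Diagnostic ICMP: ping, path-MTU, and IPv6 neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # The one exposed service, reachable only from the local subnet.
        ip saddr 192.0.2.0/24 tcp dport 22 accept

        # Anything else falls through to the drop policy; count and log
        # it first so the dropped traffic is visible in the kernel log.
        counter log prefix "nft-input-drop: " level info
    }

    chain forward {
        # This host does not route for others.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound traffic is unrestricted in this example.
        type filter hook output priority 0; policy accept;
    }
}
```

Check the syntax without loading it with `nft -c -f <file>`, load it with `nft -f <file>`, and inspect the active rules with `nft list ruleset`. Note what this ruleset cannot do, which is Dan's point: it decides on addresses, protocols and ports, so it can block a whole remote host or service, but it never looks inside an accepted HTTP connection and so cannot remove a script from a web page; that needs an application-layer filter such as a browser extension.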