On Tuesday, 15 July 2014 at 17:43 -0400, Justin Vallon wrote:
> I don't think turning off the firewall is a sane default.

I don't advise turning it off for everything. I am trying to find a good compromise.

> Your arguments based on "global addressability" are false because IPv4 can be
> globally addressable, if you want. You can get static ip addresses (or
> a subnet), turn off NAT, and turn off the firewall - every "internal"
> network device will be on the public internet.

Yes (even if I don't understand why you are talking about "static" addressing; it could work with DHCP the same), but you are talking about people who are able to be routed a public IPv4 prefix, which is very few people today, and will be almost nobody in the future because of IPv4 address space depletion. I assume almost every user of OpenWRT is a “home” user and I believe none of them are offered such a possibility by their ISP (well, I happen to have this possibility with my ISP, but it is a very tiny exception, and I don't even use it).

> You say: "A general principle is that a service should not be bound on
> a globally reachable address if it is not meant to be globally
> accessible." If my desktop is given an IPv6 address, are all of my
> services now globally addressable?

Yes.

> If yes, I have opened up all local
> services (oops).

Well, if you didn't want them to be accessible, you have many possibilities: bind it on some non-global address (LL, ULA), restrict it locally (/etc/hosts.deny when appropriate, custom configuration that limits access to some range, etc.), use some authentication, configure your firewall appropriately (on the targeted machine or on your router), …

The thing here is to find a _default_: you are imagining a case where every service should be blocked from outside access by default. But I would like my telephony programs, my P2P clients, my local daemons that I run for friends (local git repos, experimental web apps, …), my different servers that listen on different addresses, etc., to be accessible by default.

It seems to me that there are far more use cases for allowed access by default than forbidden access. The thing is, these use cases are not very common today because there is no equivalent in IPv4 (practically): you cannot have “accessible by default” in today's NATed IPv4.

> If no, do I need a "locally addressable" and "globally
> addressable" IPv6 space for each device & service, so that I can choose
> which services I consider internal (my printer, my smb share) vs
> external (my web server)?

Yes, this is one possibility. OpenWRT even has by default a ULA prefix configured for delegation on the local network! (BTW, there is a bug that makes it configure the /60 on the lan by default; I couldn't trace its origin.) Or you could use one of the means I listed, including configuring OpenWRT's firewall.

But what should be the default? Is your use case representative of what would be globally the right solution? Of course, a lot of people on this ML are thinking in terms of “I can configure my firewall myself”, but this is not the case for the casual users. And I think that in the end, there are far more casual users of OpenWRT than one thinks if you take into account people that will use your router to access the Internet: these are the ones that will be blocked from running whatever software they want.

> That is pushing the security problem to the
> "terminal" devices.

And this is exactly what the end-to-end argument is about!
http://en.wikipedia.org/wiki/End-to-end_principle

But I don't want to remove the possibility to secure your network at the edge; I just want to say that by default, we could block only a small portion of traffic and let the less security-problematic one flow. Everyone has the possibility to forbid some traffic at the edge by configuring their firewall.

By the way, when we talk about restricting the use of some port, we automatically forbid IPsec (RFC 4301 <http://tools.ietf.org/html/rfc4301>) and Mobile IPv6 (RFC 6275 <http://tools.ietf.org/html/rfc6275>), which are layer 3 protocols that don't bother about ports. It is a bit sad when we are forbidding some traffic for “security”.

> > I do not understand what the principle of least privilege has to do
> > here. “Forbidden by default” is not about privileges.
>
> Privilege here is the right to do something; with respect to networking:
> open a connection to any host, open a connection to a specific host,
> allow incoming connections from any host. Principle of least privilege
> means that you only allow what is required - default is to restrict, not
> allow. Privileges are granted where necessary, instead of taken away
> when abused.

Why would you immediately talk about abuses? When one is talking about connecting to someone, that means that your correspondent has allowed traffic to flow in. Was your correspondent abused? No, he willingly bound some software to some address, and offered a service. Should this “privilege” be granted only to a few? I don't think so.

This is one reason we have such an asymmetric Internet today: people are not “allowed” to run their software on their machine to be contacted by whoever they want. Instead, they have to rely on some intermediary that will offer them this possibility (think about all the HTTP kludges to get traffic to flow to you asynchronously). Of course, I am talking about something bigger than just the people who set up OpenWRT boxes, but as OpenWRT is a leader in what is done in home routers today, I think we should think bigger than only the community of routers' hackers.

> Here, incoming connections represent a security risk
> (hackers),

I don't see it that way. This is, as I already said, a very big presupposition that has a lot of consequences on how the Internet works. And hackers very well do their thing today without incoming connections allowed.

> and mitigation is that it becomes a privilege (to be
> earned).

This is the problem to me: every sysadmin thinks that people that use their network must “earn” some “privileges” to be able to receive connections. The myth that people will abide has been debunked so many times by so many technologies and architectures that work around it that it becomes sad.

> By default, incoming connections are not allowed, and uPNP
> (etc) is used to request (and grant) that privilege.

As has been shown many times <http://en.wikipedia.org/wiki/UPnP#Problems_with_UPnP>, using UPnP does not improve the situation much. The problem of binding or not to a global address (or using or not a restriction mechanism) translates to configuring or not UPnP: people not knowledgeable won't really understand and will run UPnP that will open the port on the firewall, so your firewall is “useless”. People that know could as well have blocked the service themselves. In the meantime, we will have PCP to bring the same functionality to IPv6, but we have to find some sane default anyway.

--
benjamin

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
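As an added illustration (not part of the thread, and not OpenWRT's shipped default), the following OpenWrt /etc/config/firewall fragment shows the kind of edge configuration the reply refers to: the wan zone keeps a REJECT default for unsolicited inbound IPv6, the port-less layer 3 protocols the reply mentions (IPsec ESP per RFC 4301, the Mobile IPv6 Mobility Header per RFC 6275) are admitted by protocol number rather than port, and a single lan host opts in to global reachability for one service. The zone names are the stock ones; the 2001:db8::/32 address is documentation space used as a placeholder for the delegated prefix.

```uci
# Added example (not from the thread): OpenWrt /etc/config/firewall fragment.
# Assumes stock 'lan'/'wan' zones; 2001:db8::/32 stands in for the delegated prefix.

config zone
	option name		wan
	option network		'wan wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT

# IPsec and Mobile IPv6 carry no ports, so a port-only rule set can
# never admit them; match on the IP protocol number instead.
config rule
	option name		Allow-IPsec-ESP-v6
	option src		wan
	option dest		lan
	option family		ipv6
	option proto		esp          # IP protocol 50 (RFC 4301)
	option target		ACCEPT

config rule
	option name		Allow-MIPv6-Mobility-Header
	option src		wan
	option dest		lan
	option family		ipv6
	option proto		135          # Mobility Header (RFC 6275)
	option target		ACCEPT

# IKE key exchange does use UDP, so it keeps an ordinary port rule.
config rule
	option name		Allow-ISAKMP-v6
	option src		wan
	option dest		lan
	option family		ipv6
	option proto		udp
	option dest_port	500
	option target		ACCEPT

# One host opts in to global reachability for one service (a git daemon,
# as in the post); every other lan host stays behind the zone's REJECT.
config rule
	option name		Allow-git-daemon-one-host
	option src		wan
	option dest		lan
	option family		ipv6
	option dest_ip		2001:db8:0:1::10   # placeholder host address
	option proto		tcp
	option dest_port	9418
	option target		ACCEPT
```

Whether such opt-in rules should be the shipped default or something a user adds is exactly the question the thread leaves open; the fragment only shows that a port-centric ruleset and a protocol-aware one are not the same thing.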
