Re: Why does Debian allow all incoming traffic by default

2018-09-27 Thread Pascal Hambourg

On 23/09/2018 at 10:41, Joe wrote:

> On Sat, 22 Sep 2018 17:07:59 +0200
> Pascal Hambourg  wrote:
>
> > PPTP does require specific NAT support for the GRE protocol.
> > Use case : two clients of the same PPTP server share the same public
> > IP address.
>
> It doesn't work, see below.

It can work if and only if the NAT device has specific support for PPTP.
The GRE header used by PPTP contains a "Call ID" field which acts as a
sort of destination port and can be used to associate the packet with an
existing PPTP session.

> The second
> person to make the attempt could not make contact until about two
> minutes after the first had disconnected.

Yes, until the GRE mapping created for the previous session has expired.

> > The server sends a GRE packet to the public IP address. How does the
> > NAT device know which client the packet must be forwarded to ?
>
> Because NAT requires the maintenance of a table of connections, with
> source and destination IP addresses, which is exactly what is required
> by both stateful firewalling and connection tracking. In this case, for
> the first GRE packet, it is connection tracking which uses the table
> data to route the packet to the machine with an existing TCP/1723
> connection from the same source address.

If the NAT layer has no specific support for PPTP, there is no
relationship between the TCP control connection and the GRE streams. If
the first GRE packet is sent by the PPTP server, it is just discarded by
the NAT box because no mapping exists yet. The first GRE packet sent by
a private client creates a NAT mapping which is used to forward
subsequent packets sent by the server.

> What you can't do with PPTP is make multiple connections between the
> same two NAT machines, for this same reason, because GRE doesn't have
> the means for being tied to one particular TCP/1723 path. It doesn't
> carry the same meta information as does the TCP protocol.

Actually it does, as I mentioned above. When establishing a session over
the TCP control connection, the client and server exchange "Call ID"
numbers which are present in the header of the GRE packets sent within
that session. The Call ID field can be used by NAT as a destination port.

AFAIK, Netfilter PPTP/GRE conntrack and NAT helper modules use it.
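An added example, not code from the thread or from Netfilter, that models the two NAT behaviours discussed above: an address-only NAT that can track GRE only per (public address, server) pair, and a NAT with a PPTP helper that learns each client's Call ID from the TCP/1723 control channel and uses it like a destination port, translating it on collision. The GRE header layout follows RFC 2637; the addresses and Call IDs are constructed.

```python
import struct
from typing import Dict, Optional, Tuple

GRE_PROTO_PPP = 0x880B      # protocol type: enhanced GRE carrying PPP (RFC 2637)
GRE_FLAG_K = 0x2000         # Key (payload length + Call ID) present, always for PPTP
GRE_FLAG_S = 0x1000         # sequence number present
GRE_FLAG_A = 0x0080         # acknowledgment number present
GRE_VERSION_MASK = 0x0007   # version 1 = enhanced GRE


def build_gre(call_id: int, payload: bytes, seq: Optional[int] = None) -> bytes:
    """Enhanced GRE packet: flags/version, protocol, payload length, Call ID,
    optional sequence number, then the PPP payload."""
    flags = GRE_FLAG_K | 1
    if seq is not None:
        flags |= GRE_FLAG_S
    header = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    return header + payload


def parse_gre(packet: bytes) -> Tuple[int, bytes]:
    """Validate an enhanced-GRE packet and return (call_id, payload)."""
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, plen, call_id = struct.unpack("!HHHH", packet[:8])
    if flags & GRE_VERSION_MASK != 1 or not flags & GRE_FLAG_K or proto != GRE_PROTO_PPP:
        raise ValueError("not enhanced GRE carrying PPP")
    hlen = 8 + (4 if flags & GRE_FLAG_S else 0) + (4 if flags & GRE_FLAG_A else 0)
    if len(packet) < hlen + plen:
        raise ValueError("payload length exceeds packet")
    return call_id, packet[hlen:hlen + plen]


def rewrite_call_id(packet: bytes, call_id: int) -> bytes:
    """Return the packet with its Call ID field (bytes 6-7) replaced."""
    return packet[:6] + struct.pack("!H", call_id) + packet[8:]


class NatBox:
    """Address-only NAT for GRE, optionally with a PPTP helper (simplified model)."""

    def __init__(self, pptp_helper: bool) -> None:
        self.pptp_helper = pptp_helper
        # helper mode: (server, Call ID as the server sees it) -> (client, client's own Call ID)
        self.calls: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # helper-less mode: server -> the single client whose GRE flow owns the mapping
        self.gre_owner: Dict[str, str] = {}

    def control_call(self, client: str, server: str, call_id: int) -> int:
        """The client's Outgoing-Call-Request on TCP/1723 carries the Call ID it chose.
        The helper records it, translating to a free value when another client already
        uses the same Call ID towards this server, exactly like a port in PAT."""
        if not self.pptp_helper:
            return call_id
        public_id = call_id
        while (server, public_id) in self.calls:
            public_id = (public_id + 1) & 0xFFFF
        self.calls[(server, public_id)] = (client, call_id)
        return public_id

    def outbound_gre(self, client: str, server: str, packet: bytes) -> Optional[bytes]:
        """GRE from a private client towards the server; None means dropped."""
        parse_gre(packet)
        if self.pptp_helper:
            return packet  # client->server packets carry the server's Call ID: untouched
        owner = self.gre_owner.setdefault(server, client)
        return packet if owner == client else None  # second client collides: dropped

    def inbound_gre(self, server: str, packet: bytes) -> Tuple[Optional[str], Optional[bytes]]:
        """GRE from the server to the public address: choose the private client."""
        call_id, _ = parse_gre(packet)
        if self.pptp_helper:
            entry = self.calls.get((server, call_id))
            if entry is None:
                return None, None
            client, private_id = entry
            return client, rewrite_call_id(packet, private_id)
        owner = self.gre_owner.get(server)
        return (owner, packet) if owner else (None, None)


def demo(pptp_helper: bool) -> dict:
    """Two private clients, one public address, one PPTP server (constructed addresses)."""
    nat = NatBox(pptp_helper)
    server, a, b = "203.0.113.5", "192.168.1.10", "192.168.1.11"
    a_pub = nat.control_call(a, server, 1)   # both clients happen to pick Call ID 1
    b_pub = nat.control_call(b, server, 1)
    first_to, _ = nat.inbound_gre(server, build_gre(a_pub, b"ppp"))  # server speaks first
    nat.outbound_gre(a, server, build_gre(0x1234, b"ppp"))
    b_out = nat.outbound_gre(b, server, build_gre(0x5678, b"ppp"))
    b_to, b_pkt = nat.inbound_gre(server, build_gre(b_pub, b"ppp", seq=1))
    return {
        "server_first_packet_to": first_to,
        "second_client_outbound_ok": b_out is not None,
        "second_client_inbound_to": b_to,
        "server_sees_call_id_for_b": b_pub,
        "second_client_sees_call_id": parse_gre(b_pkt)[0] if b_pkt else None,
    }


if __name__ == "__main__":
    print("with PPTP helper:", demo(True))
    print("without helper:  ", demo(False))
```

Without the helper the server's first packet is discarded, the second client's GRE flow collides with the first one's mapping, and packets meant for the second client are delivered to the first; with the helper each packet is matched by its Call ID and translated back.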



Re: Why does Debian allow all incoming traffic by default

2018-09-26 Thread Jonathan Dowland

On Wed, Sep 26, 2018 at 04:07:33PM +0100, Joe wrote:

> You're only moving the problem around. Some completely standard piece of
> code *somewhere* has to know what is the right place to insert such a
> rule. I'll give you an example: neither the beginning nor the end of my
> INPUT chain is the right place, because I do some catch-all stuff about
> RELATED and INVALID at the beginning of the chain, and some assorted
> logging at the end. I don't want anything placed before or after those
> parts. In fact, the right place for my server firewall isn't in the
> INPUT chain at all, but in one of a few custom chains.


Exactly, it would not be worth attempting to support meshing your setup
with the system I sketched out. This is exactly the situation where I'd
say you go it alone instead, exactly as you do now.


--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



Re: Why does Debian allow all incoming traffic by default

2018-09-26 Thread Joe
On Wed, 26 Sep 2018 14:39:41 +0100
Jonathan Dowland  wrote:

> On Mon, Sep 24, 2018 at 08:21:55PM +0100, Joe wrote:
> >And there you have the problem: it would be necessary for the
> >installation of certain packages (e.g. MTA) to automatically poke
> >holes in the firewall.  
> 
> We agree this far.
> 
> > For this to be practical, a completely standardised
> >iptables architecture would be necessary, with limited user
> >customisation. That's how Windows does it.  
> 
> This is where we disagree. What would be needed would be a standard
> interface for a package to say "open this port", that was implemented
> by the iptables (say) package by default, but, if you were writing a
> very DIY ruleset, you could override the iptables-package's
> implementation and provide one yourself (or ignore the package hooks
> if you wished).
> 
You're only moving the problem around. Some completely standard piece of
code *somewhere* has to know what is the right place to insert such a
rule. I'll give you an example: neither the beginning nor the end of my
INPUT chain is the right place, because I do some catch-all stuff about
RELATED and INVALID at the beginning of the chain, and some assorted
logging at the end. I don't want anything placed before or after those
parts. In fact, the right place for my server firewall isn't in the
INPUT chain at all, but in one of a few custom chains.

There could be a standard custom chain in which such rules were
inserted so that they all arrived at a place to suit the user, but my
point is that enough such hooks must be defined and honoured to cover
all reasonable use cases. This is a significant project, one which
involves all IP-aware packages, and I don't think there is *yet*
sufficient need to justify the resources to do it right.

-- 
Joe



Re: Why does Debian allow all incoming traffic by default

2018-09-26 Thread Jonathan Dowland

On Mon, Sep 24, 2018 at 03:27:51PM -0400, Henning Follmann wrote:

> And there are also reasons not to install by default one. And this is
> what the OP was about. The default is to not install listening
> services and thus no need for a firewall.

You must have misread or misunderstood my message, because the point I
was making was that the point of a firewall was not just to protect you
from the things you *know* are listening, but the scenarios I outline
where you have things happening you *don't* know about.

> Any default firewall would then force maintainers of packages to test
> for the default firewall and if present inject a default rule to make
> the service available. Otherwise you will have endless rants about
> "why is my ssh not working.." etc.


Yes, we'd need an inter-package scheme for opening service ports when
packages were installed (or services enabled, a subtle distinction). I
outline a high-level approach to that in my last email to this thread (a
reply to Joe).

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



Re: Why does Debian allow all incoming traffic by default

2018-09-26 Thread Jonathan Dowland

On Mon, Sep 24, 2018 at 08:21:55PM +0100, Joe wrote:

> And there you have the problem: it would be necessary for the
> installation of certain packages (e.g. MTA) to automatically poke holes
> in the firewall.

We agree this far.

> For this to be practical, a completely standardised
> iptables architecture would be necessary, with limited user
> customisation. That's how Windows does it.

This is where we disagree. What would be needed would be a standard
interface for a package to say "open this port", that was implemented by
the iptables (say) package by default, but, if you were writing a very
DIY ruleset, you could override the iptables-package's implementation
and provide one yourself (or ignore the package hooks if you wished).

> Fine for Brian, and others who use no firewall at the moment, not so
> good for anyone with an existing hand-made set of iptables rules. My
> netbook, for example, has three sets of rules which are selected
> according to the environment and whether a VPN is in use. My server has
> a set of rules appropriate to a network firewall plus VPN server, with
> suitable named chains and 'subroutine' structure. All of this would be
> swept away by a standard firewall structure, and would need to be
> rebuilt in conformance with the standard. Such a standard would have to
> encompass all possible use-cases, including multiple NICs and multiple
> VPN arrangements. Any volunteers?


The approach I outline above would mean you would have the choice of
reworking your configuration to work in harmony with the new
arrangement, or override and ignore it, and continue as you are.

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



Re: Why does Debian allow all incoming traffic by default

2018-09-24 Thread Henning Follmann
On Mon, Sep 24, 2018 at 07:39:59PM +0100, Jonathan Dowland wrote:
> On Fri, Sep 21, 2018 at 08:55:21AM -0400, Henning Follmann wrote:
> > Run a netstat -t -l and you will see there is nothing listening. So
> > what is the point of running a firewall?
> 
> There's plenty of reasons to run a firewall even if you think you are
> not running any services. You may be mistaken; a service may be started
> without your knowledge, either in error or as an unintended consequence
> of something you have done (install/run another piece of software); or,
> a third party may have acquired access to your machine in some way and
> attempted to run a backdoor process to listen for incoming connections.
> 
And there are also reasons not to install by default one. And this is what
the OP was about. The default is to not install listening services and thus
no need for a firewall. Any default firewall would then force
maintainers of packages to test for the default firewall and if present
inject a default rule to make the service available. Otherwise you will
have endless rants about "why is my ssh not working.." etc.

-H



-- 
Henning Follmann   | hfollm...@itcfollmann.com



Re: Why does Debian allow all incoming traffic by default

2018-09-24 Thread Joe
On Mon, 24 Sep 2018 19:52:39 +0100
Jonathan Dowland  wrote:

> On Sat, Sep 22, 2018 at 05:12:38AM -0400, Gene Heskett wrote:
> >Because you can set an ntp corrected machine as a broadcaster,
> >therefore reducing the load on the tier 2 servers such as debian
> >maintains by using their pool.debian.org or the tier 1 servers at
> >pool.ntp.org. That way I have 7 machines here, all synchronized to
> >the first or 2nd tier of time servers on the planet. This machine is
> >a slave to my router, it broadcasts to the other 6 machines, so I
> >have all synched and well within a millisecond.  
> 
> You certainly can, but is that really a use-case that a hypothetical
> default firewall should service? I don't think so. If you are setting
> such a thing up you should be expected to punch the requisite holes in
> the default firewall as part of that work.
> 

And there you have the problem: it would be necessary for the
installation of certain packages (e.g. MTA) to automatically poke holes
in the firewall. For this to be practical, a completely standardised
iptables architecture would be necessary, with limited user
customisation. That's how Windows does it. 

Fine for Brian, and others who use no firewall at the moment, not so
good for anyone with an existing hand-made set of iptables rules. My
netbook, for example, has three sets of rules which are selected
according to the environment and whether a VPN is in use. My server has
a set of rules appropriate to a network firewall plus VPN server, with
suitable named chains and 'subroutine' structure. All of this would be
swept away by a standard firewall structure, and would need to be
rebuilt in conformance with the standard. Such a standard would have to
encompass all possible use-cases, including multiple NICs and multiple
VPN arrangements. Any volunteers?

-- 
Joe



Re: Why does Debian allow all incoming traffic by default

2018-09-24 Thread Jonathan Dowland

On Sat, Sep 22, 2018 at 04:15:42PM -0400, Gene Heskett wrote:

> But someone with the power to "make it so" hides behind the word
> security, never deigning to explain it where the user public gets to
> read it. There is something drastically wrong with that picture when we
> don't get a choice, or a say in it.

Please assume good faith on the part of the developers who have made
whichever change it is that has broken the behaviour that you relied
upon in prior Debian releases, did so for well-defined reasons. It's
not fair to the developers, likely volunteers, to be described in
negative terms such as "hiding" and so on.

I don't know to where you have asked the questions that were totally
ignored in your words, but a reasonable place to do so would be this
very mailing list here. Please feel free to ask again.

> /rant


Indeed.

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



Re: Why does Debian allow all incoming traffic by default

2018-09-24 Thread Jonathan Dowland

On Sat, Sep 22, 2018 at 05:12:38AM -0400, Gene Heskett wrote:

> Because you can set an ntp corrected machine as a broadcaster, therefore
> reducing the load on the tier 2 servers such as debian maintains by
> using their pool.debian.org or the tier 1 servers at pool.ntp.org. That
> way I have 7 machines here, all synchronized to the first or 2nd tier of
> time servers on the planet. This machine is a slave to my router, it
> broadcasts to the other 6 machines, so I have all synched and well
> within a millisecond.


You certainly can, but is that really a use-case that a hypothetical
default firewall should service? I don't think so. If you are setting
such a thing up you should be expected to punch the requisite holes in
the default firewall as part of that work.

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



Re: Why does Debian allow all incoming traffic by default

2018-09-24 Thread Jonathan Dowland

On Fri, Sep 21, 2018 at 01:09:35PM -0400, Dan Ritter wrote:

> The basic reason is this: it makes sense.


Yours (and Roberto's) reasons are, I think, post-hoc rationalisations.

IMHO the real reason is nobody has successfully made the case and/or
implementation of a decent default firewall for Debian, not that there's
no case to be made.

It's probably a contentious enough decision that it would require some
bureaucratic machinery to determine whether the project, as a whole,
agreed that there should be one or not. But that hasn't happened yet (in
either direction)

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



Re: Why does Debian allow all incoming traffic by default

2018-09-24 Thread Jonathan Dowland

On Fri, Sep 21, 2018 at 06:04:59PM -0400, songbird wrote:

> whenever i install a new system i include ufw (a firewall
> program) just to catch any funny stuff that might try to
> come through.


Another vote for ufw from me. It's certainly easier for the simple
use-cases than raw iptables (and has some nicer properties), I think
it's also significantly nicer than firewall-cmd, a similar tool that
has a much worse UX for the simplest case.


--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



Re: Why does Debian allow all incoming traffic by default

2018-09-24 Thread Jonathan Dowland

On Fri, Sep 21, 2018 at 08:55:21AM -0400, Henning Follmann wrote:

> Run a netstat -t -l and you will see there is nothing listening. So
> what is the point of running a firewall?


There's plenty of reasons to run a firewall even if you think you are
not running any services. You may be mistaken; a service may be started
without your knowledge, either in error or as an unintended consequence
of something you have done (install/run another piece of software); or,
a third party may have acquired access to your machine in some way and
attempted to run a backdoor process to listen for incoming connections.


--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.
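An added example, not from the thread: the listing that netstat -t -l prints is read from /proc/net/tcp and /proc/net/tcp6, and this parser extracts the LISTEN sockets from that format and separates the ones a remote host can reach from loopback-only ones, which is the audit Jonathan's point calls for. The sample file contents are constructed, not captured from a real host; the function and field names are the example's own.

```python
import ipaddress
import socket
from typing import List, NamedTuple

TCP_LISTEN = 0x0A  # socket state value used in /proc/net/tcp and tcp6


class Listener(NamedTuple):
    addr: str
    port: int
    uid: int
    inode: int


def decode_addr(hexaddr: str) -> str:
    """Decode the kernel's hex address form as written on little-endian hosts:
    IPv4 is one little-endian 32-bit word, IPv6 is four little-endian 32-bit words."""
    raw = bytes.fromhex(hexaddr)
    if len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    if len(raw) == 16:
        words = b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4))
        return socket.inet_ntop(socket.AF_INET6, words)
    raise ValueError("unexpected address length")


def parse_proc_net_tcp(text: str) -> List[Listener]:
    """Return the sockets in LISTEN state from /proc/net/tcp or /proc/net/tcp6 text."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, uid, inode = fields[1], fields[3], fields[7], fields[9]
        if int(state, 16) != TCP_LISTEN:
            continue
        hexaddr, hexport = local.rsplit(":", 1)
        listeners.append(Listener(decode_addr(hexaddr), int(hexport, 16), int(uid), int(inode)))
    return listeners


def network_reachable(listeners: List[Listener]) -> List[Listener]:
    """Listeners not bound to a loopback address, i.e. reachable from the network.
    IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) are unwrapped before the check."""
    result = []
    for l in listeners:
        ip = ipaddress.ip_address(l.addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_loopback:
            result.append(l)
    return result


def audit(text4: str, text6: str) -> List[Listener]:
    """Everything listening, loopback included, in file order."""
    return parse_proc_net_tcp(text4) + parse_proc_net_tcp(text6)


def audit_live() -> List[Listener]:
    """Read the real files on a Linux host (empty text when a file is absent)."""
    texts = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                texts.append(f.read())
        except OSError:
            texts.append("")
    return audit(texts[0], texts[1])


# Constructed sample (not a real capture): sshd on 0.0.0.0:22 and :::22, cups on
# 127.0.0.1:631, an MTA on ::1:25, a database on ::ffff:127.0.0.1:3306, and one
# established outbound connection that must be ignored.
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18321 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18511 1 0000000000000000 100 0 0 10 0
   2: 0A00A8C0:8A3C 5DB8D822:01BB 01 00000000:00000000 02:00000A3C 00000000  1000        0 23411 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18322 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0019 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18600 1 0000000000000000 100 0 0 10 0
   2: 0000000000000000FFFF00000100007F:0CEA 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 19004 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for l in network_reachable(audit(SAMPLE_TCP4, SAMPLE_TCP6)):
        print(f"{l.addr}:{l.port} uid={l.uid} inode={l.inode}")
```

Replace audit(SAMPLE_TCP4, SAMPLE_TCP6) with audit_live() to run it against the host; the inode column lets the socket be tied back to a process via /proc/*/fd.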



Re: Why does Debian allow all incoming traffic by default

2018-09-24 Thread Gene Heskett
On Monday 24 September 2018 05:36:42 to...@tuxteam.de wrote:

> On Mon, Sep 24, 2018 at 04:52:21AM -0400, Gene Heskett wrote:
> > On Monday 24 September 2018 03:07:37 to...@tuxteam.de wrote:
>
> I fear my tales aren't half as exciting. After all, you have ~33%
> headstart on me :-)
>
True, but the life lesson is to remember the good times, they make the 
bad things that are also part of life, tolerable. I remember, but don't 
dwell at length, burying my first wife at age 34 in '68 from a stroke, 
and the loss of the 3 children she so enthusiastically gave me over the 
last 20 years, two different cancers and a mix of scotch and Kia. So 
there are good times, and bad times. Some let the bad times overpower 
them, and you can't do that for long and survive as a caring human 
being.

> Cheers
> -- t
Take care, Tomas.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: Why does Debian allow all incoming traffic by default

2018-09-24 Thread tomas

On Mon, Sep 24, 2018 at 04:52:21AM -0400, Gene Heskett wrote:
> On Monday 24 September 2018 03:07:37 to...@tuxteam.de wrote:

[...]

> And he said it with a straight face... LMAO. And remembering that
> still puts a grin on my face. I expect you, Tomas, could tell similar 
> tales.

:-)

I fear my tales aren't half as exciting. After all, you have ~33%
headstart on me :-)

Cheers
-- t



Re: Why does Debian allow all incoming traffic by default

2018-09-24 Thread Gene Heskett
On Monday 24 September 2018 03:07:37 to...@tuxteam.de wrote:

> On Sun, Sep 23, 2018 at 11:22:41PM -0400, Gene Heskett wrote:

Off topic...

> [...]
>
> > Naw, I load them by hand, no internet connection to my powder cache.
> > ;-)
>
> But hey, IoT, what could possibly go bang?

How about old meat in the pot? It's now on its 5th barrel, and is now just 
past a century old. And I'm always looking for the load that will put 10 
shots in one small, ragged hole.

> > I plainly have too many hobbies. ;-)
>
> Just combine them ;-)

Old meat in the pot is why I bought a 70 year old Sheldon lathe and cnc'd 
it. I needed to replace a rusty barrel that wasn't shooting at all 
accurately, chambered for the Ackley-06, with something a bit easier on 
the shoulder at the rifle range, a 6.5 Creedmoor.

There is a certain cachet to being able to say /I/ did it. It's just part 
of who I am.

I have become good enough at the electronic arts, and the mechanicals 
too, that I have occasionally claimed to be a joat. But generally, I 
leave those comments to people that have watched me work.

They've come up with some doozies a few times.

Couple of paramedics the insurance company sent around to see if I was 
breathing regularly before they'd issue a $50k life policy in 1977, 
asked to see my feet at the end of a sorta physical. I asked "what's my 
flat feet got to do with this?", "We heard you could walk on water, so 
we wanted to see if they were webbed."

And he said it with a straight face... LMAO. And remembering that
still puts a grin on my face. I expect you, Tomas, could tell similar 
tales.

> Cheers
> -- t

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: Why does Debian allow all incoming traffic by default

2018-09-24 Thread tomas
On Sun, Sep 23, 2018 at 11:22:41PM -0400, Gene Heskett wrote:

[...]

> Naw, I load them by hand, no internet connection to my powder cache. ;-)

But hey, IoT, what could possibly go bang?

> I plainly have too many hobbies. ;-) 

Just combine them ;-)

Cheers
-- t




Re: Why does Debian allow all incoming traffic by default

2018-09-23 Thread Gene Heskett
On Sunday 23 September 2018 23:13:43 Richard Hector wrote:

> On 23/09/18 6:19 AM, Gene Heskett wrote:
> > the exception in my sig being the only forward in the dd-wrt rules
>
> Remote access to your ammo box? Yikes :-)
>
> Richard

Naw, I load them by hand, no internet connection to my powder cache. ;-)

I plainly have too many hobbies. ;-) 

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: Why does Debian allow all incoming traffic by default

2018-09-23 Thread Richard Hector
On 23/09/18 6:19 AM, Gene Heskett wrote:
> the exception in my sig being the only forward in the dd-wrt rules

Remote access to your ammo box? Yikes :-)

Richard





Re: Why does Debian allow all incoming traffic by default

2018-09-23 Thread Brian
On Sun 23 Sep 2018 at 21:59:38 +0100, Joe wrote:

> On Sun, 23 Sep 2018 18:58:07 +0100
> Brian  wrote:
> 
> > On Sun 23 Sep 2018 at 00:05:58 +0100, mick crane wrote:
> > 
> > > On 2018-09-21 18:29, Subhadip Ghosh wrote:
> > > > > Debian is a Universal OS.  
> > > > 
> > > > I wouldn't say whatever you said, doesn't make sense. I wish there
> > > > were an easier way to know about it when I started using the OS,
> > > > something to warn me that I need to configure the firewall to
> > > > suit my needs. Maybe because I came from a different OS where the
> > > > defaults were stricter, my expectations about the defaults were
> > > > different. 
> > > 
> > > fell foul of this years ago. installed OS, naively went on IRC
> > > while looking about at what was installed.
> > > "oh, I seem to have ports open"
> > > 20 seconds later somebody took over my account"  
> > 
> > Tough.
> > 
> > > Rapidly pulls cable and reinstalls.  
> > 
> > And never used IRC again. :)
> > 
> > > Some sort of a warning during installation.
> > > "there is no firewall running, You should probably set up some
> > > rules"
> > > 
> > > would be helpful.  
> > 
> > The ordinary user's eyes would glaze over. The installation process is
> > ok as it is.
> > 
> 
> There are firewall applications which can produce fairly sensible
> defaults painlessly, towards which a hint might be made. If you need
> more control, learn iptables early, you will eventually anyway.

Such applications exist. They have never been part of a default
installation of Debian or ever mentioned. Deduce from that what
you will.

iptables is available. I've never needed to use it. The vast
majority of users won't need it either.

-- 
Brian.



Re: Why does Debian allow all incoming traffic by default

2018-09-23 Thread Joe
On Sun, 23 Sep 2018 18:58:07 +0100
Brian  wrote:

> On Sun 23 Sep 2018 at 00:05:58 +0100, mick crane wrote:
> 
> > On 2018-09-21 18:29, Subhadip Ghosh wrote:
> > > > Debian is a Universal OS.  
> > > 
> > > I wouldn't say whatever you said, doesn't make sense. I wish there
> > > were an easier way to know about it when I started using the OS,
> > > something to warn me that I need to configure the firewall to
> > > suit my needs. Maybe because I came from a different OS where the
> > > defaults were stricter, my expectations about the defaults were
> > > different. 
> > 
> > fell foul of this years ago. installed OS, naively went on IRC
> > while looking about at what was installed.
> > "oh, I seem to have ports open"
> > 20 seconds later somebody took over my account"  
> 
> Tough.
> 
> > Rapidly pulls cable and reinstalls.  
> 
> And never used IRC again. :)
> 
> > Some sort of a warning during installation.
> > "there is no firewall running, You should probably set up some
> > rules"
> > 
> > would be helpful.  
> 
> The ordinary user's eyes would glaze over. The installation process is
> ok as it is.
> 

There are firewall applications which can produce fairly sensible
defaults painlessly, towards which a hint might be made. If you need
more control, learn iptables early, you will eventually anyway.

-- 
Joe



Re: Why does Debian allow all incoming traffic by default

2018-09-23 Thread Brian
On Sun 23 Sep 2018 at 00:05:58 +0100, mick crane wrote:

> On 2018-09-21 18:29, Subhadip Ghosh wrote:
> > > Debian is a Universal OS.
> > 
> > I wouldn't say whatever you said, doesn't make sense. I wish there
> > were an easier way to know about it when I started using the OS,
> > something to warn me that I need to configure the firewall to suit my
> > needs. Maybe because I came from a different OS where the defaults
> > were stricter, my expectations about the defaults were different.
> > 
> 
> fell foul of this years ago. installed OS, naively went on IRC while looking
> about at what was installed.
> "oh, I seem to have ports open"
> 20 seconds later somebody took over my account"

Tough.

> Rapidly pulls cable and reinstalls.

And never used IRC again. :)

> Some sort of a warning during installation.
> "there is no firewall running, You should probably set up some rules"
> 
> would be helpful.

The ordinary user's eyes would glaze over. The installation process is
ok as it is.

-- 
Brian.



Re: Why does Debian allow all incoming traffic by default

2018-09-23 Thread Joe
On Sat, 22 Sep 2018 17:07:59 +0200
Pascal Hambourg  wrote:


> PPTP does require specific NAT support for the GRE protocol.
> Use case : two clients of the same PPTP server share the same public
> IP address.

It doesn't work, see below. And yes, I do know, it was a common
question on the MS Small Business Server Usenet group. The second
person to make the attempt could not make contact until about two
minutes after the first had disconnected.

> The server sends a GRE packet to the public IP address. How does the
> NAT device know which client the packet must be forwarded to ?
> 

Because NAT requires the maintenance of a table of connections, with
source and destination IP addresses, which is exactly what is required
by both stateful firewalling and connection tracking. In this case, for
the first GRE packet, it is connection tracking which uses the table
data to route the packet to the machine with an existing TCP/1723
connection from the same source address.

What you can't do with PPTP is make multiple connections between the
same two NAT machines, for this same reason, because GRE doesn't have
the means for being tied to one particular TCP/1723 path. It doesn't
carry the same meta information as does the TCP protocol. It is here
that IPSec is used, almost always between the network default gateways,
to avoid messy routing updates to workstations. FTP doesn't have this
problem, because its two paths are both TCP, and can be uniquely paired
by connection tracking.

There is provision in the PPTP protocol for multiple GRE connections to
be handled by one TCP/1723 control channel, but I'm not aware that this
has ever been implemented. That would still be a server-to-server
protocol, not a multiple-workstation-to-server one.

-- 
Joe



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread mick crane

On 2018-09-21 18:29, Subhadip Ghosh wrote:
> > Debian is a Universal OS.
>
> I wouldn't say whatever you said, doesn't make sense. I wish there
> were an easier way to know about it when I started using the OS,
> something to warn me that I need to configure the firewall to suit my
> needs. Maybe because I came from a different OS where the defaults
> were stricter, my expectations about the defaults were different.



fell foul of this years ago. installed OS, naively went on IRC while 
looking about at what was installed.

"oh, I seem to have ports open"
20 seconds later somebody took over my account"
Rapidly pulls cable and reinstalls.

Some sort of a warning during installation.
"there is no firewall running, You should probably set up some rules"

would be helpful.


mick


--
Key ID 4BFEBB31



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Simon Kengelbacher
On Saturday, 22.09.2018, 23:58 +0200, Pascal Hambourg wrote:
> On 22/09/2018 at 23:35, Simon Kengelbacher wrote:
> > On Saturday, 22.09.2018, 22:36 +0200, to...@tuxteam.de wrote:
> > > On Sat, Sep 22, 2018 at 04:15:42PM -0400, Gene Heskett wrote:
> > > 
> > > > They have over the last two "upgrades" from wheezy to jessie
> > > > and on
> > > > to
> > > > stretch, totally disabled any attempts to forward x to another
> > > > machine,
> > > 
> > > Just a tip: there's "ssh -X" or better "ssh -Y" for that. Perhaps
> > > it
> > > suits your needs...
> > 
> > In this case I would prefer sshfs as "ssh -X" can be somewhat laggy
> > when you don't have a fast connection.
> 
> sshfs to run a remote shell and X programs ?
> 

no, to edit the file on your local environment



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Pascal Hambourg

On 22/09/2018 at 23:35, Simon Kengelbacher wrote:

> On Saturday, 22.09.2018, 22:36 +0200, to...@tuxteam.de wrote:
>
> > On Sat, Sep 22, 2018 at 04:15:42PM -0400, Gene Heskett wrote:
> >
> > > They have over the last two "upgrades" from wheezy to jessie and on
> > > to
> > > stretch, totally disabled any attempts to forward x to another
> > > machine,
> >
> > Just a tip: there's "ssh -X" or better "ssh -Y" for that. Perhaps it
> > suits your needs...
>
> In this case I would prefer sshfs as "ssh -X" can be somewhat laggy
> when you don't have a fast connection.

sshfs to run a remote shell and X programs ?



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Pascal Hambourg

On 22/09/2018 at 20:27, Dan Ritter wrote:

> On Sat, Sep 22, 2018 at 04:52:40PM +0200, Pascal Hambourg wrote:
>
> > It does not matter what you entire point was, and I do not expect you to
> > describe a complete firewall policy. *You* exposed a supposedly default
> > firewall policy which I happened to find questionable, so I questioned it.
>
> You should certainly find it questionable,

Thanks for acknowledging it.

> > You would not have exposed a broken firewall policy on purpose in order to
> > prove your point, would you ?
>
> Wouldn't I?

I hope not.

> I am explicitly describing a firewall policy for the sake of
> argument, and in no way advocating it.

For the sake of argument, you should have described a sensible firewall 
policy or no one would have taken your point seriously. The policy you 
described was not sensible. Here is a common one which allows outbound 
"connections":

- accept outbound packets and related inbound replies
- deny other inbound packets



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Simon Kengelbacher
On Saturday, 22.09.2018, 22:36 +0200, to...@tuxteam.de wrote:
> On Sat, Sep 22, 2018 at 04:15:42PM -0400, Gene Heskett wrote:
> 
> [...]
> 
> > They have over the last two "upgrades" from wheezy to jessie and on
> > to 
> > stretch, totally disabled any attempts to forward x to another
> > machine, 
> 
> Just a tip: there's "ssh -X" or better "ssh -Y" for that. Perhaps it
> suits your needs...
> 
> Cheers
> -- tomás

In this case I would prefer sshfs as "ssh -X" can be somewhat laggy
when you don't have a fast connection. 



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Pascal Hambourg

On 22/09/2018 at 22:16, Stefan Monnier wrote:

> [...]
>
> > > > The benefit is that one cannot pinpoint the real attacker, of course.
> > > Isn't the same benefit provided by just forging the source address ?
> > If all the routers in the path play along... but then, they are all
> > broken.

This condition must also be true in Reco's scenario to send the forged 
packets to the reflectors.

> There's also the fact that all those RST packets can come from all over
> the place and they come from where they say they come.

How can the target tell the difference ? It will receive all packets 
from its internet router anyway.

> So they're a lot more difficult to block, compared to packets with
> a forged source address all coming from the same IP.

"packets with a forged source address all coming from the same IP" does 
not make any sense. Packets do not "come from an IP", they just have a 
(possibly forged) source address wherever they come from.




Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Gene Heskett
On Saturday 22 September 2018 16:36:15 to...@tuxteam.de wrote:

> On Sat, Sep 22, 2018 at 04:15:42PM -0400, Gene Heskett wrote:
>
> [...]
>
> > They have over the last two "upgrades" from wheezy to jessie and on
> > to stretch, totally disabled any attempts to forward x to another
> > machine,
>
> Just a tip: there's "ssh -X" or better "ssh -Y" for that. Perhaps it
> suits your needs...
>
> Cheers
> -- tomás

Been using -Y for years, Tomas, doesn't work for newer than wheezy.


-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread tomas

On Sat, Sep 22, 2018 at 04:15:42PM -0400, Gene Heskett wrote:

[...]

> They have over the last two "upgrades" from wheezy to jessie and on to 
> stretch, totally disabled any attempts to forward x to another machine, 

Just a tip: there's "ssh -X" or better "ssh -Y" for that. Perhaps it
suits your needs...

Cheers
-- tomás



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Stefan Monnier
> [...]
>> >The benefit is that one cannot pinpoint the real attacker, of course.
>> Isn't the same benefit provided by just forging the source address ?
> If all the routers in the path play along... but then, they are all
> broken.

There's also the fact that all those RST packets can come from all over
the place and they come from where they say they come.
So they're a lot more difficult to block, compared to packets with
a forged source address all coming from the same IP.


Stefan



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Gene Heskett
On Saturday 22 September 2018 14:27:44 Dan Ritter wrote:

> On Sat, Sep 22, 2018 at 04:52:40PM +0200, Pascal Hambourg wrote:
> > Le 22/09/2018 à 13:31, Dan Ritter a écrit :
> > > On Sat, Sep 22, 2018 at 12:55:24PM +0200, Pascal Hambourg wrote:
> > > > I do not see how all this replies to my question :
> >
> > This comment was intended to Gene Heskett.
> >
> > > > Why should only TCP inbound responses be allowed ? What about
> > > > UDP-based protocols, ping replies (ICMP echo reply), ICMP error
> > > > messages, and so on ?
> > >
> > > Given that my entire point was that no firewall policy other
> > > than "configure it yourself" will work, it's really you missing
> > > the point to expect me to describe a complete firewall policy
> > > tuned to your desires.
> >
> > It does not matter what your entire point was, and I do not expect
> > you to describe a complete firewall policy. *You* exposed a
> > supposedly default firewall policy which I happened to find
> > questionable, so I questioned it.
>
> You should certainly find it questionable,
>
> > You would not have exposed a broken firewall policy on purpose in
> > order to prove your point, would you ?
>
> Wouldn't I?
>
> I am explicitly describing a firewall policy for the sake of
> argument, and in no way advocating it. In fact, the ENTIRE
> FREAKING POINT WHICH I HAVE MADE TWICE NOW is that I am *not*
> advocating it.
>
> Do not use this firewall policy. If Debian were to do the stupid
> thing of instituting a default firewall policy other than what
> it doesn't do now, I would hope for a several month long debate
> in debian-developers about what it should be.
>
> -dsr-

I would certainly hope so, AND give due consideration to just how big a 
headache any change means for the users.

Rant mode on

They have over the last two "upgrades" from wheezy to jessie and on to 
stretch, totally disabled any attempts to forward x to another machine, 
I suppose based on someone's idea of security, and my questions about 
fixing that pain in the arse, so it works once again, have been totally 
ignored.  They HAVE been asked, but never acknowledged with the courtesy 
of even a reply with a link to a tut.

We build (some buy) computers for us to use, and now if I want to edit 
gcode on another machine from a comfortable office chair, I am 
restricted to nano. Or going to that machine and standing at its 
operating position just to be able to use a decent editor.

That is not fun when one is 2 weeks short of his 84th, and has 2 crushed 
discs in his lower back limiting me to not more than an hour/day. It's 
very hard to concentrate on the code when your back is screaming at you.

But someone with the power to "make it so" hides behind the word 
security, never deigning to explain it where the user public gets to 
read it. There is something drastically wrong with that picture when we 
don't get a choice, or a say in it.

/rant

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread tomas

On Sat, Sep 22, 2018 at 12:58:02PM +0200, Pascal Hambourg wrote:
> Le 22/09/2018 à 11:51, Reco a écrit :

[...]

> >The benefit is that one cannot pinpoint the real attacker, of course.
> 
> Isn't the same benefit provided by just forging the source address ?

If all the routers in the path play along... but then, they are all
broken.

Cheers
-- tomás



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Dan Ritter
On Sat, Sep 22, 2018 at 04:52:40PM +0200, Pascal Hambourg wrote:
> Le 22/09/2018 à 13:31, Dan Ritter a écrit :
> > On Sat, Sep 22, 2018 at 12:55:24PM +0200, Pascal Hambourg wrote:
> > > I do not see how all this replies to my question :
> 
> This comment was intended to Gene Heskett.
> 
> > > Why should only TCP inbound responses be allowed ? What about UDP-based
> > > protocols, ping replies (ICMP echo reply), ICMP error messages, and so on 
> > > ?
> > 
> > Given that my entire point was that no firewall policy other
> > than "configure it yourself" will work, it's really you missing
> > the point to expect me to describe a complete firewall policy tuned
> > to your desires.
> 
> It does not matter what your entire point was, and I do not expect you to
> describe a complete firewall policy. *You* exposed a supposedly default
> firewall policy which I happened to find questionable, so I questioned it.

You should certainly find it questionable, 
 
> You would not have exposed a broken firewall policy on purpose in order to
> prove your point, would you ?

Wouldn't I?

I am explicitly describing a firewall policy for the sake of
argument, and in no way advocating it. In fact, the ENTIRE
FREAKING POINT WHICH I HAVE MADE TWICE NOW is that I am *not* 
advocating it.

Do not use this firewall policy. If Debian were to do the stupid
thing of instituting a default firewall policy other than what
it doesn't do now, I would hope for a several month long debate
in debian-developers about what it should be.

-dsr-



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Gene Heskett
On Saturday 22 September 2018 10:52:40 Pascal Hambourg wrote:

> Le 22/09/2018 à 13:31, Dan Ritter a écrit :
> > On Sat, Sep 22, 2018 at 12:55:24PM +0200, Pascal Hambourg wrote:
> >> I do not see how all this replies to my question :
>
> This comment was intended to Gene Heskett.
>
> >> Why should only TCP inbound responses be allowed ? What about
> >> UDP-based protocols, ping replies (ICMP echo reply), ICMP error
> >> messages, and so on ?
> >
> > Given that my entire point was that no firewall policy other
> > than "configure it yourself" will work, it's really you missing
> > the point to expect me to describe a complete firewall policy tuned
> > to your desires.
>
> It does not matter what your entire point was, and I do not expect you
> to describe a complete firewall policy. *You* exposed a supposedly
> default firewall policy which I happened to find questionable, so I
> questioned it.
>
> You would not have exposed a broken firewall policy on purpose in
> order to prove your point, would you ?

The point I was trying to make is that in close to 2 decades of my 
somewhat volatile home setup all on a 192.168.nn.nn address, and with 
the exception in my sig being the only forward in the dd-wrt rules, and 
apache2 is running in a sandbox to serve my web page, the only person to 
gain access to this network and machine was given the username and 
password to do so by me. My only problem has been someone else logging 
into one of the wifi's, which are not bridged to this net, but to the 
internet, and using up more bandwidth in a month than I do.  Still under 
my cap by quite a ways, but...

So since I don't use the radios. ATM all the radios are turned off, they 
aren't needed until one of my boys comes to visit with a smartphone and 
needs net access.

Take it for what you think it's worth. It does work for me.

IMO, those without a reflashed router running dd-wrt or one of the 
work-a-likes between their machines and the internet, running all their 
machines on un-routable addresses, are a bit dumb, asking for trouble, and 
it will find them sooner rather than later unless they've built their 
own firewall.

Yes, there are $35 routers that can be updated to dd-wrt, I have such a 
netgear. But dd-wrt has stuff there is not room for in the more memory 
limited $35 model, 100% configurable port forwarding being on the 
missing list, so the netgear has logged a couple weeks when the buffalo 
got forgetful.

Take care Pascal.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Pascal Hambourg

Le 22/09/2018 à 13:11, Joe a écrit :

On Sat, 22 Sep 2018 10:38:52 +0200
Pascal Hambourg  wrote:


Le 22/09/2018 à 09:39, Joe a écrit :


Two layers of NAT work just fine, for anything but IPSec.


1) Even one single layer of NAT can cause trouble with other
applications than IPSec : FTP, SIP...


Yes, but one can reasonably expect NAT hardware to also deal with
tracking of multiple port/protocol communications. Pretty much the same
basic code does both jobs, as well as stateful firewalling.


Each complex protocol requires specific handling by both NAT and 
connection tracking. You can always work around the lack of connection 
tracking support with static firewall rules (at the cost of weaker 
security), but you cannot always work around the lack of NAT support 
with static NAT rules.



2) IPSec works through NAT, provided that you enable UDP
encapsulation aka NAT-T.


Yes, there's more to go wrong, though.


Like what ?


IPSec is commonly used to
provide pretty much fixed communication between organisations, so
terminating it on the Internet interface rather than on an internal
machine makes sense, as well as keeping it simple with just the public
IP addresses.


IPSec is also commonly used by organisations for remote access by 
travelling employees.



Other VPNs such as PPTP are more commonly used from
internal workstations. PPTP will pass through two* layers of NAT at
each end without special provision being made, apart from forwarding of
course.


PPTP does require specific NAT support for the GRE protocol.
Use case : two clients of the same PPTP server share the same public IP 
address.
The server sends a GRE packet to the public IP address. How does the NAT 
device know which client the packet must be forwarded to ?
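An added illustration of the problem raised in this post (example code, not something posted in the thread): PPTP data runs over GRE, which has no port numbers, but the enhanced GRE header defined by RFC 2637 carries a 16-bit Call ID that names the receiver's side of the call, so server-to-client packets carry the client's Call ID. A NAT box with no PPTP helper can only key GRE on the remote address and misdelivers the second client's traffic; a helper that learns each client's Call ID from the TCP/1723 control channel (assumed here to be already parsed and handed in), allocates a public Call ID unique per server and rewrites it on the way back can tell the two sessions apart even when both clients chose the same Call ID. Addresses and the PPP payload are constructed.

```python
import struct

GRE_PROTO_PPP = 0x880B  # PPP carried in GRE, as PPTP uses it (RFC 2637)

# Constructed addresses (documentation ranges), not real hosts.
SERVER = "198.51.100.9"
CLIENT_A, CLIENT_B = "10.0.0.2", "10.0.0.3"


def build_pptp_gre(call_id: int, payload: bytes, seq=None, ack=None) -> bytes:
    """Enhanced GRE header (RFC 2637): K bit set, version 1, key = payload length + Call ID.
    The Call ID is the receiver's, so server->client packets carry the client's Call ID."""
    b0 = 0x20 | (0x10 if seq is not None else 0)  # K (0x20) and S (0x10) bits
    b1 = 0x01 | (0x80 if ack is not None else 0)  # version 1 plus the A bit
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_call_id(pkt: bytes) -> int:
    b0, b1, proto, _plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if not (b0 & 0x20) or (b1 & 0x07) != 1 or proto != GRE_PROTO_PPP:
        raise ValueError("not a PPTP GRE packet")
    return call_id


def with_call_id(pkt: bytes, call_id: int) -> bytes:
    return pkt[:6] + struct.pack("!H", call_id) + pkt[8:]


class NaiveGreNat:
    """NAT with no PPTP helper: GRE has no ports, so the only usable key is the remote
    address, and the first client to talk to a server owns the mapping."""
    def __init__(self):
        self.table = {}

    def outbound(self, client_ip, server_ip):
        self.table.setdefault(server_ip, client_ip)

    def inbound(self, server_ip, gre):
        return self.table.get(server_ip)


class PptpAwareNat:
    """NAT with a PPTP helper: learns the client's Call ID from its Outgoing-Call-Request on
    TCP/1723 (assumed parsed elsewhere), hands out a public Call ID unique per server, and
    keys inbound GRE on (server, public Call ID)."""
    def __init__(self):
        self.table = {}  # (server_ip, public_call_id) -> (client_ip, private_call_id)
        self.next_public = 0x8000

    def learn_call(self, client_ip, server_ip, private_call_id) -> int:
        public = self.next_public
        self.next_public += 1
        self.table[(server_ip, public)] = (client_ip, private_call_id)
        return public  # the helper rewrites the control message so the server uses this value

    def inbound(self, server_ip, gre):
        client_ip, private = self.table[(server_ip, parse_call_id(gre))]
        return client_ip, with_call_id(gre, private)  # restore the Call ID the client expects


def demo() -> dict:
    ppp = b"\xff\x03\x00\x21" + b"\x45" * 16  # constructed PPP/IP payload, content irrelevant here
    naive, aware = NaiveGreNat(), PptpAwareNat()
    # Both clients independently picked Call ID 1 for their side, which is perfectly legal.
    pub_a = aware.learn_call(CLIENT_A, SERVER, 1)
    pub_b = aware.learn_call(CLIENT_B, SERVER, 1)
    naive.outbound(CLIENT_A, SERVER)
    naive.outbound(CLIENT_B, SERVER)
    # Behind the naive NAT the control channel passed untouched, so the server knows only Call ID 1.
    to_a_naive = to_b_naive = build_pptp_gre(1, ppp, seq=1)
    to_a = build_pptp_gre(pub_a, ppp, seq=1)
    to_b = build_pptp_gre(pub_b, ppp, seq=1)
    b_ip, b_pkt = aware.inbound(SERVER, to_b)
    return {
        "naive": (naive.inbound(SERVER, to_a_naive), naive.inbound(SERVER, to_b_naive)),
        "aware": (aware.inbound(SERVER, to_a)[0], b_ip),
        "restored_call_id_for_b": parse_call_id(b_pkt),
    }


if __name__ == "__main__":
    print(demo())
```

Without the helper both server-to-client packets land on CLIENT_A; with it each reaches its own client and gets its original Call ID back, which is exactly the "specific NAT support for GRE" the post asks about. The same helper also has to rewrite the Call IDs inside the TCP/1723 control messages, which this model leaves out.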




Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Pascal Hambourg

Le 22/09/2018 à 13:31, Dan Ritter a écrit :

On Sat, Sep 22, 2018 at 12:55:24PM +0200, Pascal Hambourg wrote:

I do not see how all this replies to my question :


This comment was intended to Gene Heskett.


Why should only TCP inbound responses be allowed ? What about UDP-based
protocols, ping replies (ICMP echo reply), ICMP error messages, and so on ?


Given that my entire point was that no firewall policy other
than "configure it yourself" will work, it's really you missing
the point to expect me to describe a complete firewall policy tuned
to your desires.


It does not matter what your entire point was, and I do not expect you to 
describe a complete firewall policy. *You* exposed a supposedly default 
firewall policy which I happened to find questionable, so I questioned it.


You would not have exposed a broken firewall policy on purpose in order 
to prove your point, would you ?




Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Pascal Hambourg

Le 22/09/2018 à 15:39, Dan Purgert a écrit :

Pascal Hambourg wrote:

Le 21/09/2018 à 19:09, Dan Ritter a écrit :


Let's suppose Debian installs a basic firewall by default. How
basic? Let's say:

  - outbound: permit
  - forward: deny
  - inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
response to an outbound packet


Why should unsolicited NTP, DHCP and DNS inbound packets be allowed ?


In my case, the box is running as a server for those protocols.


These services are not present *by default*. Dan Ritter talked about a 
basic firewall *by default*.



Why should only TCP inbound responses be allowed ? What about UDP-based
protocols, ping replies (ICMP echo reply), ICMP error messages, and so on ?


DNS is UDP (er, by default; though it can use TCP).  ICMP echo would
most likely fall under the "response to something outbound".


Dan Ritter did not mention "response to something outbound" but
"any *TCP* packet which is a response to an outbound packet".
ICMP echo is not TCP. I was questioning that TCP restriction.



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Dan Purgert
Pascal Hambourg wrote:
> Le 21/09/2018 à 19:09, Dan Ritter a écrit :
>> 
>> Let's suppose Debian installs a basic firewall by default. How
>> basic? Let's say:
>> 
>>  - outbound: permit
>>  - forward: deny
>>  - inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
>>response to an outbound packet
>
> Why should unsolicited NTP, DHCP and DNS inbound packets be allowed ?

In my case, the box is running as a server for those protocols.  Though,
Gene (or others) may do things differently.  NOTE - I only listen for
unsolicited requests on the LAN for those.

Only stuff on the internet is SSH and SMTP.
>
> Why should only TCP inbound responses be allowed ? What about UDP-based 
> protocols, ping replies (ICMP echo reply), ICMP error messages, and so on ?

DNS is UDP (er, by default; though it can use TCP).  ICMP echo would
most likely fall under the "response to something outbound".


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Dan Purgert
Reco wrote:
>   Hi.
>
> On Fri, Sep 21, 2018 at 09:59:40PM -, Dan Purgert wrote:
>> Reco wrote:
>> [...]
>> >> So this is why a wise guy buys an industrial pc for 200 US or wrt capable
>> >> router for 20-30 US installs linux and makes a good firewall then puts it
>> >> between ISP and his own network.
>> >
>> > That's one way of solving it as such measure only covers one's
>> > conventional household needs. Barely - as there's this guest Wi-Fi and
>> > that curious neighbour kid.
>> 
>> You don't firewall between your guest wifi and your trusted stuff?
>
> Personally I went as far as putting household Wi-Fi into distinct VLAN,
> and guest Wi-Fi into another one.
> The question is - can you expect that D-Link/ASUS/TPLink box to do it
> by default?

Actually with newer models that support "guest wifi", yes -- at least
insofar as between guests and "trusted".  Though not so much between the
wired and "trusted" wifi.



-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Dan Ritter
On Sat, Sep 22, 2018 at 12:55:24PM +0200, Pascal Hambourg wrote:
> I do not see how all this replies to my question :
> 
> Why should only TCP inbound responses be allowed ? What about UDP-based
> protocols, ping replies (ICMP echo reply), ICMP error messages, and so on ?

Given that my entire point was that no firewall policy other
than "configure it yourself" will work, it's really you missing
the point to expect me to describe a complete firewall policy tuned
to your desires.

-dsr-



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Reco
Hi.

On Sat, Sep 22, 2018 at 12:58:02PM +0200, Pascal Hambourg wrote:
> Le 22/09/2018 à 11:51, Reco a écrit :
> > 
> > On Sat, Sep 22, 2018 at 09:46:35AM +0200, Pascal Hambourg wrote:
> > > Le 21/09/2018 à 20:32, Reco a écrit :
> > > > 
> > > > Evil person makes a TCP connection to unprotected host, but forges
> > > > source IP. Host sends TCP RST to this forged IP, host acting as a
> > > > 'reflector' to an attack. And being a bad netizen at the same time.
> > > > 
> > > > Evil person takes as many of such hosts as possible - and there goes
> > > > your old-fashioned RST DDOS.
> > > 
> > > What is the attacker's benefit over just sending packets directly to the
> > > target with forged source addresses ?
> > 
> > The benefit is that one cannot pinpoint the real attacker, of course.
> 
> Isn't the same benefit provided by just forging the source address ?

Unsure. I only have theoretical knowledge of such attacks, never
performed one myself.
Defending against the thing - that's something I'm more versed with.

Reco



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Joe
On Sat, 22 Sep 2018 10:38:52 +0200
Pascal Hambourg  wrote:

> Le 22/09/2018 à 09:39, Joe a écrit :
> >
> > Two layers of NAT work just fine, for anything but IPSec.  
> 
> 1) Even one single layer of NAT can cause trouble with other 
> applications than IPSec : FTP, SIP...
> 

Yes, but one can reasonably expect NAT hardware to also deal with
tracking of multiple port/protocol communications. Pretty much the same
basic code does both jobs, as well as stateful firewalling. There's a
reason that NAT is implemented by iptables rules. Only IPSec ties in
the endpoint IP addresses as well.

> 2) IPSec works through NAT, provided that you enable UDP
> encapsulation aka NAT-T.
> 
Yes, there's more to go wrong, though. IPSec is commonly used to
provide pretty much fixed communication between organisations, so
terminating it on the Internet interface rather than on an internal
machine makes sense, as well as keeping it simple with just the public
IP addresses. Other VPNs such as PPTP are more commonly used from
internal workstations. PPTP will pass through two* layers of NAT at
each end without special provision being made, apart from forwarding of
course.

*Presumably unlimited layers, but I've actually done two at each end. I
don't like commenting on any communications method until I've made it
work myself. I've had a certain amount of trouble with IPSec, though to
be fair that was in the days when most router manufacturers were still
getting the hang of connection tracking. There was plenty of early NAT
router firmware which didn't even handle PPTP well.

-- 
Joe



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Pascal Hambourg

Le 22/09/2018 à 12:05, Henning Follmann a écrit :


If you send a TCP packet to a computer not listening it will send an ICMP
error back.


No, standard behaviour is to send a TCP RST back.
An ICMP error may be sent back for other protocols such as UDP.



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Pascal Hambourg

Le 22/09/2018 à 11:51, Reco a écrit :


On Sat, Sep 22, 2018 at 09:46:35AM +0200, Pascal Hambourg wrote:

Le 21/09/2018 à 20:32, Reco a écrit :


Evil person makes a TCP connection to unprotected host, but forges
source IP. Host sends TCP RST to this forged IP, host acting as a
'reflector' to an attack. And being a bad netizen at the same time.

Evil person takes as many of such hosts as possible - and there goes
your old-fashioned RST DDOS.


What is the attacker's benefit over just sending packets directly to the
target with forged source addresses ?


The benefit is that one cannot pinpoint the real attacker, of course.


Isn't the same benefit provided by just forging the source address ?



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Pascal Hambourg

Le 22/09/2018 à 11:12, Gene Heskett a écrit :

On Saturday 22 September 2018 03:34:45 Pascal Hambourg wrote:


Le 21/09/2018 à 19:09, Dan Ritter a écrit :

Let's suppose Debian installs a basic firewall by default. How
basic? Let's say:

  - outbound: permit
  - forward: deny
  - inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
response to an outbound packet


Why should unsolicited NTP, DHCP and DNS inbound packets be allowed ?


Because you can set an ntp corrected machine as a broadcaster


Does the client NTP daemon accept inbound broadcast messages from any 
source by default ? If so, this seems quite insecure to me and the 
firewall should not allow this by default. If not, it requires some 
configuration, and allowing inbound NTP broadcast from the broadcaster 
address only should be part of this configuration.



Why should only TCP inbound responses be allowed ? What about
UDP-based protocols, ping replies (ICMP echo reply), ICMP error
messages, and so on ?


I probably should have iptables running on all my machines, but in 15
years, only one person has gotten through dd-wrt to this machine, and I had
to give him the login credentials, I needed help configuring something,
on a long since replaced fedora install.  So there is no firewall
enabled on any of the machines here. And because every time Andrew
Triggel sits down at a keyboard cifs dies, same for NFS, I've found that
ssh and sshfs as local networking tools Just Work, so I don't have to
putz near as much with access maintenance. No NFS shares, no samba/cifs
shares.  And life is so much simpler.

Computers should work for you, not the other way around, forcing you to
remember how to push 17 buttons just to answer an incoming email.  This
message only required 1 button click and all this typing. Everything
else is handled automatically by scripts.


I do not see how all this replies to my question :

Why should only TCP inbound responses be allowed ? What about UDP-based 
protocols, ping replies (ICMP echo reply), ICMP error messages, and so on ?




Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Reco
Hi.

On Sat, Sep 22, 2018 at 06:05:01AM -0400, Henning Follmann wrote:
> On Fri, Sep 21, 2018 at 09:32:45PM +0300, Reco wrote:
> > Hi.
> > 
> > On Fri, Sep 21, 2018 at 07:14:03PM +0100, Brian wrote:
> > > On Fri 21 Sep 2018 at 19:25:22 +0300, Reco wrote:
> > > 
> > > > Hi.
> > > > 
> > > > On Fri, Sep 21, 2018 at 08:55:21AM -0400, Henning Follmann wrote:
> > > > > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > > > > Hi,
> > > > > > 
> > 
> > TCP RST attack requires exactly that. That, and an absence of a
> > firewall.
> > 
> > > There is no point with a standard Debian installation (which is what the
> > > OP inquired about). Debian is already a good netizen.
> > 
> > Good person makes a TCP connection to unprotected (as in - no firewall
> > interference) host. Since there's nothing on a host that does not listen
> > appropriate TCP port - host's kernel sends back TCP RST packet.
> > Good person's connection terminates, everyone's happy. That's how it
> > goes in your typical LAN.
> > 
> Sorry that is not how a RST attack works.
> You send a TCP packet to either or both ends where the RST flag is set by
> faking your address. This way most TCP implementations close the existing
> connection. The China firewall works that way. It is a kind of denial of
> service attack.

That's how it goes if you're in-between router.

> If you send a TCP packet to a computer not listening it will send an ICMP
> error back.

Does not work that way for me in a single L2 segment:

nmap -sT -p 23 

tcpdump -ni 

13:28:17.826101 IP 10.20.0.1.37928 > 10.20.110.23.23: Flags [S], seq ...269
13:28:17.826111 IP 10.20.110.23.23 > 10.20.0.1.37928: Flags [R.], seq 0, ack ...270

Can I have my ICMP packet please? I can generate those with iptables'
REJECT target, but I get TCP RST only with empty INPUT chain.


> > Evil person makes a TCP connection to unprotected host, but forges
> > source IP. Host sends TCP RST to this forged IP, host acting as a
> > 'reflector' to an attack. And being a bad netizen at the same time.
> > 
> > Evil person takes as many of such hosts as possible - and there goes
> > your old-fashioned RST DDOS.
> > 
> 
> No

Yes. Nobody does it anymore as there are numerous ways of traffic
amplification, but still 'yes'.


> > I recall that you've stated that your servers do not run any kind of
> > packet filter. So, just in case - one cannot harm the reflector that
> > way.
> > 
> 
> On those machines where I run a firewall, I use by default REJECT and not
> DROP. This also sends a ICMP back. In most cases this is desireable.

In a LAN that's definitely desirable. Helps with the troubleshooting and
stuff. Doing this in a WAN makes the host a bad netizen.


> If you
> drop the packet without error the TCP sender will just think the packet
> was lost and will resend the packet. So in most cases REJECT might be
> better than DROP anyway.

I stopped catering for the needs of clearly broken software years ago,
so DROP for WAN is the way.

Reco



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Henning Follmann
On Fri, Sep 21, 2018 at 09:32:45PM +0300, Reco wrote:
>   Hi.
> 
> On Fri, Sep 21, 2018 at 07:14:03PM +0100, Brian wrote:
> > On Fri 21 Sep 2018 at 19:25:22 +0300, Reco wrote:
> > 
> > >   Hi.
> > > 
> > > On Fri, Sep 21, 2018 at 08:55:21AM -0400, Henning Follmann wrote:
> > > > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > > > Hi,
> > > > > 
> 
> TCP RST attack requires exactly that. That, and an absence of a
> firewall.
> 
> > There is no point with a standard Debian installation (which is what the
> > OP inquired about). Debian is already a good netizen.
> 
> Good person makes a TCP connection to unprotected (as in - no firewall
> interference) host. Since there's nothing on a host that does not listen
> appropriate TCP port - host's kernel sends back TCP RST packet.
> Good person's connection terminates, everyone's happy. That's how it
> goes in your typical LAN.
> 
Sorry that is not how a RST attack works.
You send a TCP packet to either or both ends where the RST flag is set by
faking your address. This way most TCP implementations close the existing
connection. The China firewall works that way. It is a kind of denial of
service attack.

If you send a TCP packet to a computer not listening it will send an ICMP
error back.


> Evil person makes a TCP connection to unprotected host, but forges
> source IP. Host sends TCP RST to this forged IP, host acting as a
> 'reflector' to an attack. And being a bad netizen at the same time.
> 
> Evil person takes as many of such hosts as possible - and there goes
> your old-fashioned RST DDOS.
> 

No

> I recall that you've stated that your servers do not run any kind of
> packet filter. So, just in case - one cannot harm the reflector that
> way.
> 

On those machines where I run a firewall, I use by default REJECT and not
DROP. This also sends an ICMP back. In most cases this is desirable. If you
drop the packet without error the TCP sender will just think the packet
was lost and will resend the packet. So in most cases REJECT might be
better than DROP anyway.

> 
> So, in this regard Debian is imperfect, but at least they give you right
> tools to solve the problem (iptables suite), and do not force braindead
> firewall policies by default (like RHEL does).
> 
> Reco
> 

-H


-- 
Henning Follmann   | hfollm...@itcfollmann.com



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Reco
Hi.

On Sat, Sep 22, 2018 at 09:46:35AM +0200, Pascal Hambourg wrote:
> Le 21/09/2018 à 20:32, Reco a écrit :
> > 
> > Evil person makes a TCP connection to unprotected host, but forges
> > source IP. Host sends TCP RST to this forged IP, host acting as a
> > 'reflector' to an attack. And being a bad netizen at the same time.
> > 
> > Evil person takes as many of such hosts as possible - and there goes
> > your old-fashioned RST DDOS.
> 
> What is the attacker's benefit over just sending packets directly to the
> target with forged source addresses ?

The benefit is that one cannot pinpoint the real attacker, of course.

> Reflection attacks give a benefit for the attacker when the reflection
> provides some kind of amplification.

That I agree with. Classic TCP RST flood does not offer any
amplification, that's why this kind of attack has more historic than
practical nature.

Reco



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Gene Heskett
On Saturday 22 September 2018 03:34:45 Pascal Hambourg wrote:

> Le 21/09/2018 à 19:09, Dan Ritter a écrit :
> > Let's suppose Debian installs a basic firewall by default. How
> > basic? Let's say:
> >
> >  - outbound: permit
> >  - forward: deny
> >  - inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
> >response to an outbound packet
>
> Why should unsolicited NTP, DHCP and DNS inbound packets be allowed ?
>
Because you can set an ntp corrected machine as a broadcaster, therefore 
reducing the load on the tier 2 servers such as debian maintains by 
using their pool.debian.org or the tier 1 servers at pool.ntp.org. That 
way I have 7 machines here, all synchronized to the first or 2nd tier of 
time servers on the planet. This machine is a slave to my router, it 
broadcasts to the other 6 machines, so I have all synched and well 
within a millisecond.

One could use his main machine that way.
Some routers can also serve as servers, dd-wrt installed  on a Buffalo 
NetFinity can also do this. So it has become the broadcaster to all my 
NATted home network. I finally did that conversion last spring, cutting 
out the 2nd ntp request traffic.

> Why should only TCP inbound responses be allowed ? What about
> UDP-based protocols, ping replies (ICMP echo reply), ICMP error
> messages, and so on ?

I probably should have iptables running on all my machines, but in 15 
years, only one person has gotten through dd-wrt to this machine, and I had 
to give him the login credentials, I needed help configuring something, 
on a long since replaced fedora install.  So there is no firewall 
enabled on any of the machines here. And because every time Andrew 
Triggel sits down at a keyboard cifs dies, same for NFS, I've found that 
ssh and sshfs as local networking tools Just Work, so I don't have to 
putz near as much with access maintenance. No NFS shares, no samba/cifs 
shares.  And life is so much simpler.

Computers should work for you, not the other way around, forcing you to 
remember how to push 17 buttons just to answer an incoming email.  This 
message only required 1 button click and all this typing. Everything 
else is handled automatically by scripts.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Pascal Hambourg

On 22/09/2018 at 09:39, Joe wrote:

> Two layers of NAT work just fine, for anything but IPSec.

1) Even one single layer of NAT can cause trouble with other 
applications than IPSec : FTP, SIP...

2) IPSec works through NAT, provided that you enable UDP encapsulation 
aka NAT-T.




Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Pascal Hambourg

On 21/09/2018 at 20:32, Reco wrote:

> An evil person makes a TCP connection to an unprotected host, but forges the
> source IP. The host sends a TCP RST to this forged IP, the host acting as a
> 'reflector' for an attack. And being a bad netizen at the same time.
>
> The evil person takes as many such hosts as possible - and there goes
> your old-fashioned RST DDOS.

What is the attacker's benefit over just sending packets directly to the 
target with forged source addresses ?
Reflection attacks give a benefit for the attacker when the reflection 
provides some kind of amplification. One example is broadcast ping in a 
LAN : one single request packet triggers many reply packets. Another 
example is DNS amplification : a small DNS request triggers a much 
bigger DNS reply.
But a TCP RST attack does not provide any amplification, as one SYN packet 
triggers one RST packet of similar length.




Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Joe
On Fri, 21 Sep 2018 18:04:59 -0400
songbird  wrote:

> Subhadip Ghosh wrote:
> > Hi,
> >
> > I am using Debian and the recently I learned that a standard Debian 
> > installation allows all 3 types of traffics especially incoming by 
> > default. I know I can easily use iptables to tighten the rules but
> > I wanted to know the reasons behind the choice of this default
> > behaviour and if it makes the system more vulnerable? I tried
> > searching on the Internet but did not get any satisfactory
> > explanation. It will be helpful if anybody knows the answers to my
> > questions or can redirect me to a helpful document.  
> 
>   whenever i install a new system i include ufw (a firewall
> program) just to catch any funny stuff that might try to
> come through.
> 
>   the default settings seem to work well enough and i'm glad
> i don't have to relearn the terminology and rules for iptables.
> 
>   i'm sure a much better solution is to run a separate router
> as it's own layer of firewall may keep a lot of stuff out, 
> but as of yet i'm just not under attack enough to make it
> worth it.
> 

Better to do both. Two layers of NAT work just fine, for anything but
IPSec.

-- 
Joe



Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Pascal Hambourg

On 21/09/2018 at 19:09, Dan Ritter wrote:

> Let's suppose Debian installs a basic firewall by default. How
> basic? Let's say:
>
>  - outbound: permit
>  - forward: deny
>  - inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
>    response to an outbound packet

Why should unsolicited NTP, DHCP and DNS inbound packets be allowed ?

Why should only TCP inbound responses be allowed ? What about UDP-based 
protocols, ping replies (ICMP echo reply), ICMP error messages, and so on ?




Re: Why does Debian allow all incoming traffic by default

2018-09-22 Thread Reco
Hi.

On Fri, Sep 21, 2018 at 09:59:40PM -, Dan Purgert wrote:
> Reco wrote:
> > Hi.
> >
> > On Fri, Sep 21, 2018 at 11:18:36PM +0200, deloptes wrote:
> >> Reco wrote:
> >> 
> >> > So, in this regard Debian is imperfect, but at least they give you right
> >> > tools to solve the problem (iptables suite), and do not force braindead
> >> > firewall policies by default (like RHEL does).
> >> 
> >> So this is why a wise guy buys an industrial pc for 200 US or wrt capable
> >> router for 20-30 US installs linux and makes a good firewall then puts it
> >> between ISP and his own network.
> >
> > That's one way of solving it as such measure only covers one's
> > conventional household needs. Barely - as there's this guest Wi-Fi and
> > that curious neighbour kid.
> 
> You don't firewall between your guest wifi and your trusted stuff?

Personally I went as far as putting household Wi-Fi into a distinct VLAN,
and guest Wi-Fi into another one.
The question is - can you expect that D-Link/ASUS/TPLink box to do it by 
default?

Reco



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread songbird
Subhadip Ghosh wrote:
> Hi,
>
> I am using Debian and the recently I learned that a standard Debian 
> installation allows all 3 types of traffics especially incoming by 
> default. I know I can easily use iptables to tighten the rules but I 
> wanted to know the reasons behind the choice of this default behaviour 
> and if it makes the system more vulnerable? I tried searching on the 
> Internet but did not get any satisfactory explanation. It will be 
> helpful if anybody knows the answers to my questions or can redirect me 
> to a helpful document.

  whenever i install a new system i include ufw (a firewall
program) just to catch any funny stuff that might try to
come through.

  the default settings seem to work well enough and i'm glad
i don't have to relearn the terminology and rules for iptables.

  i'm sure a much better solution is to run a separate router
as it's own layer of firewall may keep a lot of stuff out, 
but as of yet i'm just not under attack enough to make it
worth it.


  songbird



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Dan Purgert
Reco wrote:
>   Hi.
>
> On Fri, Sep 21, 2018 at 11:18:36PM +0200, deloptes wrote:
>> Reco wrote:
>> 
>> > So, in this regard Debian is imperfect, but at least they give you right
>> > tools to solve the problem (iptables suite), and do not force braindead
>> > firewall policies by default (like RHEL does).
>> 
>> So this is why a wise guy buys an industrial pc for 200 US or wrt capable
>> router for 20-30 US installs linux and makes a good firewall then puts it
>> between ISP and his own network.
>
> That's one way of solving it as such measure only covers one's
> conventional household needs. Barely - as there's this guest Wi-Fi and
> that curious neighbour kid.

You don't firewall between your guest wifi and your trusted stuff?


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Reco
Hi.

On Fri, Sep 21, 2018 at 11:18:36PM +0200, deloptes wrote:
> Reco wrote:
> 
> > So, in this regard Debian is imperfect, but at least they give you right
> > tools to solve the problem (iptables suite), and do not force braindead
> > firewall policies by default (like RHEL does).
> 
> So this is why a wise guy buys an industrial pc for 200 US or wrt capable
> router for 20-30 US installs linux and makes a good firewall then puts it
> between ISP and his own network.

That's one way of solving it as such measure only covers one's
conventional household needs. Barely - as there's this guest Wi-Fi and
that curious neighbour kid.

There are laptops that are expected to connect to foreign LANs. And
foreign LANs can be expected to contain all kinds of hostilities.

There are hosting providers that provide you hardware, some OS
installation customized to their (unusual if not perversive) tastes and
all the Internet inbound access.

So, as I wrote - they give everyone the right tools, so anyone has it.
Using them is simple enough (some assembly required though), but as
others wrote in this thread - there are no sane defaults.

Reco



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread deloptes
Reco wrote:

> So, in this regard Debian is imperfect, but at least they give you right
> tools to solve the problem (iptables suite), and do not force braindead
> firewall policies by default (like RHEL does).

So this is why a wise guy buys an industrial pc for 200 US or wrt capable
router for 20-30 US installs linux and makes a good firewall then puts it
between ISP and his own network.




Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread David Wright
On Fri 21 Sep 2018 at 22:59:57 (+0530), Subhadip Ghosh wrote:
> 
> Hi Dan,
> > The basic reason is this: it makes sense.
> > 
> > Let's suppose Debian installs a basic firewall by default. How
> > basic? Let's say:
> > 
> >  - outbound: permit
> >  - forward: deny
> >  - inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
> >response to an outbound packet
> > 
> > Now, what should happen when a user installs an SSH daemon?
> > Should it automatically change the firewall? Of course,
> > otherwise everyone who installs SSH would discover that it
> > doesn't work.
> > 
> > How many packages now have to have scripts written to update the
> > firewall?
> > 
> > What happens when a user installs a multi-protocol daemon like
> > Dovecot? Does it automatically open POP, POP/S, IMAP and IMAP/S?
> > All of them? None of them?
> > 
> > There are an infinite number of questions to be asked, all of
> > which can be summarized as "please read the user's mind and find
> > out what they want". This is particularly difficult when the
> > user doesn't know what they want.
> > 
> > Remember, Debian isn't a laptop OS. Debian isn't a desktop OS.
> > Debian isn't a phone OS. Debian isn't a server OS. Debian isn't
> > a supercomputing OS. Debian isn't an embedded device OS.
> > 
> > Debian is a Universal OS.
> 
> I wouldn't say whatever you said, doesn't make sense. I wish there
> were an easier way to know about it when I started using the OS,
> something to warn me that I need to configure the firewall to suit my
> needs. Maybe because I came from a different OS where the defaults
> were stricter, my expectations about the defaults were different.

The naive user is not going to know what to make of this warning,
so it will be as useless as Proposition 65. If/when they learn what
a firewall is, they should probably turn their attention firstly to
their router and modem combination and their ISP (particularly if it
"owns" the said devices).

OTOH default packet filtering on Debian machines could lead to an
explosion of support queries. That probably suits commercial providers
as they can then charge for their responses. Here, it just increases
the list traffic.

But if you're serious, the normal way is to write a suitable paragraph
and submit it as a wishlist bug against the debian-installer. Then it
might be discussed by people more expert than me.

Cheers,
David.



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Brian
On Fri 21 Sep 2018 at 23:37:11 +0530, Subhadip Ghosh wrote:

> 
> > You mean the Windows warning "Your system is not protected"?
> > 
> > How mature should one be to know what it means to use the internet?
> > 
> > Where this message should come from?
> The last thing I want is a Windows like warning. I expected more like a line
> in the Installation manual warning about the default firewall configuration.

That's a fair enough comment. Perhaps an inquiry to -doc and/or -boot
might elicit some response.

-- 
Brian.



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Brian
On Fri 21 Sep 2018 at 21:32:45 +0300, Reco wrote:

>   Hi.
> 
> On Fri, Sep 21, 2018 at 07:14:03PM +0100, Brian wrote:
> > On Fri 21 Sep 2018 at 19:25:22 +0300, Reco wrote:
> > 
> > >   Hi.
> > > 
> > > On Fri, Sep 21, 2018 at 08:55:21AM -0400, Henning Follmann wrote:
> > > > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > > > Hi,
> > > > > 
> > > > > I am using Debian and the recently I learned that a standard Debian
> > > > > installation allows all 3 types of traffics especially incoming by 
> > > > > default.
> > > > > I know I can easily use iptables to tighten the rules but I wanted to 
> > > > > know
> > > > > the reasons behind the choice of this default behaviour and if it 
> > > > > makes the
> > > > > system more vulnerable? I tried searching on the Internet but did not 
> > > > > get
> > > > > any satisfactory explanation. It will be helpful if anybody knows the
> > > > > answers to my questions or can redirect me to a helpful document.
> > > > > 
> > > > 
> > > > The answer is easy. Because Debian is awesome (TM). So are most other
> > > > distributions.
> > > 
> > > Hear, hear.
> > > 
> > > > Run a netstat -t -l and you will see there is nothing listening. So 
> > > > what is
> > > > the point of running a firewall?
> > > 
> > > The point is to be a good netizen, as always. By running any sane kind of
> > > packet filter you're avoiding participating in a TCP RST attack.
> > 
> > How do you do attack when (as Henning Follmann says) nothing is listening?
> 
> TCP RST attack requires exactly that. That, and an absence of a
> firewall.

You have given much food for thought. Thank you.
> 
> > There is no point with a standard Debian installation (which is what the
> > OP inquired about). Debian is already a good netizen.
> 
> A good person makes a TCP connection to an unprotected (as in - no firewall
> interference) host. Since there's nothing on the host listening on the
> appropriate TCP port - the host's kernel sends back a TCP RST packet.
> The good person's connection terminates, everyone's happy. That's how it
> goes in your typical LAN.
> 
> An evil person makes a TCP connection to the unprotected host, but forges the
> source IP. The host sends a TCP RST to this forged IP, the host acting as a
> 'reflector' for an attack. And being a bad netizen at the same time.
> 
> The evil person takes as many such hosts as possible - and there goes
> your old-fashioned RST DDOS.
> 
> I recall that you've stated that your servers do not run any kind of
> packet filter. So, just in case - one cannot harm the reflector that
> way.

They don't. And, I still think the OP is fussing over nothing.

> So, in this regard Debian is imperfect, but at least they give you right
> tools to solve the problem (iptables suite), and do not force braindead
> firewall policies by default (like RHEL does).

If I used a packet filter I would want to base its use on some sensible.
Your post might help me to do it.

-- 
Brian. 



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Reco
Hi.

On Fri, Sep 21, 2018 at 07:14:03PM +0100, Brian wrote:
> On Fri 21 Sep 2018 at 19:25:22 +0300, Reco wrote:
> 
> > Hi.
> > 
> > On Fri, Sep 21, 2018 at 08:55:21AM -0400, Henning Follmann wrote:
> > > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > > Hi,
> > > > 
> > > > I am using Debian and the recently I learned that a standard Debian
> > > > installation allows all 3 types of traffics especially incoming by 
> > > > default.
> > > > I know I can easily use iptables to tighten the rules but I wanted to 
> > > > know
> > > > the reasons behind the choice of this default behaviour and if it makes 
> > > > the
> > > > system more vulnerable? I tried searching on the Internet but did not 
> > > > get
> > > > any satisfactory explanation. It will be helpful if anybody knows the
> > > > answers to my questions or can redirect me to a helpful document.
> > > > 
> > > 
> > > The answer is easy. Because Debian is awesome (TM). So are most other
> > > distributions.
> > 
> > Hear, hear.
> > 
> > > Run a netstat -t -l and you will see there is nothing listening. So what 
> > > is
> > > the point of running a firewall?
> > 
> > The point is to be a good netizen, as always. By running any sane kind of
> > packet filter you're avoiding participating in a TCP RST attack.
> 
> How do you do attack when (as Henning Follmann says) nothing is listening?

TCP RST attack requires exactly that. That, and an absence of a
firewall.

> There is no point with a standard Debian installation (which is what the
> OP inquired about). Debian is already a good netizen.

A good person makes a TCP connection to an unprotected (as in - no firewall
interference) host. Since there's nothing on the host listening on the
appropriate TCP port - the host's kernel sends back a TCP RST packet.
The good person's connection terminates, everyone's happy. That's how it
goes in your typical LAN.

An evil person makes a TCP connection to the unprotected host, but forges the
source IP. The host sends a TCP RST to this forged IP, the host acting as a
'reflector' for an attack. And being a bad netizen at the same time.

The evil person takes as many such hosts as possible - and there goes
your old-fashioned RST DDOS.

I recall that you've stated that your servers do not run any kind of
packet filter. So, just in case - one cannot harm the reflector that
way.


So, in this regard Debian is imperfect, but at least they give you right
tools to solve the problem (iptables suite), and do not force braindead
firewall policies by default (like RHEL does).

Reco



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Brian
On Fri 21 Sep 2018 at 19:25:22 +0300, Reco wrote:

>   Hi.
> 
> On Fri, Sep 21, 2018 at 08:55:21AM -0400, Henning Follmann wrote:
> > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > Hi,
> > > 
> > > I am using Debian and the recently I learned that a standard Debian
> > > installation allows all 3 types of traffics especially incoming by 
> > > default.
> > > I know I can easily use iptables to tighten the rules but I wanted to know
> > > the reasons behind the choice of this default behaviour and if it makes 
> > > the
> > > system more vulnerable? I tried searching on the Internet but did not get
> > > any satisfactory explanation. It will be helpful if anybody knows the
> > > answers to my questions or can redirect me to a helpful document.
> > > 
> > 
> > The answer is easy. Because Debian is awesome (TM). So are most other
> > distributions.
> 
> Hear, hear.
> 
> > Run a netstat -t -l and you will see there is nothing listening. So what is
> > the point of running a firewall?
> 
> The point is to be a good netizen, as always. By running any sane kind of
> packet filter you're avoiding participating in a TCP RST attack.

How do you do attack when (as Henning Follmann says) nothing is listening?
There is no point with a standard Debian installation (which is what the
OP inquired about). Debian is already a good netizen.

-- 
Brian.



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Subhadip Ghosh




> You mean the Windows warning "Your system is not protected"?
>
> How mature should one be to know what it means to use the internet?
>
> Where this message should come from?

The last thing I want is a Windows like warning. I expected more like a 
line in the Installation manual warning about the default firewall 
configuration.

> Imagine I install 450MB debian as my firewall or server - no gui, or I
> install debian with arbitrary desktop - who is going to do the warning.
> If it is the installer, what should happen next - should I install something
> or not and even if I install it and then I decide to use a different
> solution - who is going to manage it?
>
> It overcomplicates things.
>
> I personally would be also glad to have some kind of handy firewall.

There is a firewall program that comes installed by default in Debian. 
It's called iptables.




Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread deloptes
Subhadip Ghosh wrote:

> something to
> warn me that I need to configure the firewall to suit my needs.

You mean the Windows warning "Your system is not protected"?

How mature should one be to know what it means to use the internet?

Where this message should come from?

Imagine I install 450MB debian as my firewall or server - no gui, or I
install debian with arbitrary desktop - who is going to do the warning.
If it is the installer, what should happen next - should I install something
or not and even if I install it and then I decide to use a different
solution - who is going to manage it?

It overcomplicates things.

I personally would be also glad to have some kind of handy firewall.

regards



netstat (was: Re: Why does Debian allow all incoming traffic by default)

2018-09-21 Thread rhkramer
On Friday, September 21, 2018 08:55:21 AM Henning Follmann wrote:
> Run a netstat -t -l and you will see there is nothing listening. So what is
> the point of running a firewall?

I'm not the OP, but I decided to play along and run:


root@s19:~# netstat -t -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 *:microsoft-ds          *:*                     LISTEN
tcp        0      0 *:netbios-ssn           *:*                     LISTEN
tcp        0      0 *:53647                 *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN


(This on my wheezy system.)

What is that telling me, and should I be worried.


> By default no services (ipp might be the one exception) are running and
> listening. So that's your security, just don't run what you don't need.
> 
> 
> -H

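As an added example (my own, not part of rhkramer's or Henning Follmann's posts), here is a small POSIX shell/awk helper that reads `netstat -t -l` output and separates the sockets bound only to loopback from those bound on every interface, which is the distinction that answers "should I be worried" above. The sample listing is reconstructed from the one posted above with its column spacing restored; the function and variable names are mine.

```shell
#!/bin/sh
# Added example: classify the listeners in "netstat -t -l" output by bind
# address so the sockets reachable from the network stand out from the
# loopback-only ones. Usage: netstat -t -l | sh -c '. ./listeners.sh; classify_listeners'

# Sample input constructed from the listing posted in the thread.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 *:microsoft-ds          *:*                     LISTEN
tcp        0      0 *:netbios-ssn           *:*                     LISTEN
tcp        0      0 *:53647                 *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN'

# Print "scope<TAB>address<TAB>port" for every LISTEN line read on stdin.
# scope is "loopback" for localhost/127.x/::1 binds, "all" for the wildcard
# binds (*, 0.0.0.0, :: as printed by netstat) and "specific" otherwise.
classify_listeners() {
    awk '$NF == "LISTEN" {
        n = split($4, parts, ":")                 # local address is column 4
        port = parts[n]                           # last component is the port
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "localhost" || addr ~ /^127\./ || addr == "::1" || addr == "ip6-localhost")
            scope = "loopback"
        else if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == ":::")
            scope = "all"
        else
            scope = "specific"
        printf "%s\t%s\t%s\n", scope, addr, port
    }'
}

# Only the ports bound on every interface, space separated, in input order.
network_reachable_ports() {
    classify_listeners | awk -F'\t' '$1 == "all" { printf "%s%s", sep, $3; sep = " " } END { print "" }'
}
```

On the sample, `network_reachable_ports` reports microsoft-ds, netbios-ssn, 53647 and sunrpc: the first two are the Samba ports (tcp/445 and tcp/139 in /etc/services), sunrpc is the portmapper on tcp/111 that Reco mentions elsewhere in the thread, and 53647 is a dynamic port that is most likely an RPC service registered with the portmapper (`rpcinfo -p` lists them). smtp and ipp are bound to localhost only and are not reachable from the network regardless of firewall rules. On current systems `ss -tln` gives the same information with numeric ports; the awk column positions above are for netstat's layout.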


Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Subhadip Ghosh

Hi Roberto,

> Blocking incoming and forwarded traffic would probably not be surprising
> to many people.  However, blocking outgoing traffic would be exceedingly
> confusing to many people.

Yep. Totally agreed.

> https://www.debian.org/doc/manuals/debian-handbook/security.en.html

Thanks.

> While there is possibly an argument that not configuring a firewall by
> default introduces some vulnerability, it is equally valid to argue that
> there are no sensible default firewall policies that can be put into
> place without a defined threat model.
>
> I suspect that the vast majority of people deploying systems are doing
> so behind some sort of device that provides border security to the local
> network (e.g., router/firewall/NAT/etc.).  So, if the default threat
> model is "a relatively trusted network with adequate border security"
> then the current default is appropriate.
>
> Those who deploy systems directly to a location where they are in
> immediate contact with the public Internet should already understand the
> ramifications of that decision and tailor their installation process
> accordingly.


I don't disagree.

Thanks,
Subhadip



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Subhadip Ghosh



Hi Dan,

> The basic reason is this: it makes sense.
>
> Let's suppose Debian installs a basic firewall by default. How
> basic? Let's say:
>
>  - outbound: permit
>  - forward: deny
>  - inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
>    response to an outbound packet
>
> Now, what should happen when a user installs an SSH daemon?
> Should it automatically change the firewall? Of course,
> otherwise everyone who installs SSH would discover that it
> doesn't work.
>
> How many packages now have to have scripts written to update the
> firewall?
>
> What happens when a user installs a multi-protocol daemon like
> Dovecot? Does it automatically open POP, POP/S, IMAP and IMAP/S?
> All of them? None of them?
>
> There are an infinite number of questions to be asked, all of
> which can be summarized as "please read the user's mind and find
> out what they want". This is particularly difficult when the
> user doesn't know what they want.
>
> Remember, Debian isn't a laptop OS. Debian isn't a desktop OS.
> Debian isn't a phone OS. Debian isn't a server OS. Debian isn't
> a supercomputing OS. Debian isn't an embedded device OS.
>
> Debian is a Universal OS.


I wouldn't say whatever you said, doesn't make sense. I wish there were 
an easier way to know about it when I started using the OS, something to 
warn me that I need to configure the firewall to suit my needs. Maybe 
because I came from a different OS where the defaults were stricter, my 
expectations about the defaults were different.


Thanks,
Subhadip




Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Subhadip Ghosh

Hi Pablo,

On 21/09/18 9:50 PM, Pablo Álvarez Córdoba wrote:

> I do not know, but:
> - By default there are no services listening (except in 127.0.0.1)
> - A server is usually behind a router/firewall
> - It is better that each user configure their system as they want, 
> instead of having default values. Although it would be nice if the 
> installer warns you that by default iptables does not have any rules.

Exactly my point. I don't mind configuring the firewall for myself but I 
do like to be warned about the defaults when the default policies are 
not very strict.


Thanks,
Subhadip



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Dan Ritter
On Fri, Sep 21, 2018 at 09:02:26AM +0530, Subhadip Ghosh wrote:
> Hi Roberto,
> 
> On Friday 21 September 2018 08:51 AM, Roberto C. Sánchez wrote:
> > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > Hi,
> > > 
> > > I am using Debian and the recently I learned that a standard Debian
> > > installation allows all 3 types of traffics especially incoming by 
> > > default.
> > What do you mean by "all 3 types of traffics"?
> Incoming, Outgoing and Forward
> > > I know I can easily use iptables to tighten the rules but I wanted to know
> > > the reasons behind the choice of this default behaviour and if it makes 
> > > the
> > > system more vulnerable?
> > The behavior you observe is likely because that is the best default that is
> > universally applicable.
> But does it make the system more vulnerable in any way to attacks over the
> network? And how would a new Debian user know of this behaviour? I
> don't even see it mentioned on the Stretch Installation manual anywhere.
> > 
> > > I tried searching on the Internet but did not get
> > > any satisfactory explanation. It will be helpful if anybody knows the
> > > answers to my questions or can redirect me to a helpful document.
> > > 
> > Where did you search or what terms did you use?
> Search engines (Google and Duckduckgo). Search terms were similar to the
> email subject line. I also read the wiki on Debian Firewall where it says
> about the choice of defaults but not the reasons.

The basic reason is this: it makes sense.

Let's suppose Debian installs a basic firewall by default. How
basic? Let's say:

- outbound: permit
- forward: deny
- inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
  response to an outbound packet

Now, what should happen when a user installs an SSH daemon?
Should it automatically change the firewall? Of course,
otherwise everyone who installs SSH would discover that it
doesn't work.

How many packages now have to have scripts written to update the
firewall?

What happens when a user installs a multi-protocol daemon like
Dovecot? Does it automatically open POP, POP/S, IMAP and IMAP/S?
All of them? None of them?

There are an infinite number of questions to be asked, all of
which can be summarized as "please read the user's mind and find
out what they want". This is particularly difficult when the
user doesn't know what they want.

Remember, Debian isn't a laptop OS. Debian isn't a desktop OS.
Debian isn't a phone OS. Debian isn't a server OS. Debian isn't
a supercomputing OS. Debian isn't an embedded device OS.

Debian is a Universal OS. 

-dsr-
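As an added example (my own, not Dan Ritter's or Pascal Hambourg's), the following POSIX shell script writes out the policy proposed above as an nftables ruleset, amended along the lines of Pascal's objection to it elsewhere in the thread: instead of opening NTP, DHCP and DNS unconditionally and accepting only TCP replies, it relies on connection tracking so that replies to any outbound UDP or ICMP traffic are accepted too, and it admits the ICMP/ICMPv6 error messages the stack needs. The DHCP client rule (udp/68) and the exact ICMP type lists are my choices, not from the thread. With an input policy of drop, a SYN to a closed port is silently discarded instead of being answered with a RST, which also addresses the reflector behaviour Reco describes.

```shell
#!/bin/sh
# Added example: the thread's "basic firewall" as an nftables ruleset, with
# conntrack-based reply handling instead of per-protocol holes.
# Usage:  sh basic-fw.sh print | sudo nft -c -f -   (syntax check only)
#         sh basic-fw.sh print | sudo nft -f -      (apply)

gen_ruleset() {
cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        # replies to anything this host sent: TCP, UDP (DNS, NTP) and ICMP alike
        ct state established,related accept
        ct state invalid drop
        # DHCP client: offers and acks are not tracked as replies (my choice)
        udp dport 68 accept
        # ping, plus the ICMP error messages needed for PMTU and reachability
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        # everything else, including SYNs to closed ports, is dropped silently
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Default policy ("drop" or "accept") of one chain in the generated ruleset.
ruleset_policy() {
    gen_ruleset | awk -v chain="$1" '
        $1 == "chain" && $2 == chain { inchain = 1 }
        inchain && /policy/ { sub(/;$/, "", $NF); print $NF; exit }'
}

# True when the generated ruleset contains the given rule text verbatim.
ruleset_has() {
    gen_ruleset | grep -Fq -- "$1"
}

case "${1:-}" in
    print) gen_ruleset ;;
esac
```

The point of the `ct state established,related accept` line is that netfilter's connection tracking understands UDP and ICMP "connections" as well as TCP ones, so a DNS or NTP reply and an ICMP echo reply or error related to an outbound packet are admitted without a standing hole for their ports. Installing a service such as sshd still needs an explicit `tcp dport 22 accept` rule in the input chain, which is exactly the per-package problem Dan raises.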



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Reco
Hi.

On Fri, Sep 21, 2018 at 08:55:21AM -0400, Henning Follmann wrote:
> On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > Hi,
> > 
> > I am using Debian and the recently I learned that a standard Debian
> > installation allows all 3 types of traffics especially incoming by default.
> > I know I can easily use iptables to tighten the rules but I wanted to know
> > the reasons behind the choice of this default behaviour and if it makes the
> > system more vulnerable? I tried searching on the Internet but did not get
> > any satisfactory explanation. It will be helpful if anybody knows the
> > answers to my questions or can redirect me to a helpful document.
> > 
> 
> The answer is easy. Because Debian is awesome (TM). So are most other
> distributions.

Hear, hear.

> Run a netstat -t -l and you will see there is nothing listening. So what is
> the point of running a firewall?

The point is to be a good netizen, as always. By running any sane kind of
packet filter you're avoiding participating in a TCP RST attack.

> By default no services (ipp might be the one exception) are running and
> listening.

Portmapper does - tcp 111.

Reco



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Pablo Álvarez Córdoba

I do not know, but:
- By default there are no services listening (except in 127.0.0.1)
- A server is usually behind a router/firewall
- It is better that each user configure their system as they want, instead of 
having default values. Although it would be nice if the installer warns you 
that by default iptables does not have any rules.

 Original message 
On 21 Sept. 2018 5:04, Subhadip Ghosh <subhadip@gmail.com> wrote:

>
>
>
> Hi,
>
> I am using Debian and the recently I learned that a standard Debian
> installation allows all 3 types of traffics especially incoming by
> default. I know I can easily use iptables to tighten the rules but I
> wanted to know the reasons behind the choice of this default behaviour
> and if it makes the system more vulnerable? I tried searching on the
> Internet but did not get any satisfactory explanation. It will be
> helpful if anybody knows the answers to my questions or can redirect me
> to a helpful document.
>
> Thanks,
> Subhadip



Re: Why does Debian allow all incoming traffic by default

2018-09-21 Thread Henning Follmann
On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> Hi,
> 
> I am using Debian and the recently I learned that a standard Debian
> installation allows all 3 types of traffics especially incoming by default.
> I know I can easily use iptables to tighten the rules but I wanted to know
> the reasons behind the choice of this default behaviour and if it makes the
> system more vulnerable? I tried searching on the Internet but did not get
> any satisfactory explanation. It will be helpful if anybody knows the
> answers to my questions or can redirect me to a helpful document.
> 

The answer is easy. Because Debian is awesome (TM). So are most other
distributions.
Run a netstat -t -l and you will see there is nothing listening. So what is
the point of running a firewall?
By default no services (ipp might be the one exception) are running and
listening. So that's your security, just don't run what you don't need.


-H



-- 
Henning Follmann   | hfollm...@itcfollmann.com



Re: Why does Debian allow all incoming traffic by default

2018-09-20 Thread deloptes
Roberto C. Sánchez wrote:

> I suspect that the vast majority of people deploying systems are doing
> so behind some sort of device that provides border security to the local
> network (e.g., router/firewall/NAT/etc.).  So, if the default threat
> model is "a relatively trusted network with adequate border security"
> then the current default is appropriate.

I agree completely. The default policy in RedHat or CentOS is annoying. I
have to disable those every time after installation.



Re: Why does Debian allow all incoming traffic by default

2018-09-20 Thread Roberto C . Sánchez
On Fri, Sep 21, 2018 at 09:02:26AM +0530, Subhadip Ghosh wrote:
> Hi Roberto,
> 
> On Friday 21 September 2018 08:51 AM, Roberto C. Sánchez wrote:
> > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > Hi,
> > > 
> > > I am using Debian and recently I learned that a standard Debian
> > > installation allows all 3 types of traffics, especially incoming, by 
> > > default.
> > What do you mean by "all 3 types of traffics"?
> Incoming, Outgoing and Forward

I see.

Blocking incoming and forwarded traffic would probably not be surprising
to many people.  However, blocking outgoing traffic would be exceedingly
confusing to many people.

> > > I know I can easily use iptables to tighten the rules but I wanted to know
> > > the reasons behind the choice of this default behaviour and if it makes 
> > > the
> > > system more vulnerable?
> > The behavior you observe is likely because that is the best default that is
> > universally applicable.
> But does it make the system more vulnerable in any way to attacks over the
> network? And how would a new Debian user know of this behaviour? I
> don't even see it mentioned on the Stretch Installation manual anywhere.

I see.  Perhaps the Debian Administrator's Handbook, Chapter 14 is what
you are looking for:

https://www.debian.org/doc/manuals/debian-handbook/security.en.html

While there is possibly an argument that not configuring a firewall by
default introduces some vulnerability, it is equally valid to argue that
there are no sensible default firewall policies that can be put into
place without a defined threat model.

I suspect that the vast majority of people deploying systems are doing
so behind some sort of device that provides border security to the local
network (e.g., router/firewall/NAT/etc.).  So, if the default threat
model is "a relatively trusted network with adequate border security"
then the current default is appropriate.

Those who deploy systems directly to a location where they are in
immediate contact with the public Internet should already understand the
ramifications of that decision and tailor their installation process
accordingly.

Regards,

-Roberto

-- 
Roberto C. Sánchez
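A small shell example, added here and not code from any poster in this thread, that combines the two checks discussed above: Henning's "see what is listening" audit and the INPUT/FORWARD-only tightening Roberto describes (leaving OUTPUT open). It assumes iproute2's `ss` and `iptables-restore` are available; the `ss` output embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers: one audits which sockets are
# reachable from the network (the "is anything listening?" check), the other
# emits a default-deny iptables ruleset for INPUT and FORWARD only.

# Constructed sample of `ss -H -tuln` output (not captured from a real host):
# Netid State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='tcp   LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
udp   UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
tcp   LISTEN 0 511 [::1]:5432 [::]:*'

# Read ss-style lines on stdin and print "proto port" for every socket bound to
# something other than a loopback address, i.e. the ones exposed to the network.
exposed_ports() {
    awk '{
        addr = $5
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host ~ /^127\./ || host == "[::1]") next
        print $1, port
    }'
}

# Emit an iptables-restore ruleset: drop unsolicited incoming and all forwarded
# packets, leave outgoing open (blocking OUTPUT is what confuses users).
# Each argument is a TCP port that should stay reachable, e.g. 22 for ssh.
default_deny_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Stand-alone run against the constructed sample; on a live host use
#   ss -H -tuln | exposed_ports
#   default_deny_ruleset 22 | sudo iptables-restore
printf '%s\n' "$SAMPLE_SS" | exposed_ports
default_deny_ruleset 22
```

On the sample the audit reports only `tcp 22` and `udp 631` as exposed: the cups listener on 127.0.0.1 and the postgres listener on ::1 are loopback-only and never reachable from the network regardless of firewall policy.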



Re: Why does Debian allow all incoming traffic by default

2018-09-20 Thread Subhadip Ghosh

Hi Roberto,

On Friday 21 September 2018 08:51 AM, Roberto C. Sánchez wrote:
> On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > Hi,
> > 
> > I am using Debian and recently I learned that a standard Debian
> > installation allows all 3 types of traffics, especially incoming, by default.
> What do you mean by "all 3 types of traffics"?
Incoming, Outgoing and Forward

> > I know I can easily use iptables to tighten the rules but I wanted to know
> > the reasons behind the choice of this default behaviour and if it makes the
> > system more vulnerable?
> The behavior you observe is likely because that is the best default that is
> universally applicable.
But does it make the system more vulnerable in any way to attacks over 
the network? And how would a new Debian user know of this 
behaviour? I don't even see it mentioned on the Stretch Installation 
manual anywhere.

> > I tried searching on the Internet but did not get
> > any satisfactory explanation. It will be helpful if anybody knows the
> > answers to my questions or can redirect me to a helpful document.
> Where did you search or what terms did you use?
Search engines (Google and Duckduckgo). Search terms were similar to the 
email subject line. I also read the wiki on Debian Firewall where it 
talks about the choice of defaults but not the reasons.


Thanks,
Subhadip



Re: Why does Debian allow all incoming traffic by default

2018-09-20 Thread Roberto C . Sánchez
On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> Hi,
> 
> I am using Debian and recently I learned that a standard Debian
> installation allows all 3 types of traffics, especially incoming, by default.

What do you mean by "all 3 types of traffics"?

> I know I can easily use iptables to tighten the rules but I wanted to know
> the reasons behind the choice of this default behaviour and if it makes the
> system more vulnerable? 

The behavior you observe is likely because that is the best default that is
universally applicable.

> I tried searching on the Internet but did not get
> any satisfactory explanation. It will be helpful if anybody knows the
> answers to my questions or can redirect me to a helpful document.
> 
Where did you search or what terms did you use?

Regards,

-Roberto

-- 
Roberto C. Sánchez