On Tue, 25 Jan 2011 12:51:15 +0000 (UTC) Camaleón <noela...@gmail.com> wrote:
> On Mon, 24 Jan 2011 15:57:33 -0500, Celejar wrote:
>
> > On Fri, 7 Jan 2011 19:51:59 +0000 (UTC) Camaleón wrote:
> >
> >> Open wifi hot-spots (or open networks) are dangerous because all your
> >> "neighbors" can represent a potential security risk (they have
> >> "physical" access to your machine), meaning that you should enforce
> >> your computer firewall rules to treat all of the LAN computers as
> >> "untrusted" hosts which BTW is not the normal behavior of a firewall
> >> (in a LAN environment, internal hosts are the "good" guys and rules are
> >> relaxed for the whole LAN machines).
> >>
> >> For precisely that purpose there are firewall "profiles", to harden
> >> policies when going through open networks (aka: close all ports, do not
> >> allow traffic from any machine to my host and monitor all the traffic
> >> going in/out... alias: heads-up!).
> >
> > From your last paragraph, it sounds like you're talking about a
> > 'personal' firewall - i.e., one running on your laptop.
>
> Yes.
>
> > But if so, it can actually get pretty tricky to distinguish between
> > traffic from the LAN and from the big, bad WWW, since your gateway
> > router is probably doing NAT on incoming traffic. IOW, how do you tell
> > the firewall "accept ssh connections from the LAN but not from the
> > 'net", when the 'net connections have been NATed to look like they're
> > originating from the LAN?
>
> In this scenario, the "LAN" and the "WAN" are at the same "hostile" level
> and so both should be treated. Why should you accept incoming ssh
> traffic from the "hostile lan/wan"? I shouldn't... unless:

Exactly my point - that personal firewall 'profiles' are less useful than they might appear at first blush, since you pretty much need to treat all traffic, even 'local' traffic, as dangerous when behind a NAT router.
Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

Archive: http://lists.debian.org/20110125150036.3fa2c090.cele...@gmail.com
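The two firewall "profiles" the thread contrasts, written out as an added example that is not part of any message in this thread and not code from Debian or either poster. The "home" profile makes its ssh decision on the packet's source address (a constructed 192.168.1.0/24 subnet is assumed as the trusted LAN), which is exactly the input the thread says a laptop behind a NAT gateway cannot rely on; the "hotspot" profile never looks at the source at all and only lets through replies to connections the laptop itself opened, logging everything else. Each profile is also rendered as an nftables `inet filter` input chain so the policy can be compared in the form a practitioner would actually load; the packet dataclass and `evaluate()` are a small simulator added here for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed "trusted" home subnet used by the LAN-trusting profile.
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")
SSH_PORT = 22


@dataclass(frozen=True)
class Packet:
    """Minimal view of an inbound packet as a host firewall sees it."""
    src: str            # source IPv4 address as a string
    dport: int          # destination TCP port on this host
    established: bool   # True if it belongs to a connection we opened


def home_profile(pkt: Packet) -> str:
    """LAN-trusting policy: replies pass, LAN peers may reach ssh, rest dropped.

    The ssh decision hinges on the source address, so any traffic that
    arrives carrying a LAN address (whatever rewrote it) is trusted.
    """
    if pkt.established:
        return "ACCEPT"
    if ipaddress.ip_address(pkt.src) in HOME_LAN and pkt.dport == SSH_PORT:
        return "ACCEPT"
    return "DROP"


def hotspot_profile(pkt: Packet) -> str:
    """Open-network policy: only replies to our own connections pass.

    Source address is deliberately ignored: LAN and WAN are treated as the
    same hostile zone, and every unsolicited packet is logged and dropped.
    """
    if pkt.established:
        return "ACCEPT"
    return "LOG+DROP"


def evaluate(profile, packets):
    """Apply one profile to a list of packets and return the verdicts."""
    return [profile(p) for p in packets]


def render_nft(profile_name: str) -> str:
    """Render the equivalent nftables input chain for a named profile."""
    common = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    if profile_name == "home":
        body = [f"    ip saddr {HOME_LAN} tcp dport {SSH_PORT} accept"]
    elif profile_name == "hotspot":
        # Nothing unsolicited is accepted; log before the chain policy drops it.
        body = ['    log prefix "hotspot-drop: " drop']
    else:
        raise ValueError(f"unknown profile: {profile_name}")
    return "\n".join(common + body + ["  }", "}"])


# Constructed sample traffic: an ssh attempt carrying a LAN source address,
# an ssh attempt from a public address, and a reply to a connection we opened.
SAMPLE = [
    Packet(src="192.168.1.50", dport=22, established=False),
    Packet(src="203.0.113.9", dport=22, established=False),
    Packet(src="203.0.113.9", dport=443, established=True),
]

if __name__ == "__main__":
    for name, profile in (("home", home_profile), ("hotspot", hotspot_profile)):
        print(name, evaluate(profile, SAMPLE))
        print(render_nft(name))
```

Run it and the "home" profile accepts the first packet purely because of its source address, while "hotspot" drops both unsolicited ssh attempts and still lets the established reply through; that difference is the whole reason to switch profiles on an open network rather than trying to tell LAN from WAN by address.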