On Fri 21 Sep 2018 at 21:32:45 +0300, Reco wrote:
> Hi.
>
> On Fri, Sep 21, 2018 at 07:14:03PM +0100, Brian wrote:
> > On Fri 21 Sep 2018 at 19:25:22 +0300, Reco wrote:
> >
> > > Hi.
> > >
> > > On Fri, Sep 21, 2018 at 08:55:21AM -0400, Henning Follmann wrote:
> > > > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > > > Hi,
> > > > >
> > > > > I am using Debian and recently I learned that a standard Debian
> > > > > installation allows all 3 types of traffic, especially incoming, by
> > > > > default. I know I can easily use iptables to tighten the rules but I
> > > > > wanted to know the reasons behind the choice of this default
> > > > > behaviour and if it makes the system more vulnerable. I tried
> > > > > searching on the Internet but did not get any satisfactory
> > > > > explanation. It will be helpful if anybody knows the answers to my
> > > > > questions or can redirect me to a helpful document.
> > > > >
> > > > The answer is easy. Because Debian is awesome (TM). So are most other
> > > > distributions.
> > >
> > > Hear, hear.
> > >
> > > > Run a netstat -t -l and you will see there is nothing listening. So
> > > > what is the point of running a firewall?
> > >
> > > The point is to be a good netizen, as always. By running any sane kind of
> > > packet filter you're avoiding participating in a TCP RST attack.
> >
> > How do you do an attack when (as Henning Follmann says) nothing is listening?
>
> TCP RST attack requires exactly that. That, and an absence of a
> firewall.
You have given much food for thought. Thank you.

> > > There is no point with a standard Debian installation (which is what the
> > > OP inquired about). Debian is already a good netizen.
>
> Good person makes a TCP connection to an unprotected (as in - no firewall
> interference) host. Since there's nothing on the host listening on the
> appropriate TCP port - the host's kernel sends back a TCP RST packet.
> Good person's connection terminates, everyone's happy. That's how it
> goes in your typical LAN.
>
> Evil person makes a TCP connection to an unprotected host, but forges the
> source IP. Host sends TCP RST to this forged IP, the host acting as a
> 'reflector' for an attack. And being a bad netizen at the same time.
>
> Evil person takes as many such hosts as possible - and there goes
> your old-fashioned RST DDOS.
>
> I recall that you've stated that your servers do not run any kind of
> packet filter. So, just in case - one cannot harm the reflector that
> way.

They don't. And I still think the OP is fussing over nothing.

> So, in this regard Debian is imperfect, but at least they give you the right
> tools to solve the problem (iptables suite), and do not force braindead
> firewall policies by default (like RHEL does).

If I used a packet filter I would want to base its use on some sensible. Your post might help me to do it.

-- 
Brian.
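The reflector argument above, as an added toy model (not code from the list, from Debian, or from the kernel): a host with no listener answers a stray SYN with a RST, so a SYN carrying a forged source makes the host send that RST to a third party; a stateful "accept established, drop the rest" filter discards the SYN before the kernel can answer, while the host's own outbound sessions still work. Addresses are RFC 5737 documentation ranges constructed for the example.

```python
"""Toy model of RST reflection with and without a stateful packet filter.
Added illustration only; the real decision is made by the kernel TCP stack
and netfilter/conntrack, which are simplified to a few rules here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" SYN, "SA" SYN-ACK, "R" RST


HOST = "192.0.2.10"  # constructed address of the Debian box


class Host:
    def __init__(self, listening=(), stateful_filter=False):
        self.listening = set(listening)          # ports with a socket in LISTEN
        self.stateful_filter = stateful_filter   # "ct state established accept; drop"
        self.conntrack = set()                   # (peer ip, peer port, local port) we initiated
        self.sent = []                           # every segment the host emits

    def connect(self, dst, dport, sport):
        """Outbound connection: conntrack remembers it so the reply counts as ESTABLISHED."""
        self.conntrack.add((dst, dport, sport))
        self.sent.append(Seg(HOST, sport, dst, dport, "S"))

    def receive(self, seg):
        known = (seg.src, seg.sport, seg.dport) in self.conntrack
        if self.stateful_filter and not known and seg.dport not in self.listening:
            return "dropped"                     # filter discards it; nothing leaves the host
        if known or seg.dport in self.listening:
            return "delivered"                   # handed to the socket (not modelled further)
        rst = Seg(HOST, seg.dport, seg.src, seg.sport, "R")  # closed port: kernel answers RST
        self.sent.append(rst)
        return "rst"


def rst_targets(stateful_filter):
    """Who receives RSTs from HOST after a forged-source SYN hits a closed port?"""
    h = Host(listening=[], stateful_filter=stateful_filter)
    h.connect("203.0.113.1", 443, 40000)                    # legitimate outbound session
    h.receive(Seg("203.0.113.1", 443, HOST, 40000, "SA"))  # its SYN-ACK comes back fine
    h.receive(Seg("198.51.100.7", 1234, HOST, 8080, "S"))  # SYN with the victim's address forged
    return [s.dst for s in h.sent if s.flags == "R"]        # [] once the filter is on
```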