On Saturday 22 September 2018 03:34:45 Pascal Hambourg wrote:

> On 21/09/2018 at 19:09, Dan Ritter wrote:
> > Let's suppose Debian installs a basic firewall by default. How
> > basic? Let's say:
> >
> > - outbound: permit
> > - forward: deny
> > - inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
> >   response to an outbound packet
>
> Why should unsolicited NTP, DHCP and DNS inbound packets be allowed?

Because you can set an NTP-corrected machine up as a broadcaster, therefore reducing the load on the tier 2 servers such as Debian maintains by using their pool.debian.org, or the tier 1 servers at pool.ntp.org. That way I have 7 machines here, all synchronized to the first or 2nd tier of time servers on the planet. This machine is a slave to my router; it broadcasts to the other 6 machines, so I have all synched and well within a millisecond.

One could use his main machine that way. Some routers can also serve as servers; dd-wrt installed on a Buffalo NetFinity can also do this. So it has become the broadcaster to my all-NATed home network. I finally did that conversion last spring, cutting out the 2nd NTP request traffic.

> Why should only TCP inbound responses be allowed? What about
> UDP-based protocols, ping replies (ICMP echo reply), ICMP error
> messages, and so on?

I probably should have iptables running on all my machines, but in 15 years only one person has gotten through dd-wrt to this machine, and I had to give him the login credentials; I needed help configuring something on a long since replaced Fedora install. So there is no firewall enabled on any of the machines here.

And because every time Andrew Tridgell sits down at a keyboard CIFS dies, same for NFS, I've found that ssh and sshfs as local networking tools Just Work, so I don't have to putz near as much with access maintenance. No NFS shares, no Samba/CIFS shares. And life is so much simpler.

Computers should work for you, not the other way around, forcing you to remember how to push 17 buttons just to answer an incoming email. This message only required 1 button click and all this typing. Everything else is handled automatically by scripts.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
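Worked example added by the editor, not posted by anyone in this thread: Dan's proposed default ("outbound permit, forward deny, inbound only NTP/DHCP/DNS plus TCP replies") written as an nftables ruleset, with Pascal's objection taken into account. Instead of matching "TCP replies" by hand, it lets conntrack admit replies for every protocol (UDP DNS and NTP answers, ICMP echo replies) and ICMP errors related to an existing flow, and then opens only the two unsolicited cases the thread is really about: DHCP offers, which come from a server the client never addressed directly, and NTP broadcast mode packets, which are never replies. The LAN prefix 192.168.1.0/24 is an assumption for the example.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Assumes an end station on
# the LAN 192.168.1.0/24 that is not routing, hence forward policy drop.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept

        # Stateful replies for every protocol, not only TCP: conntrack tracks
        # UDP (DNS, NTP) and ICMP echo as flows too, so answers to our own
        # queries match "established". "related" admits ICMP errors
        # (port/host unreachable, fragmentation needed) tied to an existing
        # flow, which a TCP-only rule would silently discard.
        ct state established,related accept
        ct state invalid drop

        # ICMP that has no parent flow but the host still needs: echo
        # requests (rate-limited) and, for IPv6, neighbour discovery.
        ip protocol icmp icmp type echo-request limit rate 5/second accept
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept

        # Unsolicited inbound the thread argues about. DHCP OFFER/ACK come
        # back from a server address the client never sent to, so they are
        # not "established"; NTP broadcast mode packets are likewise not
        # replies. Both are restricted to the link/LAN.
        udp sport 67 udp dport 68 accept
        ip saddr 192.168.1.0/24 udp sport 123 udp dport 123 accept

        # Deliberately no rule for unsolicited DNS: a resolver client only
        # ever needs the conntrack rule above; an inbound-DNS rule belongs
        # on a host that actually runs a nameserver.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and inspect with `nft list ruleset`. The caveat the NTP rule introduces: accepting unsolicited UDP/123 from every LAN address means any host on that LAN can send broadcast NTP packets, so the broadcast client side must authenticate them (symmetric keys or autokey) rather than `disable auth`, or a single compromised box can steer the clocks of all the others.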
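A second added example, also the editor's and not Gene's configuration: the broadcaster/client split Gene describes, written for ntpd. The broadcaster syncs to Debian's vendor zone of pool.ntp.org and broadcasts to the LAN; the clients only listen. The LAN broadcast address 192.168.1.255 and the key value are assumptions for the example (the key shown is a constructed placeholder; generate a real one with `ntp-keygen -M`).

```conf
# /etc/ntp.conf on the broadcaster (added example, not from the thread).
# Assumed LAN: 192.168.1.0/24, broadcast address 192.168.1.255.
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst

# Symmetric-key authentication on the broadcast so a LAN host cannot
# spoof the broadcaster. Without "key", every client would need
# "disable auth", which lets anyone on the segment set its clock.
keys /etc/ntp.keys
trustedkey 1
broadcast 192.168.1.255 key 1

# Serve time, refuse remote control/modification and status queries.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

# ---- /etc/ntp.conf on each of the other machines ----
# keys /etc/ntp.keys
# trustedkey 1
# broadcastclient
# restrict default kod nomodify notrap nopeer noquery
# restrict 127.0.0.1
# restrict ::1

# ---- /etc/ntp.keys on every host (mode 0600, owned by the ntp user) ----
# 1 SHA1 0123456789abcdef0123456789abcdef01234567   <- constructed placeholder, replace it
```

After restarting ntpd on a client, `ntpq -p` should list the broadcaster with a `b` (broadcast) type in the `t` column and a growing `reach` value; if the key does not match on both sides, the association is mobilised but never reaches, which is the expected failure mode for a spoofed or misconfigured broadcaster.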

