On Saturday 22 September 2018 10:52:40 Pascal Hambourg wrote:
> On 22/09/2018 at 13:31, Dan Ritter wrote:
> > On Sat, Sep 22, 2018 at 12:55:24PM +0200, Pascal Hambourg wrote:
> >> I do not see how all this replies to my question :
>
> This comment was intended for Gene Heskett.
>
> >> Why should only TCP inbound responses be allowed ? What about
> >> UDP-based protocols, ping replies (ICMP echo reply), ICMP error
> >> messages, and so on ?
> >
> > Given that my entire point was that no firewall policy other
> > than "configure it yourself" will work, it's really you missing
> > the point to expect me to describe a complete firewall policy tuned
> > to your desires.
>
> It does not matter what your entire point was, and I do not expect you
> to describe a complete firewall policy. *You* exposed a supposedly
> default firewall policy which I happened to find questionable, so I
> questioned it.
>
> You would not have exposed a broken firewall policy on purpose in
> order to prove your point, would you ?
The point I was trying to make is that in close to 2 decades of my somewhat
volatile home setup, all on a 192.168.nn.nn address, and with the exception
in my sig being the only forward in the dd-wrt rules, and apache2 running in
a sandbox to serve my web page, the only person to gain access to this
network and machine was given the username and password to do so by me.

My only problem has been someone else logging into one of the wifis, which
are not bridged to this net but to the internet, and using up more bandwidth
in a month than I do. Still under my cap by quite a ways, but... So since I
don't use the radios, ATM all the radios are turned off; they aren't needed
until one of my boys comes to visit with a smartphone and needs net access.

Take it for what you think it's worth. It does work for me.

IMO, those without a reflashed router running dd-wrt or one of the
work-a-likes between their machines and the internet, running all their
machines on un-routable addresses, are a bit dumb, asking for trouble, and
it will find them sooner rather than later unless they've built their own
firewall. Yes, there are $35 routers that can be updated to dd-wrt; I have
such a netgear. But dd-wrt has stuff there is not room for in the more
memory-limited $35 model, 100% configurable port forwarding being on the
missing list, so the netgear has logged a couple weeks when the buffalo got
forgetful.

Take care Pascal.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
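The question quoted at the top of the thread, why a policy that admits only TCP inbound responses is too narrow, can be shown concretely with a small simulation. This is an added example, not code from the thread, from dd-wrt or from netfilter: a toy connection tracker classifies inbound packets as established, related or new the way a stateful firewall does, and the two policies under discussion are applied to the same constructed traffic. All addresses, ports and the ICMP echo identifier are made up for the example.

```python
"""Toy model of a stateful firewall's view of inbound packets.

Compares the questioned policy ("only TCP replies may come in") with a
protocol-agnostic one ("anything the tracker marks as a reply, or as
related to a flow we started, may come in"). Constructed example; real
netfilter conntrack is considerably richer than this.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                    # TCP/UDP source port, or ICMP echo identifier
    dport: int = 0
    icmp_type: str = ""               # "echo-request", "echo-reply", "dest-unreach"
    inner: Optional["Packet"] = None  # ICMP errors quote the header of the offending packet

LAN_HOST = "192.168.1.10"             # constructed private address behind the NAT router

def flow_key(p: Packet):
    """Direction-specific flow identity, as a conntrack table would store it."""
    if p.proto == "icmp":
        return ("icmp-echo", p.src, p.dst, p.sport)   # request and reply share the echo id
    return (p.proto, p.src, p.dst, p.sport, p.dport)

def reply_key(p: Packet):
    """The flow that this packet would be answering (addresses and ports swapped)."""
    if p.proto == "icmp":
        return ("icmp-echo", p.dst, p.src, p.sport)
    return (p.proto, p.dst, p.src, p.dport, p.sport)

class ConnTracker:
    def __init__(self):
        self.flows = set()

    def see_outbound(self, p: Packet):
        """Record a flow initiated from the LAN side."""
        self.flows.add(flow_key(p))

    def state(self, p: Packet) -> str:
        """Classify an inbound packet as established, related or new."""
        if p.proto == "icmp" and p.icmp_type not in ("echo-request", "echo-reply"):
            # ICMP error message: related only if it quotes a flow we started
            if p.inner is not None and flow_key(p.inner) in self.flows:
                return "related"
            return "new"
        if p.proto == "icmp" and p.icmp_type != "echo-reply":
            return "new"              # an inbound echo request is never a reply to anything
        if reply_key(p) in self.flows:
            return "established"
        return "new"

def tcp_only_policy(ct: ConnTracker, p: Packet) -> bool:
    """The questioned default: admit TCP replies and nothing else."""
    return p.proto == "tcp" and ct.state(p) == "established"

def conntrack_policy(ct: ConnTracker, p: Packet) -> bool:
    """Admit any reply or related packet regardless of protocol; drop the rest."""
    return ct.state(p) in ("established", "related")

def build_scenario():
    """Three outbound flows from the LAN host, then six inbound packets (constructed)."""
    ct = ConnTracker()
    tcp_out = Packet("tcp", LAN_HOST, "203.0.113.5", 40000, 443)
    dns_out = Packet("udp", LAN_HOST, "203.0.113.53", 51000, 53)
    ping_out = Packet("icmp", LAN_HOST, "203.0.113.9", sport=77, icmp_type="echo-request")
    for p in (tcp_out, dns_out, ping_out):
        ct.see_outbound(p)
    inbound = {
        "tcp reply":       Packet("tcp", "203.0.113.5", LAN_HOST, 443, 40000),
        "dns reply":       Packet("udp", "203.0.113.53", LAN_HOST, 53, 51000),
        "ping reply":      Packet("icmp", "203.0.113.9", LAN_HOST, sport=77, icmp_type="echo-reply"),
        "icmp error":      Packet("icmp", "203.0.113.1", LAN_HOST, icmp_type="dest-unreach", inner=dns_out),
        "unsolicited tcp": Packet("tcp", "198.51.100.7", LAN_HOST, 1234, 22),
        "unsolicited udp": Packet("udp", "198.51.100.7", LAN_HOST, 1234, 5060),
    }
    return ct, inbound

def evaluate(policy):
    """Return {packet name: accepted?} for one policy over the scenario."""
    ct, inbound = build_scenario()
    return {name: policy(ct, p) for name, p in inbound.items()}

if __name__ == "__main__":
    tcp_only = evaluate(tcp_only_policy)
    full = evaluate(conntrack_policy)
    print(f"{'inbound packet':16} {'tcp-only':>9} {'conntrack':>10}")
    for name in tcp_only:
        print(f"{name:16} {str(tcp_only[name]):>9} {str(full[name]):>10}")
```

Under the TCP-only policy the DNS answer, the ping reply and the ICMP error are all dropped, so name resolution over UDP breaks and path-MTU or unreachable feedback never arrives, while the protocol-agnostic policy admits exactly those four replies and still rejects both unsolicited packets. On a real Linux router the second policy is the usual `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` in iptables, or `ct state established,related accept` in nftables, placed ahead of the per-port rules.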