On Sat, Sep 22, 2018 at 04:52:40PM +0200, Pascal Hambourg wrote:
> On 22/09/2018 at 13:31, Dan Ritter wrote:
> > On Sat, Sep 22, 2018 at 12:55:24PM +0200, Pascal Hambourg wrote:
> > > I do not see how all this replies to my question :
> > This comment was intended to Gene Heskett.
> >
> > > Why should only TCP inbound responses be allowed ? What about UDP-based
> > > protocols, ping replies (ICMP echo reply), ICMP error messages, and so on
> > > ?
> >
> > Given that my entire point was that no firewall policy other
> > than "configure it yourself" will work, it's really you missing
> > the point to expect me to describe a complete firewall policy tuned
> > to your desires.
>
> It does not matter what your entire point was, and I do not expect you to
> describe a complete firewall policy. *You* exposed a supposedly default
> firewall policy which I happened to find questionable, so I questioned it.

You should certainly find it questionable,

> You would not have exposed a broken firewall policy on purpose in order to
> prove your point, would you ?

Wouldn't I? I am explicitly describing a firewall policy for the sake of
argument, and in no way advocating it. In fact, the ENTIRE FREAKING POINT
WHICH I HAVE MADE TWICE NOW is that I am *not* advocating it.

Do not use this firewall policy.

If Debian were to do the stupid thing of instituting a default firewall
policy other than what it doesn't do now, I would hope for a several month
long debate in debian-developers about what it should be.

-dsr-

