Thanks for the response - replies inline

On Wed, Oct 9, 2024 at 4:48 PM Dan Ritter wrote:
>
> Lee wrote:
> > There was this bit in the debian-devel mailing list
> >
> > >> To make this happen for trixie, I don't see how to do it. Anyone having
> > >> the old 'signify' package on their system would get OpenBSD's signify
> > >> instead of the new 'signify-mail' package after an upgrade. Is that
> > >> problem really worth caring about?
> > >No: popcon == 58.
> >
> > If you don't have popcon enabled, why not?
> >
> > I have it enabled and I'm not seeing a real downside to having it
> > enabled. What am I missing?
>
> A security policy that requires a good reason to enable contact
> in either direction across a firewall.

Wow! I tried restricting outbound connections and, except for IOT stuff that's still restricted, ended up just logging the 'out-of-the-ordinary' destination ports. I even review the logs occasionally :)

I allow traceroute in because debugging network problems without it is a pain, plus dhcp for the firewall, plus the ipv6 goop required for the firewall to get ip addresses. And then responses to outbound traffic are allowed in (I'd block some of that, but the stupid ass firewall doesn't allow blocking incoming responses to outbound traffic).

I had a server running on a 32-bit pentium. I wanted support, so I thought keeping the popcon numbers up for 32-bit processors was a good enough reason to enable popcon. That server has been replaced by one with a 64-bit processor, but I still think keeping the popcon numbers up for packages I use is a good enough reason to enable popcon.

I totally agree with the "default deny" policy, but if you're keeping your machines patched, is keeping the popcon numbers up for packages you use really not a good enough reason for enabling popcon? (Not that paranoia is a _bad_ thing - I have maybe more than normal regarding networking, but as long as you're regularly patching I'm just not seeing a good reason to disable popcon.)

> That's a set of boxes between 100 and 1000 that I'm responsible
> for, all running Debian.
>
> In general, the people who enable popcon are more likely to have
> laptops than desktops, and much more likely to run on a desktop
> than on a server. They are more likely to be in charge of 1-10
> machines, all with haphazard policies, than in charge of a fleet
> of machines with a unified policy.

The under 10 machines is me :) And I'm not good with policy enforcement on individual machines - especially the wife's PCs and all the iMachines in the house :) I depend on the firewall to do my policy enforcement.

Thanks,
Lee