[sf-lug] interlopers continued

John Reilly jr at inconspicuous.org
Sun Jul 22 02:52:26 PDT 2007

Rick Moen wrote:
> Probably quite a few years ago, since the book's title _isn't_ 
> "The Wily Hacker".  (That's part of the subtitle.)
I'll quote the ISBN for you next time so there's no confusion. 

> By definition, the only possible (primary, as opposed to traffic
> logging, etc.) function of iptables IP/port filtering is to block
> incoming, outgoing, or forwarded traffic.  The outgoing traffic is from
> authorised users (or, at least, if not, the owner has bigger problems).
> There is no forwarded traffic in this case (not a router).  Inbound
> traffic is physically possible only to the specific daemons the owner
> decided to run, and to make available to the public.  So, the only
> physically possible inbound traffic is what the owner specifically
> intended to be allowed.
> So, please, do tell us, what is the nature of the "defence" you believe
> gets added?  What specifically would you filter out, and why?
You seem to forget about human error.  Obviously it's because you're 
infallible  :)
But for most people, they do make mistakes.  Sometimes software is 
introduced without proper config, or without the full consequences of 
running it being understood.  Obviously you are careful that this is not 
the case on your host.  I can't say 100% for sure, but I believe that for 
the average person out there using or trying out Linux, they may not know 
which services are safe to have running on an open host or how to 
configure them so that they are safe.  In this case, a firewall will 
offer them some protection until they fix their erroneous configs and/or 
learn more about what's running on their box, assuming they only open up 
the ports they need to have open.

You try and use your own host as an example of the general case when it's 
not.  Most boxes are not admined by someone with your knowledge.  I 
still would maintain that for most people it makes sense to filter.
> I can't help noticing that you nowhere talk about a relevant response to
> a specific threat model.  Instead, you make a vague handwave about
> "defence in depth".  Pardon my frankness, but that's just a little sad.
What the f^*% do you expect - I'm not going to write a 20 page essay 
talking about responses to various threat models - not unless someone 
wants to pay for it. 

You seem to love making mountains out of molehills.  All I did initially 
was suggest that maybe filtering could help but that "firewalls aren't a 
silver bullet and the services on your host should really be secured."   
Somehow you seem to have read this as me stating that everyone should 
have a firewall.
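An added example, not from this thread, of the filtering John is arguing for: a default-deny inbound iptables policy for a standalone (non-routing) host, so that only the daemons the owner meant to expose are reachable and anything else that happens to be listening is not. The intended ports (22 and 80) and the list of "accidentally listening" ports are constructed for the example.

```shell
#!/bin/sh
# Default-deny inbound filtering for a single, non-routing host.
# Only the TCP ports the owner intends to expose are reachable from the
# network; a daemon started by mistake (a package that enables itself, a
# config that binds 0.0.0.0 instead of localhost) is not.
# Assumption for this example: the host intends to expose SSH and HTTP only.
INTENDED_TCP="22 80"

# Print the rule set, one iptables command per line ($1 = intended TCP ports).
# Apply with: gen_rules "$INTENDED_TCP" | sh   (as root)
gen_rules() {
    echo 'iptables -F INPUT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    # replies to connections the host itself opened
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $1; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # log (rate-limited) what gets dropped, so a forgotten service shows up in the logs
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
    # policies go last so an existing admin session is never cut off mid-setup
    echo 'iptables -P INPUT DROP'      # anything not explicitly allowed is dropped
    echo 'iptables -P FORWARD DROP'    # not a router: nothing is forwarded
    echo 'iptables -P OUTPUT ACCEPT'   # outgoing traffic comes from the host's own users
}

# Return 0 if inbound TCP to port $1 would be accepted under policy $2, 1 otherwise.
port_reachable() {
    for p in $2; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Count the listening ports ($2, space-separated, e.g. taken from "ss -ltn")
# that the policy ($1) does NOT expose: exactly what the filter protects.
unintended_listeners() {
    n=0
    for l in $2; do
        port_reachable "$l" "$1" || n=$((n + 1))
    done
    echo "$n"
}

# Constructed example: 3306 and 5900 were left listening by accident.
LISTENING="22 80 3306 5900"
gen_rules "$INTENDED_TCP"
echo "unintended listeners blocked by the policy: $(unintended_listeners "$INTENDED_TCP" "$LISTENING")"
```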
