Originally Posted by TheFu
Security is about layers. The first layer is always in the network, preventing access to attackers that don't have any need to have access. Home users aren't banks. Avahi isn't really something that can be "authenticated", at least not today, so the best we can do is to prevent access by other clients outside the expected LAN. Of course, other protocols and tools DO support key-based authentication. Use keys/certs whenever possible. Avoid passwords when possible, but sometimes that's all we have available.

Attackers already don't have access to internal networks due to NAT: that IS the security defense against outside threats. No one can reach your computer from the Internet unless you enable port forwarding or other means of access explicitly.

Originally Posted by TheFu
BTW, you may notice that in my firewall rules, port 443 isn't open, so the only way that access would be allowed is if I'm running a web client that is accessing a remote server and opens a connection. 3rd parties don't get to ride that connection. They are blocked, unlike with many home routers. Linux firewalls aren't THAT dumb.

I don't understand what this means. Linux firewalls ARE that dumb. They are not layer 7; they have no idea what application is talking to what. They know ports and IP addresses, that's it. When you open your firewall for "accessing a remote server", so does the malware. This is all, by the way, assuming the malware doesn't have root (which is trivial to get on Linux) and just ignores your firewall altogether.

Originally Posted by TheFu
For example, here's a 3rd party trying to piggyback on a request, but being blocked ...
Code:
May 28 09:28:50 hadar kernel: [859693.112304] [UFW BLOCK] IN=br0 OUT= MAC=0c:9d:92:87:ce:13:00:0d:b9:41:67:05:08:00 SRC=213.186.33.19 DST=172.22.22.6 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=48698 DF PROTO=TCP SPT=443 DPT=33398 WINDOW=18 RES=0x00 ACK URGP=0

What's hilarious about this example is you're actually showing a return packet from a server being blocked to you. Which means your computer has already sent a packet to that server, which you allegedly "block". Oops!

Originally Posted by TheFu
This is an example for why we need both the router firewall AND the on-system, software firewall enabled. BTW, my router isn't a dumb consumer router, but clearly, it isn't blocking everything unwanted. If it was, then the desktop system would never have seen the request from OVH and needed to block it. Layers of security. That's the plan.

Layers of security which make sense. Having two firewalls, with one of them on a device behind a trusted NAT, makes zero sense. It is the equivalent of using multiple full disk encryption methods when LUKS does a fine job. Sorry, but you have not demonstrated the value of the same to me.

Originally Posted by TheFu
For services that do have authentication, say ssh, preventing outsiders may not be needed, but there have been bugs, so I use tcp-wrappers and ssh-keys, in addition to the firewall blocks. I'm a belts AND suspenders person. I assume I'll make a human mistake from time to time and want the other layers of security to protect the service for those occasions.

Okay, but where is the limit? Why not have three layers of security, or four, or five? Because of diminishing returns, added complexity and possibly even increased attack surface from it.

Originally Posted by TheFu
I also run a VPN for remote access rather than allowing things like NextCloud to sit on the internet. No VPN? No access to our family nextcloud server. Of course, inside the trusted, wired, network things are different. However, wifi systems inside the building still have to use the VPN to authenticate to the network first. I know that wifi cannot be trusted. It has been proven over and over. Don't get me started about Bluetooth. Just-don't-use-it. They have marketing people who smile way too much, perhaps because they know how bad the security of it is. IDK. Belts and suspenders.

That's great, and for remote access those tools have a place. We're discussing a machine on a trusted local network behind a NAT that's not running any public services. It does not need a firewall applied.
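As an added illustration of the argument above about what the quoted UFW log line actually shows (example code written for this page, not from the thread or either poster): a small parser that splits a "[UFW BLOCK]" line into its fields and labels the blocked packet from its TCP flags and ports. The first sample line is the one quoted in the thread; the second is constructed, using a documentation address.

```python
import re

# netfilter/UFW log lines are KEY=VALUE tokens; TCP flags and DF appear as bare words.
_KV = re.compile(r"\b([A-Z]+)=(\S*)")
_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF")

SAMPLE_LOG = [
    # line quoted in the thread
    "May 28 09:28:50 hadar kernel: [859693.112304] [UFW BLOCK] IN=br0 OUT= MAC=0c:9d:92:87:ce:13:00:0d:b9:41:67:05:08:00 SRC=213.186.33.19 DST=172.22.22.6 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=48698 DF PROTO=TCP SPT=443 DPT=33398 WINDOW=18 RES=0x00 ACK URGP=0",
    # constructed: an unsolicited SYN to the ssh port from a documentation address
    "May 28 09:29:01 hadar kernel: [859704.000001] [UFW BLOCK] IN=br0 OUT= MAC=0c:9d:92:87:ce:13:00:0d:b9:41:67:05:08:00 SRC=198.51.100.7 DST=172.22.22.6 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
]


def parse_ufw_line(line: str) -> dict:
    """Return the KEY=VALUE fields of a '[UFW BLOCK]' line plus a 'flags' set."""
    if "[UFW BLOCK]" not in line:
        raise ValueError("not a UFW BLOCK line")
    fields = dict(_KV.findall(line))
    fields["flags"] = {f for f in _FLAGS if re.search(rf"\b{f}\b", line)}
    return fields


def classify(fields: dict) -> str:
    """Label a blocked inbound TCP packet by what its header suggests."""
    if fields.get("PROTO") != "TCP" or not fields.get("IN"):
        return "non-tcp-or-outbound"
    flags = fields["flags"]
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"  # someone knocking on DPT from outside
    if "ACK" in flags and spt < 1024 and dpt >= 1024:
        # A service port answering an ephemeral port with no conntrack state:
        # a reply to a connection this host once opened (state already expired)
        # or an ACK probe. Either way, nothing is riding an open connection.
        return "out-of-state-reply-from-service-port"
    return "other"


def summarize(lines):
    """(SRC, SPT, DPT, label) for each UFW BLOCK line."""
    return [(f["SRC"], f["SPT"], f["DPT"], classify(f)) for f in map(parse_ufw_line, lines)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```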