On Fri, 25 Sep 20, 10:23:43, Michael Stone wrote:
> On Fri, Sep 25, 2020 at 09:01:26AM -0400, Gene Heskett wrote:
> > Your paranoia is excessive. I have 5 machines online ATM, but they are
> > all on a local network in the 1902.168.xx.xx block, which is NOT
> > routable from the internet but are NAT'd to my net address by having

NAT is just a nuisance, in *both* directions.

> > such a setup in a router running dd-wrt. In nearly 2 decades, no one has
> > come into my systems from the internet that I didn't give the
> > credentials to do so.
>
> You post this all the time, but it's irrelevant at best and misleading at
> worst. On a default debian system these days an external firewall is
> basically a noop because there are no services listening.

Well, besides exim (still installed by default as far as I know), CUPS
(probably pulled by most DEs) and SSH server (quite common for many
users), plenty of other software is listening on some port, e.g. mpd,
syncthing (web interface), qbittorrent-nox (web interface), barrier,
just to name a few.

Most of these have some sort of password protection available, which may
or may not be enabled by default, assuming it's even reasonably secure.

A firewall does provide an additional layer of protection for them.

> The attack vector
> in modern environments is much more likely to be client exploits (e.g., web
> browser) and a perimeter firewall adds zero protection from that threat.

Agreed.

> And, honestly, most people who are compromised have no clue that they are
> unless someone tells them.

Agreed as well.

> Telling people that all they need to do is install a perimeter firewall and
> then they're secure is simply wrong.

Yep.

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser
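Added example, not part of the original message: a short Python script that sorts listening TCP sockets into loopback-only and reachable-from-the-network, which is the distinction that decides whether a firewall changes anything for a given service. The `ss -H -tlnp` sample, including its process names, PIDs and bind addresses, is constructed for illustration and does not claim to show any package's defaults.

```python
import ipaddress
import re

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128    0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=612,fd=3))
LISTEN 0 20   127.0.0.1:25    0.0.0.0:* users:(("exim4",pid=890,fd=4))
LISTEN 0 128  127.0.0.1:631   0.0.0.0:* users:(("cupsd",pid=701,fd=7))
LISTEN 0 5      0.0.0.0:6600  0.0.0.0:* users:(("mpd",pid=1012,fd=9))
LISTEN 0 4096 127.0.0.1:8384  0.0.0.0:* users:(("syncthing",pid=1200,fd=20))
LISTEN 0 128       [::]:22       [::]:* users:(("sshd",pid=612,fd=4))
LISTEN 0 20       [::1]:25       [::]:* users:(("exim4",pid=890,fd=5))
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def classify_listeners(ss_output):
    """Split listening sockets into 'exposed' and 'local_only'.

    Each entry is (process, bind_address, port). 'exposed' means the socket
    accepts connections from other hosts unless a packet filter blocks them.
    """
    result = {"exposed": [], "local_only": []}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip blank lines, headers, non-listening states
        host, _, port = fields[3].rpartition(":")
        # Drop an interface scope (e.g. "%lo") and IPv6 brackets.
        host = host.split("%")[0].strip("[]")
        match = PROC_RE.search(line)
        proc = match.group(1) if match else "unknown"  # no -p or no privileges
        # "*" is how ss prints a dual-stack wildcard bind.
        loopback = host != "*" and ipaddress.ip_address(host).is_loopback
        key = "local_only" if loopback else "exposed"
        result[key].append((proc, host, int(port)))
    return result


if __name__ == "__main__":
    report = classify_listeners(SAMPLE_SS_OUTPUT)
    for kind in ("exposed", "local_only"):
        print(kind)
        for proc, host, port in report[kind]:
            print(f"  {proc:<10} {host}:{port}")
```

On a real host, feed it the output of `ss -H -tlnp` run as root; anything under `exposed` is a service whose own authentication is the only barrier when no packet filter sits in front of it.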