On Tue, 25 Jan 2011 21:58:02 +0000
Joe <j...@jretrading.com> wrote:

> On Tue, 25 Jan 2011 15:00:36 -0500
> Celejar <cele...@gmail.com> wrote:
>
> > On Tue, 25 Jan 2011 12:51:15 +0000 (UTC)
> > Camaleón <noela...@gmail.com> wrote:
> >
> > > In this scenario, the "LAN" and the "WAN" are at the same "hostile"
> > > level and so both should be treated. Why should you accept
> > > incoming ssh traffic from the "hostile lan/wan"? I shouldn't...
> > > unless:
> >
> > Exactly my point - that personal firewall 'profiles' are less useful
> > than they might appear at first blush, since you pretty much need to
> > treat all traffic, even 'local' traffic, as dangerous when behind a
> > NAT router.
>
> A laptop will not normally be offering services, so a very basic
My laptop offers lots of services:

~# nmap localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-25 18:49 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000022s latency).
Hostname localhost resolves to 2 IPs. Only scanned 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
631/tcp  open  ipp
3128/tcp open  squid-http
9999/tcp open  abyss

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

[ssh, Exim, dnsmasq, CUPS, privoxy, approx]

although it can be argued that most of these are intended for use by
localhost only, so we can / should block all remote access to them.

> iptables setup should be adequate everywhere. I have a second profile
> which allows only DHCP, DNS and VPN packets out to the LAN, and once a
> VPN is established, DNS goes over it anyway and the default gateway
> switches to the VPN server.
>
> This is pretty much equivalent to the Windows 'send all traffic via the
> remote server' option, and I use it both on foreign LANs and on mobile
> Internet if I need to do anything sensitive. If I just want email
> access, ssh into my server is enough, using the standard profile.
>
> All the public wi-fi systems I've tried seem to block most protocols, so
> neither ssh nor VPN is possible, and I've given up trying them. Maybe
> I'm paranoid, but every time I read about some obscure, devious attack
> technique that I would never have believed possible, or exploitable
> software bug, I get that little bit more paranoid...
>
> I use RADIUS/EAP-TLS at home, but I can see how that might not be
> practical in a pub or cafe.

Interesting, thanks.
Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

--
Archive: http://lists.debian.org/20110125222635.2c097ed7.cele...@gmail.com
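Editor's note, added example (not part of the thread above, nor anyone's posted configuration). A scan of localhost shows which ports answer on 127.0.0.1, but not whether the same daemons are also bound to the LAN address: sshd and dnsmasq commonly listen on 0.0.0.0, CUPS and a local proxy usually on 127.0.0.1 only. The check a practitioner wants before trusting "most of these are localhost only" is the bind address, which `ss -ltn` (or `netstat -ltn`) reports and nmap cannot. The script below does two things: it filters a listener table down to the ports a LAN peer could actually reach, and it prints an iptables-restore ruleset in the spirit of the restricted profile Joe describes (default DROP both ways; loopback, replies, DHCP, DNS and the VPN transport only; everything else via the tunnel). The listener table is constructed in the shape of `ss -ltn` output and modelled on the nmap listing above, not captured from a real host; the VPN protocol/port (udp/1194), the `tun+` interface name and the conntrack match are assumptions. Nothing here touches a live firewall; the ruleset is only printed.

```shell
#!/bin/sh
# Added example for the "which of my listeners are exposed?" question.
# Assumes Linux `ss -ltn` column layout and iptables-restore syntax.

# Constructed sample in the shape of `ss -ltn` output (not from a real host).
# Ports follow the nmap listing in the post; bind addresses are invented.
SAMPLE_LISTENERS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22           0.0.0.0:*
LISTEN  0      20     127.0.0.1:25         0.0.0.0:*
LISTEN  0      128    0.0.0.0:53           0.0.0.0:*
LISTEN  0      128    127.0.0.1:631        0.0.0.0:*
LISTEN  0      128    0.0.0.0:3128         0.0.0.0:*
LISTEN  0      128    127.0.0.1:9999       0.0.0.0:*
LISTEN  0      128    [::]:22              [::]:*
LISTEN  0      128    [::1]:631            [::]:*'

# exposed_ports: read `ss -ltn` text on stdin, print the TCP ports bound to a
# non-loopback address (v4 or v6), one per line, numerically sorted, unique.
# A port appearing here is reachable from the LAN unless INPUT blocks it.
exposed_ports() {
    awk '
        NR > 1 && $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")      # port is the last ":"-separated field
            port = parts[n]
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next   # loopback only: skip
            print port
        }' | sort -n -u
}

# hostile_lan_rules [proto] [port]: emit an iptables-restore ruleset for a
# laptop on an untrusted LAN. Inbound: loopback, replies and the DHCP offer
# only, so even services bound to 0.0.0.0 are unreachable from the LAN.
# Outbound: DHCP, DNS (needed until the tunnel is up), the VPN transport, and
# anything leaving via the tunnel. Defaults udp/1194 are an assumption.
# IPv6 needs the same treatment via ip6tables-restore, or the [::]:22 listener
# above stays reachable.
hostile_lan_rules() {
    vpn_proto=${1:-udp}
    vpn_port=${2:-1194}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP offers are broadcast and not always tracked as replies, so allow explicitly
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p $vpn_proto --dport $vpn_port -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
EOF
}

# Stand-alone demo: exposed ports from the sample, then the printed ruleset.
# On a real host (as root): ss -ltn | exposed_ports ; hostile_lan_rules | iptables-restore
printf '%s\n' "$SAMPLE_LISTENERS" | exposed_ports
hostile_lan_rules udp 1194
```

Run against the constructed table this reports 22, 53 and 3128 as reachable from the LAN (25, 631 and 9999 are loopback-only), which is exactly the distinction `nmap localhost` hides. The ruleset keeps Joe's shape: nothing inbound is accepted on its own merits, and until the VPN is up only DHCP, DNS and the tunnel transport may leave the box.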