[AusNOG] IPv6 excuses

Peter Fern ausnog at 0xc0dedbad.com
Sat May 28 10:38:23 EST 2016


On 05/27/16 17:10, Mark Andrews wrote:
> OSX has the host firewall on by default.

Did that happen some time in the last 12 months?  This certainly wasn't
the case last time I checked.

>   Linux has host firewall
> and depending upon the distro it may be on or off by default.  In
> reality you don't need a host firewall for most things.  A simple
> acl after accept is enough as you only have a single port open if
> any at all.

The majority of Linux desktop distributions don't enable a host
firewall; on server distributions, it's about an even split.  Ports open
obviously depends on software installed and enabled.  ACLs or host
firewalls need to be explicitly configured; desktop users may not even
know what's running after package X pulls in dependency Y.

> e.g. TV's don't need to be listening on the net.

They don't need to be, but are they?  Now TVs support all sorts of
streaming protocols, etc.  I have no idea what the quality of code is
like on TV firmware.  And you can add streaming boxes, light bulbs, IoT,
etc to the list.

> What is needed is to build with concept that there is a hostile
> environment out there and to validate all inputs before otherwise
> using them.
>
> This is what we do with BIND.  We code assuming that there is nothing
> between the server and the rest of the world.  We have machines
> continually attempting to break it.  We issue advisories when we
> find an issue.  We assume there are blackhats inspecting every change
> we make in an attempt to find a way in.  We also have thousands of
> internal consistency checks.

And this is a great philosophy, but how many developers/projects do you
think adhere to it?

> If the ISP supplies the CPE then they need to source a CPE with
> equivalent functionality which do exist. 

Indeed, and this is why my original question was, "What do the default
firewalls look like on those modems [sic]?"

>>>  If manufacturers are selling consumer equipment that is incapable of
>>> being exposed to the net directly they should be being fined for
>>> selling substandard products and be forced to recall / provide updates.  
>> Except that this is far removed from reality.
> It shouldn't be.  We have strong consumer protection laws in this
> country and we pay a premium for this.

Sure, but the fact is that there are more and more IP-enabled devices
appearing in people's homes, and developers' skill/commitment to
security varies wildly, and plenty of those devices simply *aren't*
built or configured to be safely exposed to the Internet (partly fueled
by the ubiquity of NAT for the last decade or more).  Wishing it wasn't
so doesn't change the reality.

IMO it's just safer for end users to firewall at the CPE.
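The thread's point that a desktop user "may not even know what's running after package X pulls in dependency Y" can be checked directly on a Linux host. The following is an added example, not code from the AusNOG thread or from any poster: it parses the kernel's /proc/net/tcp6 table, decodes the hex-encoded IPv6 local addresses, and reports which LISTEN sockets are bound to an address reachable from off the host (wildcard or global) rather than loopback, link-local or unique-local. The sample table is constructed for illustration, and the address decoder assumes a little-endian host, which is what x86 and ARM Linux use.

```python
"""List IPv6 TCP listeners on a Linux host and flag externally reachable ones.

Added example for the host-firewall discussion; not code from the thread.
Reads /proc/net/tcp6 (or a constructed sample when run elsewhere).
"""
import ipaddress
import struct

# Socket state code used by the kernel for listening TCP sockets.
TCP_LISTEN = "0A"

# RFC 4193 unique-local range; checked explicitly because Python's
# IPv6Address.is_private also covers documentation space (2001:db8::/32).
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")

# Constructed sample in /proc/net/tcp6 layout: sshd on the wildcard address,
# a database on loopback, a web app on a global (documentation) address, and
# one established connection that is not a listener.
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18881 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:1538 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 22310 1 0000000000000000 100 0 0 10 0
   2: B80D0120000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 25004 1 0000000000000000 100 0 0 10 0
   3: 00000000000000000000000000000000:0016 B80D0120000000000000000002000000:C3A8 01 00000000:00000000 00:00000000 00000000     0        0 31002 1 0000000000000000 20 4 30 10 -1
"""


def decode_proc_addr(hex_addr: str) -> ipaddress.IPv6Address:
    """Turn the kernel's 32-hex-digit form into an IPv6Address.

    The kernel prints the address as four 32-bit words, each in host byte
    order, so each word is unpacked little-endian (assumption: x86/ARM host).
    """
    words = [int(hex_addr[i:i + 8], 16) for i in range(0, 32, 8)]
    raw = b"".join(struct.pack("<I", w) for w in words)
    return ipaddress.IPv6Address(raw)


def classify(addr: ipaddress.IPv6Address) -> str:
    """Describe how far a socket bound to this address is reachable."""
    if addr.is_unspecified:          # :: means every address on every interface
        return "wildcard"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:           # fe80::/10, on-link only
        return "link-local"
    if addr in UNIQUE_LOCAL:         # site-scoped, not routed on the Internet
        return "unique-local"
    return "global"


def parse_listeners(proc_text: str):
    """Return (port, address, scope) for every LISTEN socket in tcp6 table text."""
    listeners = []
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                 # header line or a non-listening socket
        hex_addr, hex_port = fields[1].split(":")
        addr = decode_proc_addr(hex_addr)
        listeners.append((int(hex_port, 16), str(addr), classify(addr)))
    return listeners


def internet_exposed(listeners):
    """Keep only listeners a remote host could reach without a firewall in the way."""
    return [entry for entry in listeners if entry[2] in ("wildcard", "global")]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp6") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP6   # not on Linux: use the constructed sample
    for port, addr, scope in parse_listeners(table):
        print(f"port {port:5d}  bound to {addr:<24} scope={scope}")
    print("externally reachable:", internet_exposed(parse_listeners(table)))
```

Run it as root or not; /proc/net/tcp6 is world-readable. Anything in the "externally reachable" list is what a host firewall or CPE firewall has to be relied on to cover, which is the situation the thread is arguing about.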

