On Sunday, February 23, 2020 4:45:55 AM MST Tim via users wrote:
> On Sun, 2020-02-23 at 09:56 +0800, Ed Greshko wrote:
> > your IPv4 address is also a Public IP address the same way the IPv6
> > address is. Directly connected to the Internet with no NAT. Also,
> > your modem does not have an internal Firewall. Therefore, the
> > firewall on your system is vital.
>
> I'd say it's even *more* vital that if you run any services (SSH, mail,
> FTP, HTTP, DNS, etc), that you configure them securely, than rely on a
> firewall to protect them.
>
> e.g. If you ran a test webserver, but didn't intend to serve it to the
> WWW, then you'd configure the test webserver to only listen to internal
> addresses/interfaces. Likewise with any other server that you don't
> intend to be externally accessible.
>
> I've watched someone (albeit on Windows) get hacked 4 seconds after
> connecting to the internet, several times in a row. But the
> principle's the same, no matter what OS (flaws exist that you don't
> know about). And asshats are continually trying to get it.
>
> Dropping a firewall to test something is something that a lot of people
> will do, but isn't something you'd want to do if you couldn't trust all
> your services to protect themselves. And there's no safe time period
> that you can get away with momentarily dropping one.

The defaults for SSH are "good enough"; you can't reasonably expect every
user to only use ed25519, key exchange, limit ciphers, MACs and KexAlgorithms.

As for mail, FTP, DNS, web servers, these are not installed by default. If the
user installs them, the user will likely be able to figure out how to
configure them.

As for dropping the firewall, it's fine to drop the firewall temporarily if
you're on an airgapped network, or if you're on a trusted network that
enforces a firewall between you and a WAN and disallows unknown devices from
connecting.

--
John M. Harris, Jr.
Splentity
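
One way to check the point raised in the thread about services listening only on internal addresses, as an added example that is not part of the original messages: a Python script that parses `ss -H -tln` output and reports listeners bound to all interfaces or to a public address. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (not taken from the thread).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      511             [::]:80            [::]:*
LISTEN 0      100     192.168.1.10:8080       0.0.0.0:*
LISTEN 0      100                *:9090             *:*
"""


def split_local(field):
    """Split ss's 'addr:port' column into (host, port)."""
    host, port = field.rsplit(":", 1)
    return host.split("%", 1)[0].strip("[]"), int(port)  # drop %iface, brackets


def scope_of(host):
    """Classify a bind address by who can reach it."""
    if host == "*":
        return "all-interfaces"  # dual-stack wildcard
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:      # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local or addr.is_private:
        return "internal"
    return "public"


def audit(ss_output):
    """Return sorted (port, host) for listeners reachable from outside."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        if scope_of(host) in ("all-interfaces", "public"):
            findings.append((port, host))
    return sorted(findings)


if __name__ == "__main__":
    for port, host in audit(SAMPLE_SS_OUTPUT):
        print(f"port {port}: bound to {host} ({scope_of(host)})")
```

On a live system, pass the text captured from `ss -H -tln` to `audit()` in place of the sample; anything it reports depends on the firewall alone unless the service is rebound to a loopback or internal address.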