Rich Freeman via plug on 27 Jul 2021 16:19:02 -0700 |
Re: [PLUG] ufw doesn't block entrance from localhost |
On Tue, Jul 27, 2021 at 7:07 PM Michael Lazin via plug <plug@lists.phillylinux.org> wrote:
>
> It doesn't say anything about blocking ports on localhost. I wonder if others have thought of this/does this look like an actual threat vector, or is this just a natural function of the design of systemd with no dangerous consequences?

Nothing about systemd necessitates allowing ALL traffic from localhost through to localhost. You could just whitelist port 53 and whatever other services need broad access. You could even allow DNS only for services that require it.

I'd say that blocking traffic from localhost to localhost is not a typical default though. I think it would be most valuable in more of a server environment, but in that sort of environment you should probably be containerizing everything anyway and using veth so that nothing can even see other unrelated services on localhost.

Keep in mind that besides TCP/UDP access to local ports, services also commonly communicate through IPC sockets so be wary of those if you really don't want anything talking to anything else. Those sockets can potentially be accessible via the filesystem.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
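One way to turn the port-53 whitelist Rich describes into concrete ufw configuration, as an added example that is not part of the thread: ufw accepts all loopback traffic through a pair of rules in /etc/ufw/before.rules (`-A ufw-before-input -i lo -j ACCEPT` and `-A ufw-before-output -o lo -j ACCEPT`), and this POSIX shell helper emits replacement lines that only admit the listed TCP/UDP ports on lo, log everything else, and drop it. The chain names are ufw's standard ones; the log prefix and the helper names are my own choices.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits iptables-restore lines for
# /etc/ufw/before.rules that replace ufw's default "allow all on loopback" pair
# with a per-port whitelist. Assumes ufw's standard chain names.

# lo_rules PORT... : print rules admitting only the given TCP/UDP ports on lo.
lo_rules() {
    # Replies belonging to connections that were already accepted stay allowed.
    printf '%s\n' '-A ufw-before-input -i lo -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "lo_rules: bad port '$port'" >&2; return 1 ;;
        esac
        printf '%s\n' "-A ufw-before-input -i lo -p tcp --dport $port -j ACCEPT"
        printf '%s\n' "-A ufw-before-input -i lo -p udp --dport $port -j ACCEPT"
    done
    # Log, then drop, anything else arriving on loopback so blocked local
    # traffic shows up in the kernel log instead of failing silently.
    printf '%s\n' '-A ufw-before-input -i lo -j LOG --log-prefix "[UFW BLOCK LO] "'
    printf '%s\n' '-A ufw-before-input -i lo -j DROP'
    # Outbound on lo stays open; filtering happens on the input side only.
    printf '%s\n' '-A ufw-before-output -o lo -j ACCEPT'
}

# count_rules PORT... : number of rule lines generated (sanity check before pasting).
count_rules() { lo_rules "$@" | wc -l | tr -d ' '; }

# Example: DNS only.
lo_rules 53
```

Paste the output in place of the two loopback lines in before.rules and run `ufw reload`; anything a local service can no longer reach will then appear in the log with the `[UFW BLOCK LO]` prefix.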