Rich Freeman via plug on 27 Jul 2021 16:19:02 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] ufw doesn't block entrance from localhost

On Tue, Jul 27, 2021 at 7:07 PM Michael Lazin via plug
<> wrote:
> It doesn't say anything about blocking ports on localhost.  I wonder if others have thought of this/does this look like an actual threat vector, or is this just a natural function of the design of systemd with no dangerous consequences?

Nothing about systemd necessitates allowing ALL traffic from localhost
through to localhost.  You could just whitelist port 53 and whatever
other services need broad access.  You could even allow DNS only for
services that require it.

I'd say that blocking traffic from localhost to localhost is not a
typical default though.  I think it would be most valuable in more of
a server environment, but in that sort of environment you should
probably be containerizing everything anyway and using veth so that
nothing can even see other unrelated services on localhost.

Keep in mind that besides TCP/UDP access to local ports, services also
commonly communicate through IPC sockets so be wary of those if you
really don't want anything talking to anything else.  Those sockets
can potentially be accessible via the filesystem.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --