brent timothy saner via plug on 27 Jul 2021 16:28:10 -0700 |
Re: [PLUG] ufw doesn't block entrance from localhost |
On 7/27/21 7:18 PM, Rich Freeman via plug wrote:
> On Tue, Jul 27, 2021 at 7:07 PM Michael Lazin via plug
> <plug@lists.phillylinux.org> wrote:
>>
>> It doesn't say anything about blocking ports on localhost. I wonder if others have thought of this/does this look like an actual threat vector, or is this just a natural function of the design of systemd with no dangerous consequences?
>

This behaviour isn't systemd-specific. Most firewalls allow localhost <=> localhost by default.

> Nothing about systemd necessitates allowing ALL traffic from localhost
> through to localhost. You could just whitelist port 53 and whatever
> other services need broad access. You could even allow DNS only for
> services that require it.
>
> I'd say that blocking traffic from localhost to localhost is not a
> typical default though. I think it would be most valuable in more of
> a server environment, but in that sort of environment you should
> probably be containerizing everything anyway and using veth so that
> nothing can even see other unrelated services on localhost.
>
> Keep in mind that besides TCP/UDP access to local ports, services also
> commonly communicate through IPC sockets so be wary of those if you
> really don't want anything talking to anything else. Those sockets
> can potentially be accessible via the filesystem.
>

Abstract sockets don't even need to exist on the filesystem (and, unlike path-based IPC/UDS, you can't apply any permissions/ownership to them whatsoever; they're available to all local users).

https://utcc.utoronto.ca/~cks/space/blog/linux/SocketAbstractNamespace

Ultimately, worrying about localhost <=> localhost network traffic doesn't really make much sense because of ^ things like that.
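An added example (my own, not code from this thread or the PLUG list) that demonstrates the distinction drawn above: a path-based Unix socket has an inode whose owner and mode bits gate connect(), while a Linux abstract-namespace socket has no filesystem object at all, so there is nothing to chmod or chown and the kernel advertises its name to every local user. It assumes Linux, and the socket names are constructed for the demo.

```python
# Added example (not from the thread): a path-based Unix socket carries filesystem mode
# bits that gate connect(); a Linux abstract-namespace socket has no filesystem entry, so
# there is nothing to chmod/chown. Linux-only; socket names are constructed for the demo.
import os
import socket
import stat
import tempfile

ABSTRACT_NAME = b"\0plug-demo-abstract"  # leading NUL byte selects the abstract namespace

def _try_connect(addr):
    """Return True if a fresh client socket can connect() to addr."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        cli.connect(addr)
        return True
    except OSError:
        return False
    finally:
        cli.close()

def path_socket_demo(mode=0o600):
    """Bind a path-based socket, chmod it, return (mode bits observed, connectable)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "demo.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        srv.listen(1)
        os.chmod(path, mode)  # the inode's owner/mode bits decide who may connect()
        return stat.S_IMODE(os.stat(path).st_mode), _try_connect(path)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)

def abstract_socket_demo():
    """Bind an abstract socket, return (advertised in /proc/net/unix, connectable)."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(ABSTRACT_NAME)  # no inode is created: os.chmod()/os.chown() have nothing to act on
        srv.listen(1)
        # The kernel lists abstract names (prefixed '@') for every local user to read.
        with open("/proc/net/unix") as f:
            advertised = "@" + ABSTRACT_NAME[1:].decode() in f.read()
        return advertised, _try_connect(ABSTRACT_NAME)
    finally:
        srv.close()
```

A quick `ls -l` on the path-based socket shows the bits you can tighten; `ss -xl` or `/proc/net/unix` shows the abstract one with no file to restrict.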
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug