brent timothy saner via plug on 27 Jul 2021 16:28:10 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] ufw doesn't block entrance from localhost

On 7/27/21 7:18 PM, Rich Freeman via plug wrote:
> On Tue, Jul 27, 2021 at 7:07 PM Michael Lazin via plug
> <> wrote:
>> It doesn't say anything about blocking ports on localhost.  I wonder if others have thought of this/does this look like an actual threat vector, or is this just a natural function of the design of systemd with no dangerous consequences?

This behaviour isn't systemd-specific. Most firewalls allow localhost
<=> localhost by default.

> Nothing about systemd necessitates allowing ALL traffic from localhost
> through to localhost.  You could just whitelist port 53 and whatever
> other services need broad access.  You could even allow DNS only for
> services that require it.
> I'd say that blocking traffic from localhost to localhost is not a
> typical default though.  I think it would be most valuable in more of
> a server environment, but in that sort of environment you should
> probably be containerizing everything anyway and using veth so that
> nothing can even see other unrelated services on localhost.
> Keep in mind that besides TCP/UDP access to local ports, services also
> commonly communicate through IPC sockets so be wary of those if you
> really don't want anything talking to anything else.  Those sockets
> can potentially be accessible via the filesystem.

Abstract sockets don't even need to exist on the filesystem (and, unlike
path-based IPC/UDS, you can't apply any permissions/ownership to them
whatsoever; they're available to all local users).

Ultimately, worrying about localhost <=> localhost network traffic
doesn't really make much sense because of ^ things like that.
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --