Simplest eth0 between 2 PCs?

Discussion in 'Linux Networking' started by Unknown, Dec 30, 2013.

  1. Unknown

    Unknown Guest

    mc allows moving a dir-tree with 2 or 3 key-strokes.
    Our very different views are probably due to this being a networking
    group, and emphasising bulk delivery.
    OTOH my problems entail a dozen files, hopefully mostly in the same
    directory [of THAT project]. I don't want to remember names, when mc
    allows me to just *recognise* <yes, gimme that one>.

    Your pov is the delivery-van load of items.
    My pov is the clerk at his desk with 8 docos open, and 2 more just
    arrived. Once I've identified the doco, I don't want to remember its
    name. It's just <the small green one>.

    Names/verbalising are for communication between-people.
    mc/visualisation is easier and more efficient for self-communication.
     
    Unknown, Jan 1, 2014
    #21

  2. Unknown

    detha Guest

    Yes, sensible ones. Allow icmp, and allow ssh access to further configure
    the machine.

    -d
     
    detha, Jan 1, 2014
    #22

  3. Unknown

    detha Guest

    Don't know Mageia - from a quick look it seems to be one of the
    fluffy-fied distros that wants to be windows.

    'The odd firewall distro' referring to distributions that are primarily
    intended to be used as router/firewall, like Shorewall or Untangle.

    -d

     
    detha, Jan 1, 2014
    #23
  4. Unknown

    detha Guest

    That doesn't help in debugging routing problems - and as someone already
    said, once you are on the local segment there are tools like arping etc.,
    so it doesn't really add anything.

    Agreed that incoming icmp ping could at least be rate-limited at the
    perimeter firewall. But completely blocking all icmp breaks too much.

    Interesting tidbit: I encountered a firewall the other day that drops
    ICMP echo requests with an incorrect checksum in the ICMP header. Still
    have to investigate /why/ that incorrect checksum was there in the first
    place (something to do with upgrading to latest OpenBSD and NAT rules that
    don't exclude the case where the packet originates from local machine)

    -d
     
    detha, Jan 1, 2014
    #24
  5. Unknown

    Aragorn Guest

    Mageia is a Mandriva (formerly Mandrake) spin-off, and it is definitely
    not a Windows wannabe.

    Mandrake began its life as a RedHat clone with KDE added to it and with
    a more recent kernel, back in the days that KDE was still based upon
    non-free Qt libraries. Meanwhile - as of KDE 2.0 onward - KDE is based
    upon Qt libraries which satisfy the requirements of Free/Libre & Open
    Source Software, but RedHat continued to refuse to support KDE for a
    long time still after that and even engaged in KDE bashing campaigns.

    Since that time, Mandrake evolved and developed its own configuration
    and management tools, but it stayed true to what would later on become
    known as the Linux Standards Base. KDE has always been its preferred
    desktop environment, but GNOME and XFCE were also supported, as were all
    kinds of window managers, from twm and fvwm on to WindowMaker,
    AfterStep, BlackBox/FluxBox and even Enlightenment.

    Somewhere in the middle of the past decade, MandrakeSoft, which was a
    French-American distribution, merged with Conectiva, a South American
    distribution, and the merger became known as Mandriva. Mandriva as a
    corporation was heavily plagued by severe mismanagement, and over the
    years many developers were laid off. Eventually, at the end of the past
    decade, those developers had enough of the corporate mismanagement and
    decided to fork the distribution and release it as a community-developed
    distro only. There still is a great deal of similarity or even
    parallelism between Mandriva - which now aims more towards the corporate
    user and cloud services - and Mageia, but Mageia now survives on its own
    thanks to the community.

    Now, I personally don't like some decisions [*] made at Mageia with
    regard to the chosen upstream - which is still following RedHat - but
    referring to Mageia as a Windows-wannabe is doing it a great disservice.
    Also, it is one of the few distributions of which you will actually find
    developers and QA people in the distro-specific Usenet newsgroup - in
    casu, alt.os.linux.mageia.


    [*] The whole systemd/logind/journald thing, and especially the "/usr
    move", whereby /bin, /sbin and /lib become symbolic links to
    /usr/bin and /usr/lib respectively - /usr/sbin is also merged into
    /usr/bin - which makes it impossible to still boot the system
    without an initramfs - e.g. if you build your own kernel - when the
    population of /usr is not on the same filesystem as /.
     
    Aragorn, Jan 1, 2014
    #25
  6. Unknown

    Jorgen Grahn Guest

    But it seems to me that would just mean the bad guys switch to probing
    via TCP SYN instead, to the few ports they are interested in? Blocking
    ping seems useful if a small minority do it, not if every Windows box
    in the world does.
    Granted, such a machine would be harder to find, if you're picking a
    non-obvious non-standard port. On the other hand, OpenBSD's sshd is
    one of the few daemons I trust to be secure, so if that's all I intend
    to run I'm not inclined to try to hide it.

    /Jorgen
     
    Jorgen Grahn, Jan 1, 2014
    #26
  7. Unknown

    detha Guest

    There is one case where hiding sshd makes sense: if the internet link is
    usage-capped, with a low cap and relatively high speed. Brute-forcers can
    burn through that cap at a rapid pace.

    -d
     
    detha, Jan 1, 2014
    #27
  8. Unknown

    David Brown Guest

    That is correct, and the "value" of blocking ICMP decreases over time.
    It certainly used to be the case that dropping pings would greatly
    reduce your chances of being attacked, since scripts would ping first
    before checking other ports. I am confident that some scripts (or bad
    guys) will go straight to port 80, port 22, etc., and skip the ping.
    But I don't know of any statistics here - it would be interesting to get
    an idea of the numbers.
    Certainly hiding does not increase its security - if you've got bad
    passwords or other weaknesses in your daemons, hiding does not help.

    The hiding - whether it be with non-standard ports or with dropping
    pings - is about avoiding getting an attack, rather than about surviving
    an attack. It means less resource usage for you (such as wasted
    bandwidth), fewer log lines to wade through looking for /real/ problems,
    and a smaller chance of being unlucky or being hit by newly discovered
    vulnerabilities. You are simply encouraging the bad guys to move on to
    easier targets.

    It also gives you the possibility of setting up more sophisticated
    firewalls and intrusion detection - if you know that your ssh is not on
    port 22, and that anyone with a valid reason for ssh'ing into your
    system also knows that, then any IP address hitting port 22 can be
    immediately blacklisted. (Of course, that's going to annoy you the
    first time you forget to specify the port when ssh'ing yourself...)
    Similarly, you can detect various types of scans and use that for
    blacklisting.

    Of course, it is a bit of an arms race - the bad guys then have to make
    more sophisticated scans to avoid detection, and so on. But if you are
    ahead of the masses, the bad guys will go for easier targets.
     
    David Brown, Jan 1, 2014
    #28
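The port-22 tripwire and scan-based blacklisting described in post #28, sketched as an added example that is not part of the original thread. It assumes dropped inbound packets are logged in the kernel-log format of the iptables LOG target; the sample lines are constructed and abridged, the addresses come from documentation ranges, and `TRAP_PORT`, `SCAN_THRESHOLD` and `ALLOWLIST` are hypothetical settings. The allowlist covers the case the post mentions, where the admin forgets to specify the port.

```python
import re
from collections import defaultdict

TRAP_PORT = 22                 # assumption: the real sshd listens on another port
SCAN_THRESHOLD = 5             # assumption: distinct ports before a source counts as a scanner
ALLOWLIST = {"198.51.100.20"}  # assumption: the admin's own address, never blacklisted

# Constructed sample, abridged from the kernel-log format of the iptables LOG target.
_HDR = "Jan  1 12:00:01 gw kernel: IN=eth0 OUT= DST=192.0.2.10 "
SAMPLE_LOG = "\n".join(_HDR + rest for rest in [
    "SRC=203.0.113.7 PROTO=TCP SPT=40112 DPT=22 SYN URGP=0",
    "SRC=198.51.100.20 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0",  # admin forgot the port
    "SRC=203.0.113.9 PROTO=UDP SPT=5353 DPT=22 LEN=40",
    "SRC=198.51.100.77 PROTO=TCP SPT=44000 DPT=80 SYN URGP=0",
    "SRC=198.51.100.77 PROTO=TCP SPT=44000 DPT=80 ACK PSH URGP=0",
] + [f"SRC=203.0.113.50 PROTO=TCP SPT=60000 DPT={p} SYN URGP=0"
     for p in (21, 23, 80, 443, 3389)])

FIELD = re.compile(r"(\w+)=(\S*)")

def parse(line):
    """Return (src, dport) for a logged TCP SYN without ACK, else None."""
    fields = dict(FIELD.findall(line))
    tokens = line.split()
    if fields.get("PROTO") != "TCP" or "SYN" not in tokens or "ACK" in tokens:
        return None
    try:
        return fields["SRC"], int(fields["DPT"])
    except (KeyError, ValueError):
        return None  # malformed or truncated log line

def blacklist(log_text, allowlist=ALLOWLIST):
    """Map source IP -> reason for every source that tripped a rule."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        hit = parse(line)
        if hit and hit[0] not in allowlist:
            ports[hit[0]].add(hit[1])
    verdicts = {}
    for src, seen in ports.items():
        if TRAP_PORT in seen:
            verdicts[src] = "trap-port"   # one connection attempt to the trap is enough
        elif len(seen) >= SCAN_THRESHOLD:
            verdicts[src] = "port-scan"   # many distinct ports from a single source
    return verdicts

if __name__ == "__main__":
    for ip, reason in blacklist(SAMPLE_LOG).items():
        print(ip, reason)
```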
  9. Unknown

    Chris Davies Guest

    Debian with no "tasksel" options chosen results in a minimal working
    system. No firewall, but no listening services either. Perfect starting
    point for installation of server-centric applications and services (yes,
    including a firewall layer of my choice).

    Chris
     
    Chris Davies, Jan 1, 2014
    #29
  10. Unknown

    unruh Guest

    It is nice to live in a world in which your assumptions are always
    facts, isn't it.
     
    unruh, Jan 1, 2014
    #30
  11. Unknown

    Jorgen Grahn Guest

    No, just grumpy. Sorry.
    That's a much more sensible statement.

    My recent experience is limited to Debian, and it doesn't do this. It
    will configure networking, and then it's up to you if you want a
    firewall. (I use pure iptables myself, but I don't try to hide myself
    using it.)

    /Jorgen
     
    Jorgen Grahn, Jan 2, 2014
    #31
  12. No, he's saying the specialized distributions intended as firewalls would
    have just about everything turned off. That makes sense, if it's to put a
    firewall on a separate machine, you are heavy duty, and want everything
    blocked until you tell it otherwise.

    I don't have experience with other distributions, but it doesn't seem like
    the firewall is the default here.

    Michael
     
    Michael Black, Jan 14, 2014
    #32