On 2023-04-29 14:07, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-29 08:54, Per Jessen wrote:
Carlos E. R. wrote:
Ah, found where I got the trick for acrobat:
] Date: Sun, 17 Apr 2005 18:52:27 +0200
] From: nordi
] To: suse-security@
] Subject: Re: [suse-security] How to block Acroread 7 with SuSE FW2?
]
] In order to block that traffic you could make the acroread executable
] SGID 'acro' and then block all traffic coming from group 'acro'.
] Iptables has an option for doing this by using the --gid-owner option.
] Of course that works only with a local firewall.
Interesting. Well, thanks for the explanation, at least you can get rid of that now.
Yep. I had forgotten about it. Still, we can find out how it is translated to firewalld.
Might be good for a laugh, I suppose. No doubt a rich rule.
Of course - the question is _why_ you chose to be so restrictive with traffic between your _own_ machines. I too restrict certain (groups of) machines, e.g. unknown wifi devices, but I would never go to the level of restricting individual internal machines.
Oh, I said that before: because I did not trust Telefónica router.
It sounds much more like you didn't trust your own machines.
I trusted existing machines, but not guest machines. I don't have a separate LAN for them. Even a machine on my Guest Wifi gets given an IP in the same LAN as every other machine. No way to separate them with my existing hardware. The only thing the guest wifi has is a different ssid and password, so you do not have to give the main one. And that guest password can be cycled.
They considered NAT to be all that was needed.
Which it almost certainly was. Did you have any traffic penetrate that NAT-wall ?
Not that I know, but hackers and script kiddies have their list of vulnerabilities to penetrate Telefónica routers. Do you know that all Telefónica routers use the same user, ie "1234" and is hardcoded? And back then, not 1754 but 2010 or thereabouts, used the same password? They just have to bombard a router from outside and try all possible passwords with 8 letters/numbers. If it is under attack, some models do not log the attempts. The current incumbent logs nothing at all whatsoever. Maybe that's why they refuse using fixed IPv6.

--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)