is your firewall blocking all ipv6?
are you sure?
No, but some people are using the network layer as access control and don't understand IPv6 so they block it instead. 🤬🤦
There's some legitimate use for host-based firewalls, such as avoiding accidentally exposed services, determining which applications/services can use the network, and access control for services only able to listen on loopback instead of a Unix domain socket.
I even consider use of no-auth loopback as unacceptable "network layer as access control". It breaks all privilege separation on the host.
We consider it unacceptable which is why we disable listening on loopback for as many services as possible (MariaDB, PostgreSQL) and implement uid-based access control for stuff not supporting that via nftables as a workaround for software deficiencies.
MariaDB and PostgreSQL do have authentication but I'd rather not rely on their internal authentication configuration. It's much nicer only having a socket and being able to use POSIX permissions, ACLs, MAC, etc. as you can with any other files even if internal config is wrong.
One thing that really bothers me about a lot of those services is they like having an insecure-by-default configuration. MySQL/MariaDB has the authentication configuration INSIDE THE DATABASE. You need to have the database running / working in order to connect and configure it...