Conversation

is your firewall blocking all ipv6? are you sure?

108

Replying to

should it be? 🧐

Replying to

and

No, but some people are using the network layer as access control and don't understand IPv6 so they block it instead. 🤬🤦

Replying to

and

There's some legitimate for host-based firewalls such as avoiding accidental exposed services, determining which applications/services can use the network and access control for services only able to listen on loopback instead of a Unix domain socket.

github.com

infrastructure/nftables-matrix.conf at main · GrapheneOS/infrastructure

Shared server infrastructure. Contribute to GrapheneOS/infrastructure development by creating an account on GitHub.

Replying to

and

I even consider use of no-auth loopback as unacceptable "network layer as access control". It breaks all privilege separation on the host.

Replying to

and

We consider it unacceptable which is why we disable listening on loopback for as many services as possible (MariaDB, PostgreSQL) and implement uid-based access control for stuff not supporting that via nftables as a workaround for software deficiencies.

Replying to

MariaDB and PostgreSQL do have authentication but I'd rather not rely on their internal authentication configuration. It's much nicer only having a socket and being able to use POSIX permissions, ACLs, MAC, etc. as you can with any other files even if internal config is wrong.

Replying to

One thing that really bothers me about a lot of those services is they like having an insecure-by-default configuration. MySQL/MariaDB has the authentication configuration INSIDE THE DATABASE. You need to have the database running / working in order to connect and configure it...

Replying to

Also, MySQL/MariaDB listens on 0.0.0.0 by default. A lot of LAMP-type software tends to also do that and whoever connects to the website first gets to configure the password, etc. It's pretty horrible. If somehow the configuration was wiped it just lets anyone compromise it.

4:29 AM · Jul 31, 2022Twitter Web App

Replying to

The existence of this script which you're supposed to run immediately after installing and starting MySQL/MariaDB is sad: mariadb.com/kb/en/mysql_se To be fair, MariaDB at least has fixed this and it's no longer entirely insecure by default, just partially insecure by default.

mariadb.com

mysql_secure_installation

Improve the security of a MariaDB installation.

Replying to

New default is that it's exposed to the entire internet but there isn't a no password administration account, only a test database with unauthenticated usage permitted. It's massive attack surface but at least whole internet doesn't get db admin by default anymore... progress?

Show replies