Saw a reddit thread on the topic, curious what the HN crowd thinks. I find that too restrictive but I'm not working with secret repositories or production secrets on my machine.
Yep, everything that isn't used is closed, only 80 and 443 are the services you'd expect, port 22 is an endlessh tarpit, and the real ssh port is open on a very high unassigned port to make it less likely to be found unless completely port-scanned. This may be overkill, but it was fun to set up.
All other outbound TCP connections are logged and then get a tcp-reset. Outbound UDP is logged and just silently dropped. DNS is restricted to my router and all queries are logged. I have some port exceptions for specific destinations.
The advantage is that no other accounts including root can get chatty without my knowledge. i.e. telemetry of an OS gets added without my knowledge at least not leaking out of service accounts or root. I can also log when such things are added and notify the internet.
My account can still talk out so I have to firejail the browser and limit what directories, files and devices it can access. Those violations are also logged and I can tell the internet if the browser has been compromised. I can also log what applications are talking from my account beyond that of the browser. It is also easier to spot when something is talking and I did not request it to. watch+ss, iftop, etc... There are tools that get more granular such as OpenSnitch but I don't bother unless I start to see shenanigans. Firejail also removes network access for most applications that need not talk to the network and addresses most things that malware would try to access should it be able to run in the browser.
To stay off the janky sites I just mirror them with archive.org and archive.is so that others may take advantage of the de-fanged javascript snapshot.
All of that said this is not bullet-proof or idiot-proof but it's the maximum risk I accept for my browsing habits. I can always ratchet things down such as changing options in arkenfox custom user.js to further restrict browser capabilities. For now it's sufficient for my needs.
80, 443, (2082, 2083, 2086, 2087 - with a special port knock sequence, get that wrong failban adds your ip for a while (24hrs). passing the little knock test opens the real ssh port, for your ip only for a "Fixed" period of time.)
6 comments
[ 4.9 ms ] story [ 26.7 ms ] threadI'm keeping mine closed.
My account can still talk out so I have to firejail the browser and limit what directories, files and devices it can access. Those violations are also logged and I can tell the internet if the browser has been compromised. I can also log what applications are talking from my account beyond that of the browser. It is also easier to spot when something is talking and I did not request it to. watch+ss, iftop, etc... There are tools that get more granular such as OpenSnitch but I don't bother unless I start to see shenanigans. Firejail also removes network access for most applications that need not talk to the network and addresses most things that malware would try to access should it be able to run in the browser.
To stay off the janky sites I just mirror them with archive.org and archive.is so that others may take advantage of the de-fanged javascript snapshot.
All of that said this is not bullet-proof or idiot-proof but it's the maximum risk I accept for my browsing habits. I can always ratchet things down such as changing options in arkenfox custom user.js to further restrict browser capabilities. For now it's sufficient for my needs.