[vegardx]

I don't really think they get better connectivity. If you can establish a connection from the inside things works as intended for basically everything. Peer-to-peer is a little different.

Personally I find it a little scary that we allow applications to just open up inbound ports as they see fit. Would you, say, install MySQL locally and have it listen on such an address because it's so unlikely that anyone will ever find it anyway?

[ay]

If you install MySQL locally, you should not have it listen on any address other than the loopback by default.

And when you do expose it, if you care about security, you should configure the appropriate iptables along the way there and then, rather than relying on a magic box somewhere upstream filtering the packets.

This can be doubly useful if the box in question your laptop which you carry around in various, potentially hostile, environments.

[vegardx]

I was just using MySQL as a hypothetical example, as they listen on all interfaces by default with packages supplied by Oracle. Next time you're on a tech conference, do a scan on the local network.

My point was that by his standard he would just let it listen on all interfaces because in his own word, nobody would find it. Which sounds very naive.

[ay]

Okay then I think we were in violent agreement.

I was arguing the whole "listen on all interfaces by default" is wrong - if one needs to expose the app, they should do so explicitly, and you did the same.