I'm SO mad about computers sending ICMP Unreachable messages about closed UDP ports.
DON'T JUST GIVE AWAY WHAT PORTS YOU ARE USING
StackOverflow posts like "How do I turn this off" with answers like "Stop wanting to turn it off" EAT 100% OF MY ENTIRE ASS
I just want to run a service that can't be tagged on Shodan without having CAP_NET_RAW T_T
Please
@jennamagius maybe add a firewall rule blocking outbound ICMP Unreachable?
@queerhackerwitch That's what the StackOverflow advice is, and that's pretty much the best answer. It doesn't really make it possible to run a hidden service without privileges though, 'cause you need privileges to make the firewall rule.
@queerhackerwitch The reason I want to operate without privileges is not because I can't get them; I'm developing some security-paranoid software, and rule 1 of security paranoia is "try not to have privileges. The more privileges you have, the worse it is when you get pwned."
@jennamagius In this case though it’s not the software that needs privileges, it’s the admin during setup
@queerhackerwitch That's true, but I'm disappointed to have written a program that can do 99.9% of it's work with user privs, but isn't directly usable when you only have user privs.
@jennamagius That’s because those privileges have to keep the security of the rest of the system in mind. Those privileges aren’t normally available to users because they can be abused. This is why many services usually start as root and then drop their privileges after they’ve used them to set up what they need.
@queerhackerwitch I assure you I understand this, I'm not... new to computing. My argument is that "services should be visible to any unauthenticated anyone who looks for them, from anywhere" is an unreasonable default.
@queerhackerwitch Sure, I certainly understand that hidden services are more difficult to use than visible services, but I think running visible services should be an option for environments with enfranchised users and high security needs. I think the "visible services are more ergonomic" has translated excessively into "hidden services should not be possible" with respect to how our kernel infrastructure has developed.
@queerhackerwitch s/running visible services should be an option/running hidden services should be an option/
@queerhackerwitch It kinda seems to me like "We've got some great infrastructure in place for running discoverable, ergonomic services. It's called TCP. It runs great services you know and love, like HTTPS. People connect to HTTPS services on servers they don't know much about all the time." I don't feel like UDP needs to _be_ the same thing TCP is.
@jennamagius Sorry, I’m not making an assumption that you don’t understand, I’m just trying to get across another perspective on why others would consider this desired behavior. I spend most of my time working with network security so I’m forced to see both sides of the coin.