<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap:break-word">
<div id="bloop_sign_1486241058526232064" class="bloop_sign">On February 4, 2017 at 13:08:58, Vince Herried (<a href="mailto:vherried@gmail.com">vherried@gmail.com</a>) wrote:</div>
<div><blockquote type="cite" class="clean_bq" style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span><div><div dir="ltr">Is this a mistake opening up all the ports on all my LAN?</div></div></span></blockquote></div>
<p>That sort of depends. There's obviously a valid school of thought that says to lock down your network, including the LAN, and only allow the traffic that is necessary. I think that, for the most part, makes the most sense in a datacenter or other commercial space, like if you're running a "public" wifi network.</p>
<p>In a datacenter, you want to isolate different functions (HR, customer-facing EC site), different tiers (web, database), and different applications from each other. It significantly reduces the risk of a compromise in one area spreading easily to another.</p>
<p>At home, put a solid firewall like pfSense on the edge and you should be fine. There are a few who might say that I'm completely naive, or that I just hate Microsoft because they're so awesome, or that I'm stupid -- but if you're running a bunch of Windows systems in your house, I might lean more toward the possibility of a LAN firewall. With macOS and Linux systems, I'm not as worried about it. They are not perfect, but they are inherently more secure by design than Windows.</p>
<p>When I run Windows VMs on my Macs, I turn off as much of the shared desktop crap in VMware/Parallels as I can get away with, including all the file sharing. I don't trust Windows enough to allow it access to my host files. I also don't leave Windows VMs running.</p>
<p>To get back to your question: if people on my LAN are running Windows systems, I'm going to think much harder about ensuring that the other systems on my network have firewalls enabled. Sometimes I'm playing around with mysql or redis, or am developing a webapp that I haven't secured yet, or running other things that listen for traffic on the LAN. There's just too much drive-by garbage that can happen on a Windows system without the user even knowing, which makes me wary of risking it.</p>
<p>Sidenote: I've also used host-based firewall rules to stop stuff like RubyMine from broadcasting onto the LAN that it's running. If I happen to have RM open on another host, it complains that I'm breaking the license and that I must shut the application down.</p>
</body></html>
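The reply above talks about dev services (mysql, redis, an unfinished webapp) that listen on the LAN and about using host-based firewall rules to keep them off it. The script below is an added example, not code from the mail or its author: it takes a listener table in the format of `ss -ltn` on Linux (the macOS analog is `lsof -nP -iTCP -sTCP:LISTEN`), reports the sockets bound to a wildcard address (0.0.0.0, *, [::]) rather than loopback, and turns them into a pf.conf fragment that blocks those ports on the LAN interface. The sample listener table, the interface name `en0`, and the allowlist of intentionally reachable ports are all constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original mail): find services that listen on all
# interfaces and emit host-firewall (pf) rules that keep them off the LAN.
#
# Assumptions: input is in the column layout of `ss -ltn`; the interface name
# en0 and the listener table below are constructed for illustration.

# Constructed sample of `ss -ltn` output: mysql and redis are bound to all
# interfaces, postgres and a dev webapp are bound to loopback only, sshd is
# bound to all interfaces on purpose.
SAMPLE_LISTENERS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       70      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       511     *:6379               *:*
LISTEN  0       128     [::1]:3000           [::]:*
LISTEN  0       128     [::]:22              [::]:*'

# Print "addr port" for every LISTEN socket whose local address is a wildcard
# (0.0.0.0, *, [::]) and is therefore reachable from the LAN, one per line.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            # split "host:port" on the last colon; IPv6 hosts contain colons
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "*" || host == "[::]")
                print host, port
        }'
}

# Emit a pf.conf fragment that blocks inbound TCP on en0 to every exposed port
# not listed in the space-separated allowlist ($2). Loopback traffic on lo0 is
# untouched, so the services stay usable from the host itself.
pf_rules_for_exposed() {
    ports=$(exposed_listeners "$1" | awk -v allow=" $2 " '
        index(allow, " " $2 " ") == 0 { print $2 }' |
        sort -n | tr '\n' ',' | sed 's/,$//; s/,/, /g')
    [ -n "$ports" ] || return 0
    cat <<EOF
# services bound to all interfaces that should not be reachable from the LAN
block in quick on en0 proto tcp from any to any port { $ports }
EOF
}

# Stand-alone usage: list what is exposed, then the suggested rules, treating
# sshd on 22 as intentionally reachable.
exposed_listeners "$SAMPLE_LISTENERS"
pf_rules_for_exposed "$SAMPLE_LISTENERS" "22"
```

On a real host, feed the script the live `ss -ltn` output instead of the sample and review the generated fragment before loading it with pfctl; on Linux the same port list would go into an nftables or iptables rule instead of pf syntax.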