Is it recommended to drop all traffic by default in iptables and then accept only what is required?

I was told using iptables -P OUTPUT DROP and then rules such as iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT to accept what is required didn’t do much from a security standpoint. Is that true?

This is what I have been using for some time (planning on implementing some SSH brute force rules shortly):

apt update
apt install -y iptables-persistent
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables-save > /etc/iptables/rules.v4
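The same default-drop policy, as an added example that is not the asker's script, written in iptables-restore format so the policies and rules are loaded atomically (no window where only part of the ruleset is active), with the SSH brute-force limit the asker mentions done via the recent match and a LOG rule so dropped egress is visible in syslog. Assumed: SSH on port 22 and egress limited to DNS, HTTP and HTTPS, as in the original script.

```shell
# Added example: emit a complete ruleset for iptables-restore instead of running
# one iptables command at a time. Chain policies are stated up front, so the
# whole table is swapped in one go.
gen_rules() {
    # "recent" remembers source IPs: a 4th NEW SSH connection from the same
    # address within 60 s is dropped, everything else on 22 is accepted.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -j LOG --log-prefix "egress-drop: " --log-level 4
COMMIT
EOF
}

# Sanity check that never touches the kernel: both policies are DROP and the
# table is terminated by exactly one COMMIT.
check_rules() {
    rules=$(gen_rules)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' &&
    printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP' &&
    [ "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" -eq 1 ]
}

# To apply (as root): gen_rules | iptables-restore --test   # syntax check only
#                     gen_rules | iptables-restore && iptables-save > /etc/iptables/rules.v4
```

Watching `egress-drop:` lines in the log for a day is the quickest way to find out which outbound traffic the OUTPUT DROP policy actually blocks before deciding whether to keep it.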

Undecidability of the language of PDAs that accept some ww

I’m trying to solve problem 5.33 from Sipser’s Introduction to the Theory of Computation,

"Consider the problem of determining whether a PDA accepts some string of the form $\{ww \mid w\in \{0,1\}^*\}$. Use the computation history method to show that this problem is undecidable."

I have an attempt at a solution but somehow I just feel kind of foggy on whether it’s correct and would appreciate anyone finding flaws in the solution.


For reference, I’m trying to mimic or adapt the solution given earlier in the chapter to

$$ALL_{CFG}=\{\langle G\rangle \mid G \text{ is a CFG and } L(G)=\Sigma^*\}$$

Theorem: $ALL_{CFG}$ is undecidable.

The proof given there reduces from $A_{TM}$, the decision problem of checking whether a TM called $M$ accepts a string called $w$. It does so by, for any fixed $M,w$, constructing a CFG $G$ which produces all possible strings if and only if $M$ accepts $w$. In particular $G$ is the CFG which generates all the strings that are NOT accepting histories for $M$ on $w$.

It then proceeds to show how to build such a $G$. For the purposes of the problem I’m asking about, I can just accept that this is possible.


Also for reference, there is this answer to a similar question on here: https://cs.stackexchange.com/q/6629

I particularly want to follow the textbook’s guidance in order to practice this method of using a computation history, so I’m ignoring the first answer to the problem. However, I don’t understand the answer given for computation histories. The CFG that he gives (or equivalent PDA) doesn’t seem to generate strings with at least one $v!v$ if and only if $M$ accepts $w$. Supposing $M$ accepts $w$, I don’t see a reason why $C_0\#\ldots\#m(C_{2n})\#C_f = C_1'\#\ldots\#m(C_n')$.


My solution is, like in the book’s solution for $ALL_{CFG}$, to try to use $M$ and $w$ to build a CFG such that $M$ accepts $w$ if and only if $G$ generates some string of the form $vv$. In particular $G$ is the grammar defined by the PDA $D$ which on input $x$ checks the first half to see if it’s an accepting history of $M$ for $w$, and then checks the second half to see if it equals the first half. I believe each of these are things any PDA can do, and once built, $G$ will have the properties promised earlier. Am I making any mistake here?

How to prove the language of all Turing Machines that accept an undecidable language is undecidable?

I want to prove that $L=\{\langle M \rangle \mid L(M)\text{ is undecidable}\}$ is undecidable.

I am not sure about this. This is my try:

Suppose $L$ is decidable. Let $E$ be the decider for $L$. Let $A$ be a TM which recognizes $A_{TM}$. Let $S$ be a TM which works on input $\langle M,w \rangle$ in the following way:

  1. Construct a TM $N$ which works on input $x$ as follows: Run $M$ on $w$. If $M$ accepts, run $A$ on $x$ and accept $x$ if $A$ accepts. (In this case $L(N)=A_{TM}$.) If $M$ rejects $w$, accept $x$. (In this case $L(N)=\Sigma^*$.)
  2. Run $E$ on $N$ and accept if N accepts. Otherwise reject.

I am not sure if my reduction is the right way or not. Maybe someone can help to finish the reduction 🙂

Does sorting accept a dynamic programming solution?

Are there any known / efficient dynamic programming solutions to sorting?

I understand of course that dynamic programming applies to scenarios where we have overlapping subproblems and optimal substructure, but I wonder if there are transformations and representations of the sorting problem where these conditions are met, and even better, where doing so may actually be useful.

Changing the default forward policy to accept (VPN/NAT)

I came across something that seems counter-intuitive while reading a tutorial associated with a very popular hosting provider showing people how to install their own Debian-based OpenVPN server. Specifically the default forward policy is changed from “DROP” to “ACCEPT” in order to allow traffic to be routed correctly. There seem to be no additional rules anywhere that would in any way restrict routing beyond this default policy.

If I understand correctly this could allow someone to use the machine as a gateway into the VPN, potentially allowing unsolicited traffic through. The logic here is that without any rules preventing packet forwarding the OS will simply forward any traffic not destined for itself. For example someone could make a static route for the external IP assuming a network of 10.8.0.0/24. Normally NAT would act as a firewall but in this case I can only assume it would, at best, rewrite the IP of response packets.

This is the tutorial for reference: How To Set Up an OpenVPN Server on Debian 9

I just want to know are my concerns justified or is there something that I’m missing?
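Added example, not code from the tutorial or the question: the tutorial's permissive forward policy beside a restricted one that only forwards VPN-client traffic out and the replies back, plus a check for whether a ruleset would forward unsolicited inbound packets toward the VPN subnet. Assumed names: the 10.8.0.0/24 subnet from the question on tun0, public interface eth0.

```shell
# Added example (assumed interface and subnet names, not from the tutorial).
VPN_NET=10.8.0.0/24; VPN_IF=tun0; WAN_IF=eth0

# As in the tutorial: FORWARD policy ACCEPT and no forward rules, so anything
# the kernel can route between eth0 and tun0 is forwarded in both directions.
permissive_forward() {
    cat <<EOF
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF
}

# Restricted: policy DROP; VPN clients may go out, and only packets that belong
# to a flow they started may come back in. NAT for the VPN subnet is unchanged.
restricted_forward() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $VPN_IF -d $VPN_NET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "fwd-drop: " --log-level 4
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Succeeds (exit 0) when the ruleset named in $1 would forward an unsolicited
# packet arriving on eth0 towards the VPN subnet: either the chain policy is
# ACCEPT, or some eth0->tun0 ACCEPT rule does not require an established flow.
allows_unsolicited_inbound() {
    rules=$("$1")
    printf '%s\n' "$rules" | grep -q '^:FORWARD ACCEPT' && return 0
    printf '%s\n' "$rules" | grep -- "-i $WAN_IF -o $VPN_IF.*-j ACCEPT" | grep -qv ESTABLISHED
}
```

Load the restricted set with `restricted_forward | iptables-restore` after checking it with `iptables-restore --test`; the `fwd-drop:` log lines then show exactly which forwarding attempts the policy stopped.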

Paladin was charmed and convinced the rest of the party to accept a quest from an evil character

So it’s my first time DMing, and I’m running a group of 7 first time players through Lost Mines of Phandelver (Sort of scaled it so it’s still difficult). I’ve gotten them to the point where they run into the Redbrand leader, the mage Glasstaff. He attempted to talk to them but our fighter shot him in the foot, so he teleported behind them and while they fought the nothic he snuck up and charmed our Paladin, the verbal part of the spell was a plea that he was just trying to defend himself and that he only wants to talk. So, while charmed, the Paladin used his turn to convince the rest of the party with a sort of persuasion check that maybe Glasstaff was right, they had been the instigators in every situation with the Redbrands so maybe they were in the wrong. After all, the only information they were going on was from Sildar Hallwinter, and they were always suspicious of him. They should at least hear Glasstaff out.

So after they’ve all stopped fighting, they heal and start talking to Glasstaff. I had been roleplaying him pretty smarmy, calling them guests and acting like he’s really happy they’re here. He said it’s unfortunate that all of his men were killed, but they only did it because they had been deceived by Gundren Rockseeker and the leaders of Phandalin. He lied and said they had been ambushing caravans along the road meant for Neverwinter, where the whole party is from, and they were low class bandits disguised as a quaint town. The Wave Echo Cave thing was just a ploy to get more greedy adventurers to come to the area so they could rob them. All lies, but the party believed him.

I just wanted to give you some background to why they would accept this quest: Glasstaff wants them to purge the town of corruption by assassinating the leaders of Phandalin, namely the townmaster Harbin Wester (who was rude to them) and Toblen Stonehill (who refused to give them a room because of how many there were), and they’ll get three times the amount Gundren was promising to pay. They took a long rest and Glasstaff made them eggs for breakfast (he’s very cunning, they love eggs), so the Paladin is no longer charmed.

So my question is: how do I help the paladin properly roleplay this, and if he goes through with it what does that mean for his Oath? He took the Oath of the Ancients, if that means anything. He isn’t very charismatic, so the morally grey party may not be too quick to accept his second change of mind even with persuasion, he got seriously lucky on the first throw. I’m getting more comfortable with doing things on the fly so I don’t care about railroading, like getting them back to finding out who the Spider is.

Why no DPDA can accept Palindrome? (according to this proof)

This proof is from the book “Introduction to Languages and the Theory of Computation” by John C. Martin.

My question is about the pink part on the second page:

It follows in particular that no sequence of moves can cause M to empty its stack.

Further, it talks about $y_x$; that is my second question. I can’t understand what $y_x$ is.

I’d appreciate it if someone could describe the whole proof to me.

[Image: First page of the proof] [Image: Second page of the proof]

How to accept only user identity keys of type ed25519 on OpenSSH Linux server?

I want to force all users to use only ed25519 type keys when logging in via SSH / SFTP to a Linux server which is running a recent version* of OpenSSH.

The reasons include:

In many cases, SSH keys have been completely overlooked in identity and access management planning, implementation, and audits. Users have been able to create and install keys without oversight and controls. This has led to violations of corporate access policies and dangerous backdoors.

Information security starts from controlling who is given access to systems and data. If there is no control over access, there is no security, no confidentiality, no integrity, and no guarantees of continued operation.

Source: https://www.ssh.com/iam/ssh-key-management/

However, I do not wish to remove the ability for a user to manage their own SSH keys (including adding, removing, changing the keys). My only objective is to mandate that the key used is of type ed25519.

How can this be accomplished while maintaining the above user privileges and while maintaining this setting?

AuthorizedKeysFile .ssh/authorized_keys

The main (non-default) sshd_config settings I’m using on this server include:

The only host key enabled:

HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AuthorizedKeysFile .ssh/authorized_keys
KexAlgorithms curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com
Ciphers chacha20-poly1305@openssh.com
AllowUsers user@host ...

However, with those settings a user can still select an older user identity key type and use it to log in. My only objective now is to stop a user from getting access except via an ed25519 user identity key. How?

*Actually running: OpenSSH_8.1p1, OpenSSL 1.1.1d
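One way to do this, as an added example that is not from the question or the OpenSSH project: the sshd_config directive that limits user-key authentication to ed25519 (PubkeyAcceptedKeyTypes, which OpenSSH 8.5 later renamed to PubkeyAcceptedAlgorithms), together with an audit function that lists the existing authorized_keys entries the change would lock out. The sample authorized_keys content is constructed, with placeholder key blobs rather than real key material.

```shell
# Added example. Users keep managing ~/.ssh/authorized_keys themselves;
# sshd simply refuses to authenticate with any other key type.
ed25519_only_fragment() {
    cat <<'EOF'
PubkeyAcceptedKeyTypes ssh-ed25519
HostKey /etc/ssh/ssh_host_ed25519_key
PasswordAuthentication no
EOF
}
# Verify after a reload with: sshd -t && sshd -T | grep -i pubkeyacceptedkeytypes

# Read authorized_keys lines on stdin and print "<type> <comment>" for every
# entry whose key type is not ssh-ed25519. Handles blank lines, comments and a
# leading options field such as from="...",no-pty.
non_ed25519_keys() {
    set -f                         # no pathname expansion on key material
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        # skip the options field: the key type is the first ssh-/sk-/ecdsa- word
        while [ $# -gt 0 ]; do
            case "$1" in ssh-*|sk-*|ecdsa-*) break ;; esac
            shift
        done
        [ $# -ge 2 ] || continue
        case "$1" in
            ssh-ed25519) ;;
            *) printf '%s %s\n' "$1" "${3:-?}" ;;
        esac
    done
}

# Constructed sample authorized_keys content (placeholder blobs, not real keys).
SAMPLE_AUTHORIZED_KEYS='# constructed sample, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER bob@old-desktop
from="10.0.0.0/8",no-pty ecdsa-sha2-nistp256 AAAAE2VjZHNhPLACEHOLDER deploy@ci

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 carol@workstation'
```

Running `cat /home/*/.ssh/authorized_keys | non_ed25519_keys` before enabling the directive tells you which users need a new key first, rather than finding out from their lockout tickets.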