Whilst discussing an issue with the reject-www-data firewall rule on GitHub, I was wondering if this rule is useful.
There are strong arguments both for and against its usage. I’m wondering now if it should be installed by default on new installations.
The original intention was to prevent the web server from executing code that downloads malicious software onto the machine for further compromise. Imagine a plugin in your CMS which allows such things to happen – this rule would block that straightforward case, forcing the attacker to work out a privilege escalation exploit instead, which is substantially harder.
However, this naive rule also blocks plugin installations, automatic updates, sites fetching RSS news feeds, etc.
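As an added example (not the rule from the project under discussion), here is the naive form beside a narrower one that keeps the reject as the default but allows loopback, DNS and HTTP(S) to a named set of update/feed hosts, and logs whatever is still refused. It assumes the web server runs as www-data, that iptables with the owner and conntrack matches is available, and the host names are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post: egress policy for the web
# server user. Prints the iptables commands; runs them only with --apply.
# Assumptions: the web server runs as www-data, iptables offers the owner and
# conntrack matches, and the hosts below are constructed sample values.
WEB_USER="${WEB_USER:-www-data}"
ALLOWED_HOSTS="${ALLOWED_HOSTS:-updates.example.net feeds.example.org}"

# The naive rule under discussion: every new outbound connection opened by
# www-data is refused. Plugin installs, auto-updates and feed fetches break
# along with the malware download it is meant to stop. Matching only NEW
# connections keeps replies to inbound HTTP requests working.
naive_rules() {
    echo "iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $WEB_USER -j REJECT"
}

# A narrower form: same default reject, but loopback (local database), DNS and
# HTTP(S) to the named update/feed hosts are allowed, and anything still
# refused is logged so an unexpected download attempt shows up in syslog.
refined_rules() {
    echo "iptables -N WWW_EGRESS"
    echo "iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $WEB_USER -j WWW_EGRESS"
    echo "iptables -A WWW_EGRESS -o lo -j ACCEPT"
    echo "iptables -A WWW_EGRESS -p udp --dport 53 -j ACCEPT"
    echo "iptables -A WWW_EGRESS -p tcp --dport 53 -j ACCEPT"
    for host in $ALLOWED_HOSTS; do
        # iptables resolves a hostname once, when the rule is inserted; re-run
        # after a DNS change, or point this at a local update proxy instead.
        echo "iptables -A WWW_EGRESS -p tcp -d $host -m multiport --dports 80,443 -j ACCEPT"
    done
    echo "iptables -A WWW_EGRESS -m limit --limit 5/min -j LOG --log-prefix 'www-data egress: ' --log-level 4"
    echo "iptables -A WWW_EGRESS -j REJECT"
}

case "${1:-}" in
    --apply) refined_rules | sh ;;
    *) refined_rules ;;
esac
```

Allowing DNS still leaves a channel out of the box, so the logged rejects are the detection signal to watch, not a guarantee that nothing can be fetched.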
What do you think?