Security can be anything. Currently issues are spread over the forum?

> You're asking that the IEFT "add" or "insert" an additional layer to the OSI layer.

For starters, it's IETF - Internet Engineering Task Force.
> Of course you could keep the current spread, but tag it with "security" so there is an alternative way of searching.

You're on point. That is a good practice. If you are already doing so, please keep it up.

> Security is applicable at every level.

Security is, with a fancy word, "transversal", just like "quality". But most importantly, it begins at ground level.

> For example, X.org is quite insecure (plenty of tutorials on the Internet about how to attack port 6000, the default IP port for XDM, the login screen, to listen on).

I saw somebody had connected to TCP port 6000 on my Win98 box using X-windows and pulled the modem cord from the wall beside me. I never forgot that... It's the hard lessons I remember best.
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"
### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

jitte@bakemono:~ $ sockstat -46 | grep -v 127.0.0.1 | grep -v ::1
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
jitte    firefox    53240 112 tcp4  192.168.1.24:49053    44.241.185.165:443
jitte    firefox    44150 36 tcp4   192.168.1.24:65357    34.107.221.82:80
jitte    firefox    44150 41 tcp4   192.168.1.24:34581    54.192.121.30:443
jitte    firefox    44150 62 tcp4   192.168.1.24:64256    34.107.221.82:80
jitte    firefox    43244 112 tcp4  192.168.1.24:49053    44.241.185.165:443
avahi    avahi-daem 83474 14 udp4   *:5353                *:*
avahi    avahi-daem 83474 15 udp6   *:5353                *:*
avahi    avahi-daem 83474 16 udp4   *:29159               *:*
avahi    avahi-daem 83474 17 udp6   *:27469               *:*
ntpd     ntpd       71059 20 udp6   *:123                 *:*
ntpd     ntpd       71059 21 udp4   *:123                 *:*
ntpd     ntpd       71059 22 udp4   192.168.1.24:123      *:*
jitte@bakemono:~ $
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"
### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble
### Default deny everything
block log all
### Pass loopback
set skip on lo0
### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
### Block all IPv6
block in quick inet6 all
block out quick inet6 all
### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp
### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

root@bakemono:/ # pfctl -s all
FILTER RULES:
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.24 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state
STATES:
all tcp 192.168.1.24:49053 -> 44.241.185.165:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.24:14650 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT
all tcp 192.168.1.24:15428 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT
INFO:
Status: Enabled for 25 days 02:12:52          Debug: Urgent
State Table                          Total             Rate
  current entries                        3              
  searches                        31827026           14.7/s
  inserts                            70758            0.0/s
  removals                           70755            0.0/s
Counters
  match                             156186            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s
LIMITS:
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
OS FINGERPRINTS:
762 fingerprints loaded
root@bakemono:/ #
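A check that goes with the ruleset and the sockstat listing above, as an added example (my code, not anything posted in the thread): parse the port macros out of a pf.conf, parse `sockstat -46` output, and report for every listening socket whether an explicit `block in ... port $macro` rule names its port, whether only the default `block log all` covers it, or whether nothing blocks it at all. The embedded pf.conf and sockstat text are constructed from the post above and trimmed to the lines the check needs; the macro and rule patterns recognised are an assumption of this example (only the `name = "{ a, b }"` macro form and the default sockstat columns), not pf's full grammar.

```python
"""Cross-check listening sockets against the port macros in a pf.conf.

Added example, not code from the thread.  The two inputs are constructed
from the sockstat(1) output and the pf.conf posted above; the parsing is
deliberately narrow (only 'name = "{ ... }"' macros and the default
sockstat -46 columns) and is an assumption of this example, not pf's grammar.
"""
import re

# Constructed from the posted pf.conf: the macros plus the rules that use them.
PF_CONF = """\
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"
block log all
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp
"""

# Constructed from the posted 'sockstat -46' listing (a few representative rows).
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
jitte    firefox    53240 112 tcp4  192.168.1.24:49053    44.241.185.165:443
avahi    avahi-daem 83474 14 udp4   *:5353                *:*
avahi    avahi-daem 83474 15 udp6   *:5353                *:*
avahi    avahi-daem 83474 16 udp4   *:29159               *:*
ntpd     ntpd       71059 21 udp4   *:123                 *:*
ntpd     ntpd       71059 22 udp4   192.168.1.24:123      *:*
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"\{([^}]*)\}"', re.M)
RULE_RE = re.compile(r'^block\s+in\b.*\bproto\s+(tcp|udp)\b.*\bport\s+\$(\w+)', re.M)
DEFAULT_DENY_RE = re.compile(r'^block\s+(?:drop\s+)?(?:log\s+)?all\s*$', re.M)


def parse_port_macros(conf):
    """Return {macro_name: set_of_ports} for macros written as name = "{ a, b }"."""
    macros = {}
    for name, body in MACRO_RE.findall(conf):
        macros[name] = {int(p) for p in body.replace(",", " ").split()}
    return macros


def blocked_ports(conf):
    """Map 'tcp'/'udp' -> ports named by an explicit 'block in ... proto X ... port $macro' rule."""
    macros = parse_port_macros(conf)
    blocked = {"tcp": set(), "udp": set()}
    for proto, macro in RULE_RE.findall(conf):
        blocked[proto] |= macros.get(macro, set())
    return blocked


def listeners(sockstat):
    """Return [(proto, port, command)] for sockets whose foreign address is *:* (i.e. listening)."""
    found = []
    for line in sockstat.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 7 or cols[6] != "*:*":
            continue                                # connected socket, not a listener
        proto = cols[4][:3]                         # tcp4/udp6 -> tcp/udp
        port = int(cols[5].rsplit(":", 1)[1])       # '*:5353' or '192.168.1.24:123'
        found.append((proto, port, cols[1]))
    return found


def classify(conf, sockstat):
    """Return {(proto, port, command): 'explicit' | 'default-deny-only' | 'exposed'}.

    'explicit'          an inbound block rule names the port;
    'default-deny-only' only a catch-all 'block ... all' covers it;
    'exposed'           no block rule at all matches it.
    """
    blocked = blocked_ports(conf)
    has_default_deny = DEFAULT_DENY_RE.search(conf) is not None
    result = {}
    for proto, port, cmd in listeners(sockstat):
        if port in blocked.get(proto, set()):
            result[(proto, port, cmd)] = "explicit"
        elif has_default_deny:
            result[(proto, port, cmd)] = "default-deny-only"
        else:
            result[(proto, port, cmd)] = "exposed"
    return result


if __name__ == "__main__":
    for (proto, port, cmd), verdict in sorted(classify(PF_CONF, SOCKSTAT).items()):
        print(f"{proto}/{port:<6} {cmd:<12} {verdict}")
```

Run it and the two avahi listeners on ephemeral UDP ports come back as default-deny-only: nothing in `$netbios_udp` names them, and they stay closed only because the ruleset has `block log all` and no `pass in` rule. As written, the per-port `block in quick log` lines therefore do not change what is reachable; they only add `quick` termination and a log entry for those ports. Drop the catch-all and the same script flags those ports as exposed, which is the case the check is meant to catch.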
> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }
> block drop in quick on em0 inet from any to 255.255.255.255

> Avahi is normally a layer 2 protocol. It will pass a hub but not a router. Totally unroutable over the internet.

There's AirPrint, Bonjour, and IPP (Port 9100) - Avahi is mDNSresponder. And, Avahi is not layer 2, it's Layer 4.

I have no avahi process running, yet my IP printer was auto-detected. Weird.

> For example, X.org is quite insecure (plenty of tutorials on the Internet about how to attack port 6000, the default IP port for XDM, the login screen, to listen on).

Compared to VNC vulns, it is actually quite secure these days. Possibly due to its age and also some of the less tested, fragmented VNC implementations written by smaller projects rather than a central authority. Amusingly, I believe Gnome's Vino has had more security issues found in 2019 than Xorg has for the last 10 years.

> Security can be anything. Currently issues are spread over the forum?

1. If there's an actual security problem, there are specific security channels that don't have chitchat on them to get people the information they need without potentially uninformed commentary.

> To riff off Sevendogsbsd a bit, with security, if you think you know it all, you just missed the hacking of your system.

Heh.

> For example, XDM listens on port 6000. You can edit Xorg.conf to tell XDM to listen on port 6001 or to not listen on any port whatsoever, or to not use XDM (and use GDM, for example) at all.

Hmm, not sure I follow. XDM, KDM, GDM all listen on port 177. This is for XDMCP requests. Luckily it is disabled by default on all of them. (It is not controlled by xorg.conf but by xdm-config, kdmrc and gdm.conf respectively.)
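Since the thread goes back and forth over which daemon owns port 6000, an added example (my code, not from anyone in the thread) of the check a practitioner would actually run against that port: TCP 6000+n is the X server's own listener for display :n, and a connection there begins with the client's 12-byte connection setup request. The server's first reply byte says whether the display is open (1 = Success), refused (0 = Failed, typically with the reason "No protocol specified" when no cookie is offered) or wants authentication (2 = Authenticate). The layouts below follow the X Window System Protocol's setup request and reply; the sample replies and the one-shot local listener are constructed so the probe can be exercised offline. XDMCP on UDP 177 is a separate protocol and is not probed here.

```python
"""Probe an X server's TCP listener (6000 + display) and classify its setup reply.

Added example, not code from the thread.  Request/reply layouts follow the
X Window System Protocol connection setup; sample_failed_reply() and
fake_x_server() are constructed test doubles so the probe runs offline.
"""
import socket
import struct
import threading


def _pad(n):
    """Bytes needed to round n up to a multiple of 4 (X pads strings to 4)."""
    return (4 - n % 4) % 4


def setup_request(auth_name=b"", auth_data=b""):
    """Client connection setup: 'l' (little-endian), protocol 11.0, optional auth."""
    hdr = struct.pack("<BxHHHHxx", ord("l"), 11, 0, len(auth_name), len(auth_data))
    return (hdr + auth_name + b"\0" * _pad(len(auth_name))
            + auth_data + b"\0" * _pad(len(auth_data)))


def parse_setup_reply(data):
    """Return ('failed', reason) | ('success', (major, minor)) | ('authenticate', reason).

    All three reply forms carry the additional-data length (in 4-byte units)
    at bytes 6..8; Failed keeps the reason length in byte 1.
    """
    if len(data) < 8:
        raise ValueError("short reply")
    status = data[0]
    if status == 0:                                   # Failed
        reason_len = data[1]
        return ("failed", data[8:8 + reason_len].decode("latin-1"))
    if status == 1:                                   # Success: display is open
        major, minor, _extra = struct.unpack("<HHH", data[2:8])
        return ("success", (major, minor))
    if status == 2:                                   # Authenticate
        (extra,) = struct.unpack("<H", data[6:8])
        return ("authenticate", data[8:8 + extra * 4].rstrip(b"\0").decode("latin-1"))
    raise ValueError(f"unknown status byte {status}")


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during setup")
        buf += chunk
    return buf


def probe(host, display=0, port=None, timeout=3.0):
    """Connect to host:(6000+display) (or an explicit port), send the setup request
    and return the parsed reply; ('closed', error) if nothing answers."""
    port = 6000 + display if port is None else port
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(setup_request())
            head = recv_exact(s, 8)
            (extra,) = struct.unpack("<H", head[6:8])
            return parse_setup_reply(head + recv_exact(s, extra * 4))
    except OSError as e:
        return ("closed", str(e))


def sample_failed_reply(reason=b"No protocol specified"):
    """Constructed Failed reply in the form a server sends when it refuses a client."""
    p = _pad(len(reason))
    return struct.pack("<BBHHH", 0, len(reason), 11, 0, (len(reason) + p) // 4) + reason + b"\0" * p


def fake_x_server(reply):
    """Constructed one-shot loopback listener answering any client with `reply`.
    Returns the port it listens on; used only to exercise probe() offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)                             # consume the setup request
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe(host, display=int(sys.argv[2]) if len(sys.argv) > 2 else 0))
```

A `closed` result means the server is not listening on TCP at all (the usual state for a modern Xorg started with -nolisten tcp); `failed` with "No protocol specified" means it listens but enforces MIT-MAGIC-COOKIE-1 or similar; `success` means anyone who can reach the port gets a display connection. Note the probe never sends a cookie and issues no requests after setup.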
