Re: Why does Debian allow all incoming traffic by default
- Date: Fri, 21 Sep 2018 13:09:35 -0400
- From: Dan Ritter <dsr@xxxxxxxxxxxxxxxx>
- Subject: Re: Why does Debian allow all incoming traffic by default
On Fri, Sep 21, 2018 at 09:02:26AM +0530, Subhadip Ghosh wrote:
> Hi Roberto,
> On Friday 21 September 2018 08:51 AM, Roberto C. Sánchez wrote:
> > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > Hi,
> > >
> > > I am using Debian and the recently I learned that a standard Debian
> > > installation allows all 3 types of traffics especially incoming by default.
> > What do you mean by "all 3 types of traffics"?
> Incoming, Outgoing and Forward
> > > I know I can easily use iptables to tighten the rules but I wanted to know
> > > the reasons behind the choice of this default behaviour and if it makes the
> > > system more vulnerable?
> > The behavior you observe is likely because that is the best default that is
> > universally applicable.
> But does it make the system more vulnerable in any way to attacks over the
> network? And how will a new Debian user would know of this behaviour? I
> don't even see it mentioned on the Stretch Installation manual anywhere.
> > > I tried searching on the Internet but did not get
> > > any satisfactory explanation. It will be helpful if anybody knows the
> > > answers to my questions or can redirect me to a helpful document.
> > >
> > Where did you search or what terms did you use?
> Search engines (Google and Duckduckgo). Search terms were similar to the
> email subject line. I also read the wiki on Debian Firewall where it says
> about the choice of defaults but not the reasons.
The basic reason is this: it makes sense.
Let's suppose Debian installs a basic firewall by default. How
basic? Let's say:
- outbound: permit
- forward: deny
- inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
response to an outbound packet
Now, what should happen when a user installs an SSH daemon?
Should it automatically change the firewall? Of course,
otherwise everyone who installs SSH would discover that it
How many packages now have to have scripts written to update the
What happens when a user installs a multi-protocol daemon like
Dovecot? Does it automatically open POP, POP/S, IMAP and IMAP/S?
All of them? None of them?
There are an infinite number of questions to be asked, all of
which can be summarized as "please read the user's mind and find
out what they want". This is particularly difficult when the
user doesn't know what they want.
Remember, Debian isn't a laptop OS. Debian isn't a desktop OS.
Debian isn't a phone OS. Debian isn't a server OS. Debian isn't
a supercomputing OS. Debian isn't an embedded device OS.
Debian is a Universal OS.