Re: Why does Debian allow all incoming traffic by default
- Date: Fri, 21 Sep 2018 14:47:03 -0500
- From: David Wright <deblis@xxxxxxxxxxxxxxxxx>
- Subject: Re: Why does Debian allow all incoming traffic by default
On Fri 21 Sep 2018 at 22:59:57 (+0530), Subhadip Ghosh wrote:
> Hi Dan,
> > The basic reason is this: it makes sense.
> > Let's suppose Debian installs a basic firewall by default. How
> > basic? Let's say:
> > - outbound: permit
> > - forward: deny
> > - inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
> > response to an outbound packet
> > Now, what should happen when a user installs an SSH daemon?
> > Should it automatically change the firewall? Of course,
> > otherwise everyone who installs SSH would discover that it
> > doesn't work.
> > How many packages now have to have scripts written to update the
> > firewall?
> > What happens when a user installs a multi-protocol daemon like
> > Dovecot? Does it automatically open POP, POP/S, IMAP and IMAP/S?
> > All of them? None of them?
> > There are an infinite number of questions to be asked, all of
> > which can be summarized as "please read the user's mind and find
> > out what they want". This is particularly difficult when the
> > user doesn't know what they want.
> > Remember, Debian isn't a laptop OS. Debian isn't a desktop OS.
> > Debian isn't a phone OS. Debian isn't a server OS. Debian isn't
> > a supercomputing OS. Debian isn't an embedded device OS.
> > Debian is a Universal OS.
> I wouldn't say that whatever you said doesn't make sense. I wish there
> were an easier way to know about it when I started using the OS,
> something to warn me that I need to configure the firewall to suit my
> needs. Maybe because I came from a different OS where the defaults
> were stricter, my expectations about the defaults were different.
The naive user is not going to know what to make of this warning,
so it will be as useless as Proposition 65. If/when they learn what
a firewall is, they should probably turn their attention firstly to
their router and modem combination and their ISP (particularly if it
"owns" the said devices).
OTOH default packet filtering on Debian machines could lead to an
explosion of support queries. That probably suits commercial providers
as they can then charge for their responses. Here, it just increases
the list traffic.
But if you're serious, the normal way is to write a suitable paragraph
and submit it as a wishlist bug against the debian-installer. Then it
might be discussed by people more expert than me.
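The hypothetical default policy sketched in the quoted message (outbound permit, forward deny, inbound only NTP, DHCP, DNS and replies to outbound TCP), written out as data with a small evaluator and an nftables renderer. This is an added example, not code from this thread or from Debian; it assumes DNS and NTP replies are matched statelessly by source port, DHCP by 67 to 68, and that a package's maintainer script would have to call something like the hypothetical open_service() to make a newly installed daemon reachable. The sample packets are constructed.

```python
"""Model of the 'basic default firewall' from the list discussion.

Added example (not from the thread or from Debian). Shows why a newly
installed sshd is silently unreachable under such a policy until some
script extends the allow list, which is the maintenance burden the
quoted message is pointing at.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Inbound allow rules as (proto, sport, dport, comment); None is a wildcard.
Rule = Tuple[str, Optional[int], Optional[int], str]

# The quoted policy: NTP, DHCP and DNS replies are allowed inbound;
# established TCP is handled separately by connection tracking.
DEFAULT_INBOUND: List[Rule] = [
    ("udp", 123, None, "NTP answers"),        # assumption: match by source port
    ("udp", 67, 68, "DHCP offers/acks"),      # server 67 -> client 68
    ("udp", 53, None, "DNS answers"),         # assumption: match by source port
]


@dataclass(frozen=True)
class Packet:
    direction: str          # "in", "out" or "fwd"
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    established: bool = False  # conntrack says it belongs to an outbound flow


def _matches(rule: Rule, pkt: Packet) -> bool:
    proto, sport, dport, _ = rule
    return (proto == pkt.proto
            and (sport is None or sport == pkt.sport)
            and (dport is None or dport == pkt.dport))


def decide(pkt: Packet, inbound_allow: List[Rule] = DEFAULT_INBOUND) -> str:
    """Return 'accept' or 'drop' for a packet under the modelled policy."""
    if pkt.direction == "out":
        return "accept"                     # outbound: permit
    if pkt.direction == "fwd":
        return "drop"                       # forward: deny
    if pkt.established:
        return "accept"                     # replies to outbound connections
    if any(_matches(r, pkt) for r in inbound_allow):
        return "accept"
    return "drop"                           # everything else, including new SSH


def open_service(inbound_allow: List[Rule], proto: str, dport: int,
                 comment: str = "") -> List[Rule]:
    """Hypothetical helper a package postinst would need to call.

    Returns a new allow list; the original is left untouched."""
    return inbound_allow + [(proto, None, dport, comment or f"{proto}/{dport}")]


def _nft_rule(rule: Rule) -> str:
    proto, sport, dport, comment = rule
    parts = []
    if sport is not None:
        parts.append(f"{proto} sport {sport}")
    if dport is not None:
        parts.append(f"{proto} dport {dport}")
    # Only new TCP connections need an explicit rule; established ones are
    # already accepted by the ct state rule emitted in render_nft().
    parts.append("ct state new accept" if proto == "tcp" else "accept")
    return " ".join(parts) + f"  # {comment}"


def render_nft(inbound_allow: List[Rule] = DEFAULT_INBOUND) -> str:
    """Emit the equivalent nftables ruleset for `nft -f`."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ] + [f"    {_nft_rule(r)}" for r in inbound_allow] + [
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy accept;",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    ssh_syn = Packet("in", "tcp", 51234, 22)          # constructed sample
    print("fresh sshd, default policy:", decide(ssh_syn))
    with_ssh = open_service(DEFAULT_INBOUND, "tcp", 22, "openssh-server")
    print("after open_service():", decide(ssh_syn, with_ssh))
    print(render_nft(with_ssh))
```

Running it prints "drop" for the first SSH SYN and "accept" only after the allow list has been extended, which is exactly the mind-reading step the quoted message says every package would then have to perform; the rendered ruleset is the shape a defender would load with `nft -f` if they chose to adopt such a default themselves.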