Web lists-archives.com

Re: Why does Debian allow all incoming traffic by default

On Mon, 24 Sep 2018 19:52:39 +0100
Jonathan Dowland <jmtd@xxxxxxxxxx> wrote:

> On Sat, Sep 22, 2018 at 05:12:38AM -0400, Gene Heskett wrote:
> >Because you can set an ntp corrected machine as a broadcaster,
> >therefore reducing the load on the tier 2 servers such as debian
> >maintains by using their pool.debian.org or the tier 1 servers at
> >pool.ntp.org. That way I have 7 machines here, all synchronized to
> >the first or 2nd tier of time servers on the planet. This machine is
> >a slave to my router, it broadcasts to the other 6 machines, so I
> >have all synched and well within a millisecond.  
> You certainly can, but is that really a use-case that a hypothetical
> default firewall should service? I don't think so. If you are setting
> such a thing up you should be expected to punch the requisite holes in
> the default firewall as part of that work.

And there you have the problem: it would be necessary for the
installation of certain packages (e.g. MTA) to automatically poke holes
in the firewall. For this to be practical, a completely standardised
iptables architecture would be necessary, with limited user
customisation. That's how Windows does it. 

Fine for Brian, and others who use no firewall at the moment, not so
good for anyone with an existing hand-made set of iptables rules. My
netbook, for example, has three sets of rules which are selected
according to the environment and whether a VPN is in use. My server has
a set of rules appropriate to a network firewall plus VPN server, with
suitable named chains and 'subroutine' structure. All of this would be
swept away by a standard firewall structure, and would need to be
rebuilt in conformance with the standard. Such a standard would have to
encompass all possible use-cases, including multiple NICs and multiple
VPN arrangements. Any volunteers?