On Mon, Sep 24, 2018 at 08:21:55PM +0100, Joe wrote:
> And there you have the problem: it would be necessary for the
> installation of certain packages (e.g. MTA) to automatically poke holes
> in the firewall.

We agree this far.

> For this to be practical, a completely standardised
> iptables architecture would be necessary, with limited user
> customisation. That's how Windows does it.

This is where we disagree. What would be needed would be a standard
interface for a package to say "open this port", that was implemented by
the iptables (say) package by default, but, if you were writing a very
DIY ruleset, you could override the iptables-package's implementation
and provide one yourself (or ignore the package hooks if you wished).

> Fine for Brian, and others who use no firewall at the moment, not so
> good for anyone with an existing hand-made set of iptables rules. My
> netbook, for example, has three sets of rules which are selected
> according to the environment and whether a VPN is in use. My server has
> a set of rules appropriate to a network firewall plus VPN server, with
> suitable named chains and 'subroutine' structure. All of this would be
> swept away by a standard firewall structure, and would need to be
> rebuilt in conformance with the standard. Such a standard would have to
> encompass all possible use-cases, including multiple NICs and multiple
> VPN arrangements. Any volunteers?

The approach I outline above would mean you would have the choice of
reworking your configuration to work in harmony with the new
arrangement, or override and ignore it, and continue as you are.
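For readers who want to see what the "open this port" interface sketched in
the reply above could look like in practice, here is an added example. It is
not Debian's code and not code from either poster; the function name
fw_open_port, the chain name pkg-open, the override path
$FW_HOOK_DIR/open-port and the FW_HOOKS knob are all hypothetical names chosen
for illustration. A package's postinst would call fw_open_port; the iptables
package would ship the default implementation; an administrator with a DIY
ruleset either drops in their own open-port executable or sets FW_HOOKS=ignore
and keeps their rules untouched.

```sh
#!/bin/sh
# Added example (not Debian's, not either poster's): a minimal package-facing
# "open this port" hook.  All names below are hypothetical: fw_open_port,
# the pkg-open chain, $FW_HOOK_DIR/open-port and the FW_HOOKS variable.
#
# A package (e.g. an MTA's postinst) calls:   fw_open_port tcp 25 postfix
# The iptables package ships the default implementation.  A hand-made ruleset
# overrides it by installing an executable $FW_HOOK_DIR/open-port, or ignores
# package requests entirely with FW_HOOKS=ignore.

FW_HOOK_DIR="${FW_HOOK_DIR:-/etc/firewall/hooks.d}"
FW_CHAIN="${FW_CHAIN:-pkg-open}"
IPTABLES="${IPTABLES:-iptables}"   # swapped for a stub when testing

# Refuse anything that is not tcp/udp with a port in 1..65535: the arguments
# come from maintainer scripts, but they still end up on an iptables command line.
fw_validate() {
    case "$1" in tcp|udp) ;; *) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

# Default implementation: every package-requested hole lives in one dedicated
# chain, so an admin can list or flush them separately from the rest of INPUT.
fw_default_open_port() {
    proto=$1 port=$2 pkg=$3
    "$IPTABLES" -N "$FW_CHAIN" 2>/dev/null || true          # chain may already exist
    "$IPTABLES" -C INPUT -j "$FW_CHAIN" 2>/dev/null \
        || "$IPTABLES" -I INPUT -j "$FW_CHAIN"              # hook the chain once
    # Checking with -C first keeps repeated postinst runs idempotent; the -C
    # spec must match the full rule, comment included, or it never matches.
    "$IPTABLES" -C "$FW_CHAIN" -p "$proto" --dport "$port" \
            -m comment --comment "$pkg" -j ACCEPT 2>/dev/null \
        || "$IPTABLES" -A "$FW_CHAIN" -p "$proto" --dport "$port" \
               -m comment --comment "$pkg" -j ACCEPT
}

# The interface packages call.  Returns 0 on success, 2 on bad arguments.
fw_open_port() {
    fw_validate "$1" "$2" || { echo "fw_open_port: bad proto/port: $1 $2" >&2; return 2; }
    [ "${FW_HOOKS:-default}" = ignore ] && return 0        # admin opted out
    if [ -x "$FW_HOOK_DIR/open-port" ]; then
        "$FW_HOOK_DIR/open-port" "$1" "$2" "${3:-unknown}" # admin's own implementation
    else
        fw_default_open_port "$1" "$2" "${3:-unknown}"
    fi
}

# When run as a script, act on the command line: ./fw-open-port.sh tcp 25 postfix
if [ $# -gt 0 ]; then
    fw_open_port "$@"
fi
```

The point of the dedicated chain is that the package-driven holes stay
visible as a unit (iptables -L pkg-open) rather than being scattered through
an admin's hand-written INPUT chain, and the override hook means a DIY ruleset
never has to be rebuilt around the default: it just takes the call and does
whatever it likes with it.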


