Re: Why does Debian allow all incoming traffic by default
- Date: Wed, 26 Sep 2018 14:42:20 +0100
- From: Jonathan Dowland <jmtd@xxxxxxxxxx>
- Subject: Re: Why does Debian allow all incoming traffic by default
On Mon, Sep 24, 2018 at 03:27:51PM -0400, Henning Follmann wrote:
> And there are also reasons not to install one by default. And this is
> what the OP was about. The default is to not install listening
> services and thus no need for a firewall.
You must have misread or misunderstood my message, because the point I
was making was that the point of a firewall was not just to protect you
from the things you *know* are listening, but the scenarios I outline
where you have things happening you *don't* know about.
> Any default firewall would then force maintainers of packages to test
> for the default firewall and if present inject a default rule to make
> the service available. Otherwise you will have endless rants about
> "why is my ssh not working.." etc.
Yes, we'd need an inter-package scheme for opening service ports when
packages were installed (or services enabled, a subtle distinction). I
outline a high-level approach to that in my last email to this thread (a
reply to Joe).
Jonathan Dowland
Please do not CC me, I am subscribed to the list.