Re: Why does Debian allow all incoming traffic by default

On Mon, Sep 24, 2018 at 03:27:51PM -0400, Henning Follmann wrote:
> And there are also reasons not to install by default one. And this is
> what the OP was about. The default is to not install listening
> services and thus no need for a firewall.

You must have misread or misunderstood my message, because the point I
was making was that the point of a firewall was not just to protect you
from the things you *know* are listening, but the scenarios I outline
where you have things happening you *don't* know about.

> Any default firewall would then force maintainers of packages to test
> for the default firewall and if present inject a default rule to make
> the service available. Otherwise you will have endless rants about
> "why is my ssh not working.." etc.

Yes, we'd need an inter-package scheme for opening service ports when
packages were installed (or services enabled, a subtle distinction). I
outline a high-level approach to that in my last email to this thread (a
reply to Joe).


⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.