Web lists-archives.com

Re: Why does Debian allow all incoming traffic by default

On Wed, 26 Sep 2018 14:39:41 +0100
Jonathan Dowland <jmtd@xxxxxxxxxx> wrote:

> On Mon, Sep 24, 2018 at 08:21:55PM +0100, Joe wrote:
> >And there you have the problem: it would be necessary for the
> >installation of certain packages (e.g. MTA) to automatically poke
> >holes in the firewall.  
> We agree this far.
> > For this to be practical, a completely standardised
> >iptables architecture would be necessary, with limited user
> >customisation. That's how Windows does it.  
> This is where we disagree. What would be needed would be a standard
> interface for a package to say "open this port", that was implemented
> by the iptables (say) package by default, but, if you were writing a
> very DIY ruleset, you could override the iptables-package's
> implementation and provide one yourself (or ignore the package hooks
> if you wished).
You're only moving the problem around. Some completely standard piece of
code *somewhere* has to know what is the right place to insert such a
rule. I'll give you an example: neither the beginning nor the end of my
INPUT chain is the right place, because I do some catch-all stuff about
RELATED and INVALID at the beginning of the chain, and some assorted
logging at the end. I don't want anything placed before or after those
parts. In fact, the right place for my server firewall isn't in the
INPUT chain at all, but in one of a few custom chains.

There could be a standard custom chain in which such rules were
inserted so that they all arrived at a place to suit the user, but my
point is that enough such hooks must be defined and honoured to cover
all reasonable use cases. This is a significant project, one which
involves all IP-aware packages, and I don't think there is *yet*
sufficient need to justify the resources to do it right.