Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: lists.debian.org > debian-security > 07 > 080177.html (Request Expert lists.debian.org Support)

Re: secure installation

From: Jack T Mudge III <jakykong(at)theanythingbox.com>
Date: Mon Aug 20 2007 - 15:40:58 EDT


On Monday 20 August 2007 10:47, alex black wrote:
> > thus defeat the purpose). A default firewall simply can't work,
> > even if we
> > had some way to implement it perfectly for all packages (without
> > breaking
> > any, which we undoubtedly would).
>
> It all depends on context - I agree that a default firewall for
> "debian" is stupid, but if you look at the way an OpenBSD box looks
> when the default install is done, that is my ideal. I happen to
> prefer the way thing generally are done in debian, but on the initial
> install, OpenBSD whips any other OS I've seen. It has pf on by
> default and only allows SSH connections. Ideal.
>
> Would that be a good idea for a workstation? No - nightmare. Is it a
> good idea for a server? Yes absolutely. Servers, unless they are
> packaged appliance distros or subdistros, should always have the bare
> minimum of services and allow SSH only by default.
>
> $.000002
>
> _a
>
>
> --
> alex black, founder
> the turing studio, inc.

I apologize if what I meant was clear. I declined to include the word 'debian' here, because the context is clear from previous posts in the thread.

Excellent point, though. Workstations don't need a firewall. Servers probably do. I don't disagree (I wholly agree, actually). However, the typical server is set up by someone who knows what they're doing (not someone who would need help setting up a firewall), and has specific requirements.

My intention wasn't to say a default firewall can never work, but that it can't work for debian, given the community/ideology and existing user-base surrounding it. 

-- 
Sincerely,
Jack
jakykong@theanythingbox.com

My GPG Public Key can be found at:
https://www.theanythingbox.com/pgp.htm (top link is current)
I appreciate signatures, but if you only know me online,
please use the --lsign-key, not the --sign-key.
I appreciate trust -- but too much makes it less valuable.

-- To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  • application/pgp-signature attachment: stored
Received on Mon Aug 20 15:39:54 2007

This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 07:52:51 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library