Re: Why not have firewall rules by default?

--On January 23, 2008 9:19:01 AM -0600 William Twomey <william.twomey@gmail.com> wrote:

> It's my understanding (and experience) that a Debian system by default is
> vulnerable to SYN flooding (at least when running services) and other
> such mischeif. I was curious as to why tcp_syncookies (and similar
> things) are not enabled by default.

There was atleast at some point I believe evidence that some platforms/firewalls didn't play well with SYN cookies. I could be wrong.

> Many distros (RPM-based mostly from my experience) ask you during the
> install if you'd like to enable firewall protection. I was curious if
> debian was every going to have this as an option?

There are so many different choices of firewall management packages. Shorewall is one I use, there are many others. Some of which don't play well with extra things that some users may use like wondershaper. Debian is still one of those distros that believes a little more in choice than just pushing things down the users throat.

>
> One solution could be to have a folder called /etc/security/iptables that
> contains files that get passed to iptables at startup (in the same way
> /etc/rc2.d gets read in numeric order). So you could have files like
> 22ssh, 23ftp, etc. with iptable rules in each file. You could also have
> an 'ENABLED' variable like some files in /etc/default have (so that ports
> wouldn't be opened by default; the user would have to manually enable
> them for the port to be opened).
> Then they'd just run /etc/init.d/iptables restart and the port would be
> opened (flush the rules, reapply).

It's better to leave the service disabled, or even better, completely uninstalled from a security standpoint, and from a DoS standpoint as well. The Linux kernel isn't very efficient at processing firewall rules. Newer kernels might be though (I honestly haven't looked as deeply into this in late 2.6 as i did/do in 2.4...2.4 processes firewall rules strictly step by step)

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

>
> Even a central iptables-save format file that gets passed to iptables at
> startup would be nice. It's easy enough to do manually, but would be nice
> to see integrated with debian itself (packages managing their own rules,
> etc.).

This much does exist. invoke-rc.d iptables save --- i'm not sure what package the /etc/init.d/iptables script is in, seems to me like it was part of the same package that provided the binaries.

> Is debian every going to introduce a better way of having iptables rules
> be run at startup and easily saved/managed, or will this always be a
> manual process?

Probably not, as, in the distro, there's at least one good firewall management utility, and probably more than one. No need to reinvent the wheel.

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org