
Re: Why not have firewall rules by default?

From: Riku Valli <riku.valli(at)vallit.fi>
Date: Wed Jan 23 2008 - 11:48:33 EST


Rolf Kutz wrote:
> On 23/01/08 08:29 -0700, Michael Loftis wrote:
>>
>> It's better to leave the service disabled, or even better, completely
>> uninstalled from a security standpoint, and from a DoS standpoint as
>> well. The Linux kernel isn't very efficient at processing firewall
>> rules. Newer
>
> I thought it was very efficient in doing so. YMMV.
>
>>
>> This much does exist. invoke-rc.d iptables save --- I'm not sure
>> what package the /etc/init.d/iptables script is in, seems to me like
>> it was part of the same package that provided the binaries.
>
> Didn't that get removed?
>
> regards, Rolf

Yes, they were removed. I think this is the most correct style today: http://ace-host.stuart.id.au/russell/files/debian/sarge/iptables/

I cannot find the original, and it seems that this info has been removed from ..doc/iptables.

Debian doesn't have any open services by default, except portmapper, and there aren't any services behind portmapper. So there is no need for a host firewall.

If all services are allowed from the host to anywhere, the firewall cannot do anything when the host is compromised, and it is very difficult to make default rules for that. If a user installs, for example, Apache, we need a mechanism which automatically allows connections from outside to the service(s). What is different? A host without a firewall and port 80 open, or a host with a firewall and a rule which opens port 80?

Regards, Riku

Received on Wed Jan 23 12:00:01 2008
