Re: Why not have firewall rules by default?

William Twomey wrote:
>
>> Debian haven't any open services by default, except portmapper and
>> behind portmapper aren't any services. So no need for host firewall.
> But isn't it reasonable to assume that most people will be installing
> services? Even a desktop user is likely to enable SSH and maybe even
> apache for convenience. And I'm not asking for this to be mandatory;
> just an option during the initial install.
>>
>> If all services are allowed from host to anywhere firewall cannot do
>> nothing in case when host it compromised and is very difficult made
>> default rules for that. If user install example apache we need
>> mechanism which automatically allow connection/s from outside to
>> service/s. What is different? Host without firewall and port 80 open
>> or host with firewall and rule which open port 80?
> It's less likely for the host to be compromised if it's behind a good
> firewall, don't you think?

Yes of course, but i think at perimeter firewall is for that expect you really need tight server installation.

> For example, if only port 22 is allowed (after they install SSH) and
> they foolishly run a malicious program/script as root that creates a
> backdoor at some random portOr even restrict some outgoing ports
> (common rootkits, anything over port 1024 perhaps?)
>

If you restrict all over port 1024 you cannot use your computer :)

myhost:34873          otherhost:ssh         ESTABLISHED
otherhost:22            myhost:34873         ESTABLISHED

This is reason why use statefull inspection at perimeter firewall. It's open high port/s related a allowed established connection and keep other high port closed if you compare to old router's access list, only ports < 1024 can filtered. Iptables have statefull capabilties.

http://www.checkpoint.com/products/downloads/Stateful_Inspection.pdf

If you have rootkit with root permissions it can disable your firewall or connect with normal client software to anywhere. So in host firewall you must restrict outside and inside port/s and this is nightmare maintain at normal user desktop. Compare Windows Antivirus/Firewall softwares and why it ask "This program tries connect to internet, allow or deny". Yes many of Windows firewalls are packet filters ie. all high ports open

Normally this kind systems are used only servers when needed really tight security.

> A few prompts during the installation would be able to make a suitable
> firewall script for most users (and other users would choose not to
> use it).

If this is needed/wanted to Debian, no problems, but remember obscure isn't security.
With fwbuilder, lokkit (Gnome), kmyfirewall (kde) etc is very easy made and maintain firewall/s at Linux and all of these are regular Debian packages. That is true at there should be more information about firewall possibilities example at
http://www.debian.org/doc/manuals/securing-debian-howto/

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

I like Debian because it don't tried install for me selinux, firewalls and all bells and whistles. This isn't sometimes remember at some distributions :) I can choose myself which is suitable for me.

Regards, Riku
>>
>>
>
>

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org