
Re: Why not have firewall rules by default?

From: Javier Fernández-Sanguino Peña <jfs(at)computer.org>
Date: Sun Jan 27 2008 - 15:58:37 EST


On Wed, Jan 23, 2008 at 01:15:18PM -0600, William Twomey wrote:
> I guess my point is if the 'iptables' package is installed by default on
> Debian, then better integration with Debian would probably be a good
> idea.

Iptables provides the tools. The init.d script was removed since it conflicted with other firewall packages, and it was decided (by the maintainer) that it was better to just provide the tools and let the users select which firewall-ruleset handling tool they wanted to use.

> Why is iptables installed by default and why is there no debian way to
> load/save/unload the iptables rules without making your own init script?
> Why was the init script removed from Debian (security? no maintainer?)

See
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup:

"Remember this: just installing the iptables (or the older firewalling code) does not give you any protection, just provides the software. In order to have a firewall you need to configure it!"

If you don't want to use any of the firewall tools available you can set up your own init.d script as outlined in the "Securing Debian Manual" (see section 5.14.3.2) or through ifupdown (see section 5.14.3.3).

The maintainer removed the script, for more information see #212692.

Unfortunately the maintainer also decided (later on) to remove the README.Debian file which (kind of) explained what was expected of this package. Attached is an older version of this file. I've asked the maintainer (through the BTS) to restore it.

> The fact that a debian machine connected to the internet is vulnerable
> to attacks that have built-in protection on Linux/iptables is strange to
> me.

"Vulnerable to attacks" is a rather large statement. The default installation of Debian only provides a limited number of services, and few of them have had known vulnerabilities. People complain about portmap, but it has not had any reported vulnerabilities in ages.

The Debian approach is to limit the default installation to as few services as possible; Ubuntu is even more extreme. Neither provides a firewall, as it is not initially needed.

> It would be nice to be able to enable these settings so they stay
> after a reset via apt or the install.

You can do this at install time, just install any of the firewall tools. True, none is enabled by default; if you feel this is a bug, nag the tasksel definitions to add, for example, the 'firestarter' package in the GNOME Desktop task or 'guarddog' for KDE. But I'm afraid that there is no "better" choice (especially for headless installations); see http://wiki.debian.org/Firewalls

Regards

Javier

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
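The message above points at the "roll your own" route for persisting iptables rules: a saved ruleset plus an ifupdown hook. The script below is an added example of that approach, written for this page; it is not code from the original mail, from the Securing Debian Manual, or from the iptables package. The paths /etc/iptables.up.rules and /etc/network/if-pre-up.d/iptables, the sample default-deny ruleset, and the `rules_ok` and `install_rules` helper names are all choices made for the example. It assumes an iptables-restore that understands `--test` (parse the ruleset without loading it); older versions may lack that option.

```shell
#!/bin/sh
# Added example, not part of the original mail or of the iptables package:
# a minimal persistence scheme of the kind the Securing Debian Manual
# describes for ifupdown.  Rules live in iptables-save format in a file and
# are restored by a hook in /etc/network/if-pre-up.d/, so they are loaded
# before any interface is brought up.
#
# Assumptions (chosen for this example, not Debian defaults):
#   RULES_FILE  where the saved ruleset lives
#   HOOK_FILE   the ifupdown hook that restores it
RULES_FILE="${RULES_FILE:-/etc/iptables.up.rules}"
HOOK_FILE="${HOOK_FILE:-/etc/network/if-pre-up.d/iptables}"

# Print a small default-deny ruleset in iptables-save format: loopback,
# replies to established connections, SSH and ping are accepted; anything
# else reaching INPUT is logged (rate limited) and dropped.  Adjust to taste.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}

# Sanity-check a saved ruleset without touching the kernel: it must declare
# the filter table, set a DROP policy on INPUT, and end the table with COMMIT.
# A broken file would make the pre-up hook fail, and ifup then refuses to
# bring the interface up.  Returns 0 when the file looks usable.
rules_ok() {
    f="$1"
    [ -r "$f" ]                  || return 1
    grep -q '^\*filter$' "$f"    || return 1
    grep -q '^:INPUT DROP ' "$f" || return 1
    grep -q '^COMMIT$' "$f"      || return 1
    return 0
}

# Text of the ifupdown hook.  ifupdown runs every executable in if-pre-up.d
# for each interface, so the hook must be safe to run repeatedly; it is,
# because iptables-restore replaces the whole filter table each time.
gen_hook() {
    cat <<EOF
#!/bin/sh
# Restore the firewall before the interface comes up (example hook).
[ -r "$RULES_FILE" ] || exit 0
iptables-restore < "$RULES_FILE"
EOF
}

# Write both files; needs root.  'iptables-restore --test' parses the
# ruleset without loading it, so a typo is caught now rather than at boot.
install_rules() {
    tmp=$(mktemp) || return 1
    gen_rules > "$tmp"
    rules_ok "$tmp" || { echo "ruleset failed sanity check" >&2; rm -f "$tmp"; return 1; }
    iptables-restore --test < "$tmp" || { rm -f "$tmp"; return 1; }
    install -m 0600 "$tmp" "$RULES_FILE"
    gen_hook > "$tmp" && install -m 0755 "$tmp" "$HOOK_FILE"
    rm -f "$tmp"
}

case "${1:-}" in
    install) install_rules ;;
    show)    gen_rules ;;
esac
```

Run `sh persist-iptables.sh show` to inspect the ruleset and `sh persist-iptables.sh install` as root to write it and the hook; after `ifdown eth0; ifup eth0` (or a reboot) `iptables -L -n -v` should show the rules. Two caveats worth knowing: a pre-up hook that exits non-zero stops ifup from raising the interface, so a corrupt rules file fails closed rather than leaving the box unfiltered; and rules added by hand with `iptables` are not persisted unless you write them back with `iptables-save > /etc/iptables.up.rules`.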
Received on Sun Jan 27 15:59:45 2008

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:55:30 EDT

