Re: Why not have firewall rules by default?

On Wed, Jan 23, 2008 at 11:22:41PM +0100, Florian Weimer wrote:
> The daemon might have been installed by a package dependency, more or
> less by accident. Debian should have a policy that all daemons bind to
> the loopback interface by default, but as long as this is not the case,
> I can understand why people put paket filters on hosts as a safety net.

Debian has a policy to install as few network services as possible in a default install and bind them to the loopback interface if possible. Please check out section 3.6 of the "Securing Debian Manual". IIRC:

• a default install (i.e. one in which you just press "Enter" all the way and select no tasks) will get you OpenSSH, Exim and portmap, with Exim bound to the loopback interface.
• through an expert installation you can get to a system with no services.
• a standard desktop installation adds to the standard installation the printing (cups, but can be bound to loopback) and the autodiscovery (avahi) network services.

Regards

Javier

PS: FWIW similar design decisions were taken on Ubuntu. They started with a 'no open ports policy' but switched recently to a strict, but more open policy, see https://wiki.ubuntu.com/DefaultNetworkServices

Notice, however that the list of network services in Ubuntu was further reduced in the default install as it was (originally) more oriented toward Desktop systems (and not fully UNIX systems)

Now they are even thinking on including a firewall in their default install (see https://wiki.ubuntu.com/UbuntuFirewall). Who knows, maybe Debian will reuse that in our default Desktop install.

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


application/pgp-signature attachment: Digital signature

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek