Pantek Library

Re: Why not have firewall rules by default?

From: Florian Weimer <fw(at)deneb.enyo.de>
Date: Mon Jan 28 2008 - 12:43:27 EST

  • Javier Fernández-Sanguino Peña:

> On Wed, Jan 23, 2008 at 11:22:41PM +0100, Florian Weimer wrote:
>> The daemon might have been installed by a package dependency, more or
>> less by accident. Debian should have a policy that all daemons bind to
>> the loopback interface by default, but as long as this is not the case,
>> I can understand why people put packet filters on hosts as a safety net.
>
> Debian has a policy to install as few network services as possible in a
> default install and bind them to the loopback interface if possible.

Where is this described in Policy?

> Please check out section 3.6 of the "Securing Debian Manual". IIRC:
>
> - a default install (i.e. one in which you just press "Enter" all the way and
> select no tasks) will get you OpenSSH, Exim and portmap, with Exim bound to
> the loopback interface.

portmap is typically not bound to the loopback interface. It's mostly used for fam, I think, so this should really be feasible. (But the localhost restriction patches for Sun RPC are broken anyway, AFAICS.)

There are other systems where the web server listens on localhost only (if you explicitly install it, which you still need to do). Given that, I don't see that Debian follows a restrictive policy in this area, contrary to what you suggested. This isn't necessarily a bad thing, though.

Received on Mon Jan 28 13:06:04 2008

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:55:31 EDT
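
One way to check on a given host the binding behaviour this thread discusses, as an added example that is not part of the original message: it classifies listening TCP sockets from `ss -H -ltn` output as loopback-only or reachable on other interfaces. The sample output is constructed (ports 22, 25 and 111 stand in for OpenSSH, Exim and portmap), and the function names are this example's own.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output (not taken from the thread).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      20         127.0.0.1:25        0.0.0.0:*
LISTEN 0      4096         0.0.0.0:111       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      20             [::1]:25           [::]:*
LISTEN 0      511                *:80              *:*
"""

def split_local(field):
    """Split an ss 'Local Address:Port' field into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop any %iface scope suffix first, then IPv6 brackets.
    host = host.split("%", 1)[0].strip("[]")
    return host, int(port)

def is_loopback(host):
    """True only for loopback bind addresses; the '*' wildcard is not."""
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback

def audit_listeners(ss_output):
    """Return (loopback_only, exposed) lists of (host, port) tuples."""
    loopback_only, exposed = [], []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip blank, header or non-listening lines
        host, port = split_local(cols[3])
        (loopback_only if is_loopback(host) else exposed).append((host, port))
    return loopback_only, exposed

if __name__ == "__main__":
    local, exposed = audit_listeners(SAMPLE_SS_OUTPUT)
    for host, port in exposed:
        print(f"reachable beyond loopback: {host}:{port}")
    for host, port in local:
        print(f"loopback only: {host}:{port}")
```

On a live system, pass the text captured from `ss -H -ltn` to `audit_listeners` in place of the sample.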

