
Re: Why not have firewall rules by default?

From: Michelle Konzack <linux4michelle(at)freenet.de>
Date: Fri Jan 25 2008 - 16:57:53 EST


Am 2008-01-23 09:19:01, schrieb William Twomey:
> It's my understanding (and experience) that a Debian system by default
> is vulnerable to SYN flooding (at least when running services) and other
> such mischief. I was curious as to why tcp_syncookies (and similar
> things) are not enabled by default.

Hmm, in three months I will have been using Debian GNU/Linux for 9 years and I was never SYN-flooded or hacked, and currently I am maintaining a worldwide network of 280 servers and over 900 workstations...

And I have services running, but only those which are REALLY required and not more.

> Many distros (RPM-based mostly from my experience) ask you during the
> install if you'd like to enable firewall protection. I was curious if
> debian was ever going to have this as an option?

Sorry, but Debian is NOT an "install and do not ask questions" distribution. Here, the $USER has the choice of a couple of different firewall solutions, and some $USER may use only an $EDITOR and hack some ipt lines down.

> One solution could be to have a folder called /etc/security/iptables
> that contains files that get passed to iptables at startup (in the same
> way /etc/rc2.d gets read in numeric order). So you could have files like
> 22ssh, 23ftp, etc. with iptable rules in each file. You could also have
> an 'ENABLED' variable like some files in /etc/default have (so that
> ports wouldn't be opened by default; the user would have to manually
> enable them for the port to be opened).
>
> Then they'd just run /etc/init.d/iptables restart and the port would be
> opened (flush the rules, reapply).

Nice idea, but not flexible enough since it CAN conflict with most firewall solutions.

> Even a central iptables-save format file that gets passed to iptables at
> startup would be nice. It's easy enough to do manually, but would be
> nice to see integrated with debian itself (packages managing their own
> rules, etc.).


But it is not usable for most firewall solutions...

I have already tried the iptables-save/restore stuff on my routers, but it drove me crazy...

> Is debian ever going to introduce a better way of having iptables rules
> be run at startup and easily saved/managed, or will this always be a
> manual process?

I think not.

Thanks, Greetings and nice Day

    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, 
http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSN LinuxMichi
0033/6/61925193    67100 Strasbourg/France   IRC #Debian (irc.icq.com)
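The rules-directory scheme quoted above (files such as 22ssh and 23ftp read in numeric order, each with an ENABLED variable so that no port is opened unless the administrator turns it on) is easy to prototype. The script below is an added example, not Debian's code and not the poster's; it assumes the directory layout the proposal describes, that each rule file holds one line of iptables arguments per rule, and that a DRY_RUN variable (an assumption of this example) prints the commands instead of running them, so the loader can be checked without root or a real iptables binary.

```shell
#!/bin/sh
# Loader for a /etc/security/iptables rules directory, as sketched in the
# thread (added example; not Debian's and not the poster's code).
# Assumed layout: files named like 22ssh, 23ftp are read in lexical order,
# each containing an "ENABLED=yes" or "ENABLED=no" line plus one rule per
# line written as the arguments to iptables, for example
#   -A INPUT -p tcp --dport 22 -j ACCEPT
# Files without an explicit ENABLED=yes are ignored, so nothing is opened
# by accident. Rule lines are split on whitespace; quoting is not supported.

IPTABLES="${IPTABLES:-iptables}"   # binary to call; override for testing
DRY_RUN="${DRY_RUN:-0}"            # 1: print the commands instead of running

# Run one iptables invocation, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# A file is active only when it contains exactly "ENABLED=yes".
file_enabled() {
    grep -q '^ENABLED=yes$' "$1"
}

# Everything except the ENABLED line, comments and blank lines is a rule.
rule_lines() {
    grep -v -e '^#' -e '^ENABLED=' -e '^[[:space:]]*$' "$1"
}

# Flush INPUT, keep loopback and established traffic, apply every enabled
# file in lexical order (22ssh before 23ftp, like /etc/rc2.d), then make
# DROP the policy for whatever was not explicitly opened.
apply_rules() {
    dir="$1"
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if file_enabled "$f"; then
            rule_lines "$f" | while IFS= read -r line; do
                # Word-split the rule line into iptables arguments (intended).
                set -- $line
                ipt "$@"
            done
        fi
    done
    ipt -P INPUT DROP
    return 0
}

# Usage: sh iptables-dir.sh apply [/etc/security/iptables]
# Set DRY_RUN=1 to only print what would be executed.
case "${1:-}" in
    apply) apply_rules "${2:-/etc/security/iptables}" ;;
esac
```

Running it as `DRY_RUN=1 sh iptables-dir.sh apply /etc/security/iptables` shows the exact command sequence before anything touches the live tables; the flush-and-reapply matches the "/etc/init.d/iptables restart" behaviour the proposal describes, and a disabled file leaves its port closed because the final policy is DROP.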

-- To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Received on Wed Jan 30 08:30:57 2008

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:55:34 EDT
