
Re: And now for something completely different... etch!
On Tue, 2005-07-06 at 01:03 +0200, Javier Fernández-Sanguino Peña wrote:
> [ Installation improvements ] 
> - Firewall configuration during installation (ala Fedora Core or SuSE):
>   module for d-i. Currently, the system is exposed just during installation
>   on some systems (empty root password?)

Right.  Especially for a workstation installation, something like the
below would allow connecting from the workstation to anywhere else, but
not to any servers run on the workstation.

# Complete iptables-restore file: the rules below plus the *filter header,
# explicit DROP policies, a loopback exception and COMMIT, which the
# fragment assumed.  Load with: iptables-restore < this-file
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Local processes talking to each other over loopback
-A INPUT -i lo -j ACCEPT
# Already existing connections are allowed (incoming&related icmp too)
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# all outgoing traffic is allowed
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
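
The workstation profile above, as an added example that is not part of the original mail or of any Debian package: a small Python evaluator for the iptables-save subset the ruleset uses (-A, -p, -i, -m state --state, -j and :CHAIN POLICY lines), together with an audit that checks the stated intent (anything out, nothing new in, except over loopback). It goes a step beyond the mail by running the same audit on the fragment exactly as posted, with no policy lines, to show that without an explicit INPUT DROP policy the rules block nothing. The ruleset text, packet probes and function names (parse_rules, verdict, audit_workstation) are constructed for this example; the evaluator is a first-match simplification of netfilter, not a conntrack model.

```python
"""Added example (not from the mail): a tiny first-match evaluator for the
subset of iptables-save syntax used in the workstation ruleset, plus an
audit of the profile the mail describes.  Ruleset text, probe packets and
function names are constructed for illustration."""
import shlex

# Constructed: the mail's fragment as posted, with no policy lines.
FRAGMENT_ONLY = """\
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"""

# Constructed: the same rules as a complete iptables-restore file with
# explicit DROP policies and a loopback exception.
WORKSTATION_RULES = (
    "*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\n"
    "-A INPUT -i lo -j ACCEPT\n" + FRAGMENT_ONLY + "COMMIT\n"
)


def parse_rules(text):
    """Parse iptables-save text into ({chain: policy}, {chain: [rules]}).
    Only the options the workstation ruleset uses are understood;
    anything else raises ValueError rather than being silently ignored."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):  # ":CHAIN POLICY [packets:bytes]"
            chain, policy, _counters = line[1:].split()
            policies[chain] = policy
            chains.setdefault(chain, [])
            continue
        toks = shlex.split(line)
        chain = None
        rule = {"proto": None, "iface": None, "states": None, "target": None}
        i = 0
        while i < len(toks):
            opt = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if opt == "-A":
                chain = arg
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "-i":
                rule["iface"] = arg
            elif opt == "-m":
                pass  # match extension name ("state"); its options follow
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            else:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        if chain is None or rule["target"] is None:
            raise ValueError(f"rule needs -A and -j: {line}")
        chains.setdefault(chain, []).append(rule)
    return policies, chains


def verdict(policies, chains, chain, packet):
    """Walk a chain in order; the first matching rule's target wins,
    otherwise the chain policy.  With no declared policy the kernel's
    default is ACCEPT, which is exactly the trap the audit looks for."""
    for rule in chains.get(chain, []):
        if rule["proto"] and rule["proto"] != packet["proto"]:
            continue
        if rule["iface"] and rule["iface"] != packet.get("iface"):
            continue
        if rule["states"] and packet["state"] not in rule["states"]:
            continue
        return rule["target"]
    return policies.get(chain, "ACCEPT")


def audit_workstation(text):
    """Check the profile from the mail: anything out, nothing new in
    (except over loopback).  Returns (ok, list of findings)."""
    policies, chains = parse_rules(text)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP: unsolicited inbound traffic is accepted")
    for rule in chains.get("INPUT", []):
        accepts_new = rule["states"] is None or "NEW" in rule["states"]
        if rule["target"] == "ACCEPT" and accepts_new and rule["iface"] != "lo":
            findings.append(f"INPUT rule accepts NEW connections: {rule}")
    # Behavioural probes (constructed packets): a fresh inbound connection
    # must be dropped, a reply to one we opened must get in, we must get out.
    probes = [
        ("INPUT", {"proto": "tcp", "iface": "eth0", "state": "NEW"}, "DROP"),
        ("INPUT", {"proto": "tcp", "iface": "eth0", "state": "ESTABLISHED"}, "ACCEPT"),
        ("OUTPUT", {"proto": "udp", "iface": "eth0", "state": "NEW"}, "ACCEPT"),
    ]
    for chain, pkt, expected in probes:
        got = verdict(policies, chains, chain, pkt)
        if got != expected:
            findings.append(f"{chain} {pkt['state']} {pkt['proto']}: got {got}, expected {expected}")
    return not findings, findings


if __name__ == "__main__":
    for name, rules in (("fragment as posted", FRAGMENT_ONLY), ("complete file", WORKSTATION_RULES)):
        ok, findings = audit_workstation(rules)
        print(f"{name}: {'OK' if ok else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Run as a script it reports the posted fragment as FAIL (no INPUT DROP policy, so a NEW inbound TCP connection falls through to the kernel's ACCEPT default) and the complete file as OK. The audit deliberately refuses unknown options instead of skipping them, so a rule it does not understand surfaces as an error rather than as a false pass.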

My impression was that firewall setting is generally a messy business,
because there are too many packages that mess with it, usually assuming
they're the only ones who touch it.  This was, I think, part of the
reason why /etc/init.d/iptables was removed (I still use it on all of
my old and newly installed machines, btw.)  But maybe I am wrong and
somebody else could provide more details here.

> - 'Status' in init.d scripts (#291148)

...and 'zap'.  Although it's a solution from the 'should never be needed'
dept., ask yourself how many times you had to killall -9 $something.
(Not that killall is the right solution for zap!)

> - inetd begone! -> xinetd (better mechanism to control DoS, privilege
>   separation, etc.)

IIRC a mechanism for *netd switching had been discussed in Woody times,
then waited for Sarge and I believe we already had some preliminary
implementation but it's still not finished.  Other distros like PLD had
that years ago, btw.

> - Separate runlevels: 2 for multi, no net, 3 for multi no X, 4 for X, 4=5

Do we really need that?  I thought I could always
enable/disable/install/remove [xgk]dm.  And are these runlevels mandated
(or at least documented) by any standard (besides 'the RH way')?  Are
they at least consistent among ~"all distros besides Debian"?

> - Better package search mechanism (tags?) allowing free text search
>   in package management interfaces: "I want a program that does X"

Doesn't 'apt-cache search X' do exactly that?

Cheers,

			Grzegorz B. Prokopski
-- 
Grzegorz B. Prokopski           <gadek@sablevm.org>
SableVM - Free, LGPL'ed Java VM  http://sablevm.org
Why SableVM ?!?                  http://sablevm.org/wiki/Features
Debian GNU/Linux - the Free OS   http://www.debian.org
