Re: Debian 11 and iptables



Hi Arturo,

And thanks for contacting us.

Arturo Borrero Gonzalez <arturo@debian.org> (2019-07-15):
> AFAIK iptables is installed by default by the debian installer up to
> Debian 10 Buster.

Right, because it's Priority: important.

> I would like to start exploring dropping the iptables default for
> Debian 11. I'm referring to don't install the package by default in
> any way:
> 
> * not as part of the base operating system
> * not in any task by tasksel
> * downgrade priority/importance of the package (currently Priority:
>   important)

I don't think it's referenced directly anywhere except through its
priority? (I'm going to pretend I'm not seeing the woody/sarge and
hoary/warty scripts in debootstrap. ;))

> If we still need a default low-level firewalling tool installed by
> default I would suggest we switch to nftables. Also, firewalld should
> be considered as a sensible wrapper at this point, more or less in
> sync with what other distros are doing.
> 
> So my proposal would be to do something like:
> 
> * raise package priority of nftables
> * include nftables in debian installer/base operating system/tasksel

Wouldn't bumping its priority be sufficient, together with lowering it
for iptables?

> * introduce firewalld at least into desktop tasksel tasks

Maybe seeking some kind of consensus on dd@ would be nice before this is
considered? At least asking for some feedback from desktop maintainers
would be more than welcome.

> PS: By default Debian Buster already uses iptables-nft, a version of
> iptables that uses the nf_tables kernel engine.

For those who didn't know about that part, see the release notes, or
update-alternatives --config iptables; one can choose between the legacy
and the nft variants (the former is the historical implementation, the
latter is the default starting with buster).


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
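
Added example, not part of the original message: a POSIX shell check that reports which iptables variant (legacy or nft) is in effect, by comparing the suffix printed by `iptables -V` with the `Value:` line of `update-alternatives --query iptables`. The function names, the sample strings and the `/usr/sbin/iptables-nft` and `/usr/sbin/iptables-legacy` paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: which iptables variant (legacy or nft) is in effect?

# Classify the text printed by `iptables -V`.
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;  # older builds print no suffix
    esac
}

# Classify the output of `update-alternatives --query iptables`.
# Assumption: the alternatives are named iptables-nft and iptables-legacy.
backend_from_alternative() {
    value=$(printf '%s\n' "$1" | sed -n 's/^Value: //p')
    case "$value" in
        */iptables-nft)    echo nft ;;
        */iptables-legacy) echo legacy ;;
        *)                 echo unknown ;;
    esac
}

# Compare both views; a mismatch means the binary found on PATH is not
# the one the alternatives system selected.
check_backend() {
    v=$(backend_from_version "$1")
    a=$(backend_from_alternative "$2")
    if [ "$v" = "$a" ] && [ "$v" != unknown ]; then
        echo "consistent:$v"
    else
        echo "mismatch:version=$v,alternative=$a"
        return 1
    fi
}

# Constructed sample input (not captured from a real host).
SAMPLE_VERSION='iptables v1.8.2 (nf_tables)'
SAMPLE_QUERY='Name: iptables
Link: /usr/sbin/iptables
Status: auto
Best: /usr/sbin/iptables-nft
Value: /usr/sbin/iptables-nft'

# On a host that has both tools, report the live state.
if command -v iptables >/dev/null 2>&1 &&
   command -v update-alternatives >/dev/null 2>&1; then
    check_backend "$(iptables -V 2>/dev/null)" \
        "$(update-alternatives --query iptables 2>/dev/null)" || true
fi
```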