
Re: Release update



* Marc Haber (mh+debian-devel@zugschlus.de) [040331 10:10]:
> On Tue, 30 Mar 2004 02:38:26 +0200, Javier Fernández-Sanguino Peña
> <jfs@computer.org> wrote:
> >Iptables is, or at least I think it is. However, the maintainer, in
> >response to #212692, said:
> >
> >"iptables is not a firewall."
> >
> >Feel free to reopen that bug report, if firewall configuration should be
> >part of the base install, it should be done by a good default rule in the
> >iptables scripts.

> No!
> 
> That would make all the firewall scripts out there more complex, and
> it would probably break them on introduction and upgrades. If we
> insist on shipping an unnecessary firewall with the base system, we
> _MUST_ make it easily uninstallable while retaining
> /usr/sbin/iptables. And surely a lot of systems are going to break on
> upgrade if the current iptables package is suddenly replaced by one
> establishing a non-empty, non-permit-all rule set on installation.

If we consider installing some firewall script by default, then this
should only be done by d-i, and not by a "normal" upgrade. Via this
way, there is no risk for existing setups, and it can quite easily be
disabled. If this easy firewall is just some new package, then it's
also quite easy to enhance existing installations with it.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C


