Re: And now for something completely different... etch!
On Tue, 2005-07-06 at 01:03 +0200, Javier Fernández-Sanguino Peña wrote:
> [ Installation improvements ]
> - Firewall configuration during installation (ala Fedora Core or SuSE):
> module for d-i. Currently, the system is exposed just during installation
> on some systems (empty root password?)
Right. Especially for workstation installation, something like below
would allow connecting from the workstation to anywhere else, but not to
any servers run on the workstation.
# Already existing connections are allowed (incoming&related icmp too)
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# all outgoing traffic is allowed
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
My impression was that firewall setting is generally a messy business,
because there are too many packages that mess with it, usually assuming
they're the only ones who touch it. This was, I think, part of the
reason why /etc/init.d/iptables was removed (I still use it on all of
my old and newly installed machines, btw.) But maybe I am wrong and
somebody else could provide more details here.
> - 'Status' in init.d scripts (#291148)
...and 'zap'. Although it's a solution from the 'should never be needed'
dept., ask yourself how many times you had to killall -9 $something.
(not that killall is the right solution for zap!)
> - inetd begone! -> xinetd (better mechanism to control DoS, privilege
> separation, etc.)
IIRC a mechanism for *netd switching had been discussed in Woody times,
then waited for Sarge and I believe we already had some preliminary
implementation but it's still not finished. Other distros like PLD had
that years ago, btw.
> - Separate runlevels: 2 for multi, no net, 3 for multi no X, 4 for X, 4=5
Do we really need that? I thought I could always
enable/disable/install/remove [xgk]dm. And are these runlevels mandated
(or at least documented) by any standard (besides 'the RH way')? Are
they at least consistent among ~"all distros besides Debian"?
> - Better package search mechanism (tags?) allowing free text search
> in package management interfaces: "I want a program that does X"
Doesn't 'apt-cache search X' do exactly that?
Cheers,
Grzegorz B. Prokopski
--
Grzegorz B. Prokopski <gadek@sablevm.org>
SableVM - Free, LGPL'ed Java VM http://sablevm.org
Why SableVM ?!? http://sablevm.org/wiki/Features
Debian GNU/Linux - the Free OS http://www.debian.org
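
The rules posted in this message only ever ACCEPT, so whether they actually keep inbound connections out depends on the chain policy. The following is an added example, not part of the original message: a small first-match model of those six rules, evaluated under the built-in ACCEPT policy and under a DROP policy (the DROP policy and all Python names are assumptions).

```python
import shlex

# The six rules from the message above, copied verbatim.
POSTED_RULES = """\
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"""

def parse_rules(text):
    """Parse the subset of iptables-save syntax used in the message."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        opts = dict(zip(tok[0::2], tok[1::2]))  # option/value pairs
        rules.append({"chain": opts["-A"], "proto": opts["-p"],
                      "states": set(opts["--state"].split(",")),
                      "target": opts["-j"]})
    return rules

def verdict(rules, policy, chain, proto, state):
    """First matching rule wins; otherwise the chain policy decides."""
    for r in rules:
        if r["chain"] == chain and r["proto"] == proto and state in r["states"]:
            return r["target"]
    return policy[chain]

RULES = parse_rules(POSTED_RULES)
DEFAULT_POLICY = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT"}  # built-in chain default
DROP_POLICY = {"INPUT": "DROP", "OUTPUT": "DROP"}  # assumption: set by the installer

# Constructed sample packets: (chain, protocol, conntrack state).
SAMPLES = [("INPUT", "tcp", "NEW"), ("INPUT", "tcp", "ESTABLISHED"),
           ("INPUT", "tcp", "RELATED"), ("INPUT", "icmp", "RELATED"),
           ("OUTPUT", "udp", "NEW")]

def compare():
    """Map each sample to its (default-policy, drop-policy) verdicts."""
    return {p: (verdict(RULES, DEFAULT_POLICY, *p), verdict(RULES, DROP_POLICY, *p))
            for p in SAMPLES}

if __name__ == "__main__":
    for pkt, (default, drop) in compare().items():
        print(f"{pkt!s:34} default={default:7} drop-policy={drop}")
```

The rules do not match on interface, so under a DROP policy a NEW packet arriving on lo is dropped as well; a real ruleset would need an explicit loopback accept rule. Inbound RELATED tcp/udp is likewise not covered by the posted INPUT rules.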