
Re: init.d script for iptables ruleset



On Wed, Sep 21, 2005 at 04:34:49AM -0700, Steve Langasek wrote:
> I don't remember any such rationale ever being given; IIRC, ljlane changed
> it in response to pressure from users, who may have objected for any number
> of reasons.  The presence of an optional startup script for iptables doesn't

That's not what happened IMHO. ljlane removed them because he didn't want to
have any built-in firewall functionality in iptables. He wanted the package
to provide just the software itself. You might want to consider checking 
out the maintainer response to #212692.

> preclude having per-interface rules, anyway; and one may have a need for
> both per-interface rules *and* static rules that should always be loaded...

IIRC the startup scripts were removed because the maintainer believed them to
be a kludge and actively encouraged users to use firewall packages 
instead of the built-in functionality initially added in the iptables package. 
Notice that iptables' current README.Debian file has changed since I filed
bug #307934. Now the maintainer does not mention firewall packages at all
there.

> Anyway, this is still in the pre-proposal stage and needs plenty more work,
> but since the topic has come up: <http://wiki.debian.org/FirewallByDefault>.
> Feel free to add comments. :)

How about pointing to the "Adding firewall capabilities" section of
the Securing Manual? Available at
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup

Also fixing #324593 might be relevant here as some network security features
are configured at the kernel level. I tried to describe this in the
"Securing network access" section of the Securing Manual:
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-network-secure

Regards

Javier
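An added example, not the Debian iptables package's own init script and not code posted in this thread, of the kind of init.d script the thread is about: it refuses to load an iptables-restore file that is unbalanced (a table opened with "*name" without a closing COMMIT), applies a few kernel-level network settings through sysctl, and only then loads the ruleset. The script name, the ruleset path /etc/iptables/rules.v4 and the particular sysctl values are assumptions chosen for illustration.

```shell
#!/bin/sh
# /etc/init.d/iptables-ruleset (hypothetical name): load a saved iptables
# ruleset and a few kernel network-hardening sysctls at boot.
# Added example, not the Debian package's script.  The ruleset location
# and the sysctl values below are assumptions.

RULESET="${RULESET:-/etc/iptables/rules.v4}"   # assumed location

# Kernel-level network settings (real Linux tunables, values assumed):
# no forwarding on a host, reverse-path filtering, ignore source routing
# and ICMP redirects, log martians, ignore broadcast pings, SYN cookies.
harden_sysctls() {
    cat <<'EOF'
net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
EOF
}

apply_sysctls() {
    harden_sysctls | while IFS= read -r kv; do
        sysctl -q -w "$kv"
    done
}

# An iptables-restore file opens each table with '*name' and closes it with
# 'COMMIT'.  A truncated file (e.g. an interrupted iptables-save) would be
# rejected or loaded partially, so check the file is balanced before
# touching the kernel.  Returns 0 when readable and balanced.
ruleset_is_complete() {
    f="$1"
    [ -r "$f" ] || return 1
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

start() {
    if ! ruleset_is_complete "$RULESET"; then
        echo "iptables-ruleset: $RULESET missing or unbalanced, not loading" >&2
        return 1
    fi
    apply_sysctls
    # iptables-restore replaces the tables named in the file atomically.
    iptables-restore < "$RULESET"
}

stop() {
    # Default-accept and flush: this removes filtering entirely, so only
    # run it on a network you trust.
    for chain in INPUT FORWARD OUTPUT; do
        iptables -P "$chain" ACCEPT
    done
    iptables -F
    iptables -X
}

save() {
    iptables-save > "$RULESET"
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    save)    save ;;
    "")      : ;;   # sourced or run without an action: do nothing
    *)       echo "Usage: $0 {start|stop|restart|save}" >&2; exit 1 ;;
esac
```

The check in ruleset_is_complete is deliberately cheap and syntax-only; it catches a truncated save, not a wrong policy, so the ruleset itself still needs reviewing before it is installed as the boot default.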


