
Re: default firewall utility changes for Debian 11 bullseye



On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote:

> Hi there,
> 
> as you may know, Debian 10 buster includes the iptables-nft utility by default,
> which is an iptables flavor that uses the nf_tables kernel subsystem.
> It is intended to help people migrate from iptables to nftables.
> 
> For the next release cycle I propose we move this default event further.
> As of this email, iptables [0] is Priority: important and nftables [1] is
> Priority: optional in both buster and bullseye. The important value means the
> package gets installed by default in every Debian install.

As the upstream ufw developer, this makes sense to me.

> Also, I believe the days of using a low level tool for directly configuring the
> firewall may be gone, at least for desktop use cases. It seems the industry more
> or less agreed on using firewalld [2] as a wrapper for the system firewall.
> There are plenty of system services that integrate with firewalld anyway [3].
> By the way, firewalld is using (or should be using) nftables by default at this
> point.
>
> This email contains 2 changes/proposals for Debian 11 bullseye:
> 
> 1) switch priority values for iptables/nftables, i.e, make nftables Priority:
> important and iptables Priority: optional

Makes sense.

> 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> desktop related tasksel tasks.

I'm obviously biased, but anecdotally I have had quite a few people say
disparaging things about firewalld, particularly from server admins. I'm not
really in a position for people to sing firewalld's praises to me, so take that
for what it is worth.

IIRC, network-manager has a fair frontend for firewalld that could be nice for
desktop users if Debian wants that tight integration. That said, I can say that
the ufw packaging makes it so it stays out of the way for people who want to
use other firewall applications. I encourage Debian in whatever choice is made
to make sure that the experience degrades gracefully if someone chooses
something other than the default.

-- 
Email: jamie@strandboge.com
IRC:   jdstrand

