Re: default firewall utility changes for Debian 11 bullseye
Hi Arturo!
I know that this discussion took place some months ago, but I am just
now getting around to catching up on some old threads :-)
On Tue, Jul 30, 2019 at 01:52:30PM +0200, Arturo Borrero Gonzalez wrote:
> Ok, after a couple of weeks, let's try to summarize:
>
> On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote:
> >
> > This email contains 2 changes/proposals for Debian 11 bullseye:
> >
> > 1) switch priority values for iptables/nftables, i.e, make nftables Priority:
> > important and iptables Priority: optional
> >
>
> Nobody seems to disagree with this point. So I will be doing this soon.
>
It looks like the situation in sid has not changed yet:
(sid)root@build01:/tmp# apt-cache show iptables nftables | egrep 'Package|Version|Priority|^$'
Package: iptables
Version: 1.8.4-1
Priority: important
Package: nftables
Version: 0.9.3-1
Priority: optional
Do you still intend to make the change in priorities?
> > 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> > desktop related tasksel tasks.
> >
>
> There are some mixed feelings about this. However I couldn't find any strong
> opinion against either.
>
> What I would do regarding this is (just a suggestion):
> * raise priority of firewalld
> * document in-wiki what defaults are, and how to move away from them
> * include some documentation bits in other firewalling wrappers on how to deal
> with this default, i.e what needs to be changed in the system for ufw to work
> without interferences (disable firewalld?)
>
I like the idea of documenting this all in a wiki.
[Side note: I maintain Shorewall in Debian and since the upstream author
announced his retirement earlier this year several of the most active
developers/community members (including me) have begun the process of
taking over the project from him. One of the items we have discussed is
support for nftables, so I can see that changing in the coming year,
making a wiki page a good choice for where to document Shorewall
integration with various Debian parts.]
Incidentally, the Debian Installation Guide makes no mention of
firewalls or even basic steps to secure the system. If a wiki page is
developed that documents the various firewall integration options, it
would be nice if it became the basis of a new section in the
installation manual (perhaps under section 8, Next Steps and Where to Go
From Here). It may also be a good addition/improvement to the Securing
Debian Manual.
In any event, I am just offering some thoughts; perhaps they might be of
some use.
Regards,
-Roberto
--
Roberto C. Sánchez