
Re: default firewall utility changes for Debian 11 bullseye



Hi Arturo!

I know that this discussion took place some months ago, but I am just
now getting around to catching up on some old threads :-)

On Tue, Jul 30, 2019 at 01:52:30PM +0200, Arturo Borrero Gonzalez wrote:
> Ok, after a couple of weeks, let's try to summarize:
> 
> On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote:
> > 
> > This email contains 2 changes/proposals for Debian 11 bullseye:
> > 
> > 1) switch priority values for iptables/nftables, i.e, make nftables Priority:
> > important and iptables Priority: optional
> > 
> 
> Nobody seems to disagree with this point. So I will be doing this soon.
> 
It looks like the situation in sid has not changed yet:

(sid)root@build01:/tmp# apt-cache show iptables nftables | egrep 'Package|Version|Priority|^$'
Package: iptables
Version: 1.8.4-1
Priority: important

Package: nftables
Version: 0.9.3-1
Priority: optional

Do you still intend to make the change in priorities?

> > 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> > desktop related tasksel tasks.
> > 
> 
> There are some mixed feelings about this. However I couldn't find any strong
> opinion against either.
> 
> What I would do regarding this is (just a suggestion):
> * raise priority of firewalld
> * document in-wiki what defaults are, and how to move away from them
> * include some documentation bits in other firewalling wrappers on how to deal
> with this default, i.e what needs to be changed in the system for ufw to work
> without interferences (disable firewalld?)
> 
I like the idea of documenting this all in a wiki.

[Side note: I maintain Shorewall in Debian and since the upstream author
announced his retirement earlier this year several of the most active
developers/community members (including me) have begun the process of
taking over the project from him.  One of the items we have discussed is
support for nftables, so I can see that changing in the coming year,
making a wiki page a good choice for where to document Shorewall
integration with various Debian parts.]

Incidentally, the Debian Installation Guide makes no mention of
firewalls or even basic steps to secure the system.  If a wiki page is
developed that documents the various firewall integration options, it
would be nice if it became the basis of a new section in the
installation manual (perhaps under section 8, Next Steps and Where to Go
From Here).  It may also be a good addition/improvement to the Securing
Debian Manual.

In any event, I am just offering some thoughts; perhaps they might be of
some use.

Regards,

-Roberto

-- 
Roberto C. Sánchez

