Re: default firewall utility changes for Debian 11 bullseye
On Wed, Jul 31, 2019 at 04:27:24AM +0000, Scott Kitterman wrote:
> On July 30, 2019 11:52:30 AM UTC, Arturo Borrero Gonzalez <arturo@debian.org> wrote:
> >On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote:
> >> 2) introduce firewalld as the default firewalling wrapper in Debian,
> >> at least in desktop related tasksel tasks.
> >
> >There are some mixed feelings about this. However I couldn't find any
> >strong opinion against either.
> >
> >What I would do regarding this is (just a suggestion):
> >* raise priority of firewalld
> >* document in-wiki what defaults are, and how to move away from them
> >* include some documentation bits in other firewalling wrappers on how to
> >deal with this default, i.e. what needs to be changed in the system for
> >ufw to work without interferences (disable firewalld?)
> >
> >I don't maintain/control firewalld/ufw so I can't do these changes myself
> >and will leave it to Cyril/Michael/Jaime to handle the situation for new
> >bullseye install as they see fit.
>
> Please don't install one by default. I suspect it will cause more trouble
> for end users than it's worth. Making sure our default install is
> severely limited in what ports it listens to is likely more broadly useful
> and less risky.
+1000.

A network firewall is useful. But why would someone want a _host_ firewall
on any sane operating system? If a daemon is not supposed to listen on
the network, don't install it or configure it that way. If a process is
supposed to be contained and unable to use the network, contain it.

A port blocker just sabotages user's requests, requiring every configuration
action to be done twice.

A user who actually has a complex host setup needs basic skills to do so,
and those skills are more involved than installing a package would be.

Meow!
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian is one big family. Including that weird uncle
⢿⡄⠘⠷⠚⠋⠀ and ultra-religious in-laws.
⠈⠳⣄⠀⠀⠀⠀