Re: secure installation
"R. W. Rodolico" <firstname.lastname@example.org> writes:
> For workstations, I tend to use Kubuntu. On that, yes, I want a
> firewall, and since I recommend it to anyone who asks (and even have my
> sales staff using it), a default firewall is a Good Thing.

The part that concerns me about installing a firewall by default is that
people seem to put irrational trust in a firewall and use it as an excuse
to not address other security issues. The *best* thing to do is to design
secure services that either don't randomly listen to the network or that
deal with network traffic in a secure fashion, and I'd really like to
maintain Debian's emphasis there. Installing a firewall, which often does
little or nothing, strikes me as cargo cult security, and cargo cult
security can be worse than useless.

A well-designed and reviewed set of iptables rules provides additional
defense in depth and we do deploy iptables on all of our servers and
manage those rules as part of their Puppet model, but it's not something
that you can tell an average user to just apt-get install and have work in
a way that offers any real security, IMO.

Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>