[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Why not have firewall rules by default?

--On January 23, 2008 9:19:01 AM -0600 William Twomey <william.twomey@gmail.com> wrote:

It's my understanding (and experience) that a Debian system by default is
vulnerable to SYN flooding (at least when running services) and other
such mischeif. I was curious as to why tcp_syncookies (and similar
things) are not enabled by default.

There was atleast at some point I believe evidence that some platforms/firewalls didn't play well with SYN cookies. I could be wrong.

Many distros (RPM-based mostly from my experience) ask you during the
install if you'd like to enable firewall protection. I was curious if
debian was every going to have this as an option?

There are so many different choices of firewall management packages. Shorewall is one I use, there are many others. Some of which don't play well with extra things that some users may use like wondershaper. Debian is still one of those distros that believes a little more in choice than just pushing things down the users throat.

One solution could be to have a folder called /etc/security/iptables that
contains files that get passed to iptables at startup (in the same way
/etc/rc2.d gets read in numeric order). So you could have files like
22ssh, 23ftp, etc. with iptable rules in each file. You could also have
an 'ENABLED' variable like some files in /etc/default have (so that ports
wouldn't be opened by default; the user would have to manually enable
them for the port to be opened).
 Then they'd just run /etc/init.d/iptables restart and the port would be
opened (flush the rules, reapply).

It's better to leave the service disabled, or even better, completely uninstalled from a security standpoint, and from a DoS standpoint as well. The Linux kernel isn't very efficient at processing firewall rules. Newer kernels might be though (I honestly haven't looked as deeply into this in late 2.6 as i did/do in 2.4...2.4 processes firewall rules strictly step by step)

Even a central iptables-save format file that gets passed to iptables at
startup would be nice. It's easy enough to do manually, but would be nice
to see integrated with debian itself (packages managing their own rules,

This much does exist. invoke-rc.d iptables save --- i'm not sure what package the /etc/init.d/iptables script is in, seems to me like it was part of the same package that provided the binaries.

Is debian every going to introduce a better way of having iptables rules
be run at startup and easily saved/managed, or will this always be a
manual process?

Probably not, as, in the distro, there's at least one good firewall management utility, and probably more than one. No need to reinvent the wheel.

Reply to: