Re: Why not have firewall rules by default?

To: debian-security@lists.debian.org
Subject: Re: Why not have firewall rules by default?
From: Michael Loftis <mloftis@modwest.com>
Date: Wed, 23 Jan 2008 08:29:25 -0700
Message-id: <[🔎] 8A0AA67A76C9E2B8277B2F98@ZOP-MACTEL-2.local>
In-reply-to: <[🔎] 47975AE5.80801@gmail.com>
References: <[🔎] 47975AE5.80801@gmail.com>

--On January 23, 2008 9:19:01 AM -0600 William Twomey<william.twomey@gmail.com> wrote:

It's my understanding (and experience) that a Debian system by default is
vulnerable to SYN flooding (at least when running services) and other
such mischeif. I was curious as to why tcp_syncookies (and similar
things) are not enabled by default.

There was atleast at some point I believe evidence that someplatforms/firewalls didn't play well with SYN cookies. I could be wrong.

Many distros (RPM-based mostly from my experience) ask you during the
install if you'd like to enable firewall protection. I was curious if
debian was every going to have this as an option?

There are so many different choices of firewall management packages.Shorewall is one I use, there are many others. Some of which don't playwell with extra things that some users may use like wondershaper. Debianis still one of those distros that believes a little more in choice thanjust pushing things down the users throat.


One solution could be to have a folder called /etc/security/iptables that
contains files that get passed to iptables at startup (in the same way
/etc/rc2.d gets read in numeric order). So you could have files like
22ssh, 23ftp, etc. with iptable rules in each file. You could also have
an 'ENABLED' variable like some files in /etc/default have (so that ports
wouldn't be opened by default; the user would have to manually enable
them for the port to be opened).
 Then they'd just run /etc/init.d/iptables restart and the port would be
opened (flush the rules, reapply).

It's better to leave the service disabled, or even better, completelyuninstalled from a security standpoint, and from a DoS standpoint as well.The Linux kernel isn't very efficient at processing firewall rules. Newerkernels might be though (I honestly haven't looked as deeply into this inlate 2.6 as i did/do in 2.4...2.4 processes firewall rules strictly step bystep)


Even a central iptables-save format file that gets passed to iptables at
startup would be nice. It's easy enough to do manually, but would be nice
to see integrated with debian itself (packages managing their own rules,
etc.).

This much does exist. invoke-rc.d iptables save --- i'm not sure whatpackage the /etc/init.d/iptables script is in, seems to me like it was partof the same package that provided the binaries.

Is debian every going to introduce a better way of having iptables rules
be run at startup and easily saved/managed, or will this always be a
manual process?

Probably not, as, in the distro, there's at least one good firewallmanagement utility, and probably more than one. No need to reinvent thewheel.

Reply to:

Follow-Ups:
- Re: Why not have firewall rules by default?
  - From: Rolf Kutz <rk@vzsze.de>
- Re: Why not have firewall rules by default?
  - From: maximilian attems <max@stro.at>
- Re: Why not have firewall rules by default?
  - From: Vincent Deffontaines <vincent@gryzor.com>

References:
- Why not have firewall rules by default?
  - From: William Twomey <william.twomey@gmail.com>

Prev by Date: Re: Why not have firewall rules by default?
Next by Date: Re: Why not have firewall rules by default?
Previous by thread: Re: Why not have firewall rules by default?
Next by thread: Re: Why not have firewall rules by default?
Index(es):
- Date
- Thread