Re: Why not have firewall rules by default?
--On January 23, 2008 9:19:01 AM -0600 William Twomey
It's my understanding (and experience) that a Debian system by default is
vulnerable to SYN flooding (at least when running services) and other
such mischief. I was curious as to why tcp_syncookies (and similar
things) are not enabled by default.
There was, at least at some point, I believe, evidence that some
platforms/firewalls didn't play well with SYN cookies. I could be wrong.
Many distros (RPM-based mostly from my experience) ask you during the
install if you'd like to enable firewall protection. I was curious if
Debian was ever going to have this as an option?
There are so many different choices of firewall management packages.
Shorewall is one I use; there are many others, some of which don't play
well with extra things that some users may use, like wondershaper. Debian
is still one of those distros that believes a little more in choice than
just pushing things down the user's throat.
One solution could be to have a folder called /etc/security/iptables that
contains files that get passed to iptables at startup (in the same way
/etc/rc2.d gets read in numeric order). So you could have files like
22ssh, 23ftp, etc. with iptables rules in each file. You could also have
an 'ENABLED' variable like some files in /etc/default have (so that ports
wouldn't be opened by default; the user would have to manually enable
them for the port to be opened).
Then they'd just run /etc/init.d/iptables restart and the port would be
opened (flush the rules, reapply).
It's better to leave the service disabled, or even better, completely
uninstalled from a security standpoint, and from a DoS standpoint as well.
The Linux kernel isn't very efficient at processing firewall rules. Newer
kernels might be though (I honestly haven't looked as deeply into this in
late 2.6 as I did/do in 2.4... 2.4 processes firewall rules strictly step by
Even a central iptables-save format file that gets passed to iptables at
startup would be nice. It's easy enough to do manually, but would be nice
to see integrated with debian itself (packages managing their own rules,
This much does exist: invoke-rc.d iptables save. I'm not sure what
package the /etc/init.d/iptables script is in; seems to me like it was part
of the same package that provided the binaries.
Is Debian ever going to introduce a better way of having iptables rules
be run at startup and easily saved/managed, or will this always be a
Probably not, as, in the distro, there's at least one good firewall
management utility, and probably more than one. No need to reinvent the