[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Why not have firewall rules by default?

William Twomey wrote:

Debian haven't any open services by default, except portmapper and behind portmapper aren't any services. So no need for host firewall.
But isn't it reasonable to assume that most people will be installing services? Even a desktop user is likely to enable SSH and maybe even apache for convenience. And I'm not asking for this to be mandatory; just an option during the initial install.

If all services are allowed from host to anywhere firewall cannot do nothing in case when host it compromised and is very difficult made default rules for that. If user install example apache we need mechanism which automatically allow connection/s from outside to service/s. What is different? Host without firewall and port 80 open or host with firewall and rule which open port 80?
It's less likely for the host to be compromised if it's behind a good firewall, don't you think?
Yes of course, but i think at perimeter firewall is for that expect you really need tight server installation.

For example, if only port 22 is allowed (after they install SSH) and they foolishly run a malicious program/script as root that creates a backdoor at some random portOr even restrict some outgoing ports (common rootkits, anything over port 1024 perhaps?)

If you restrict all over port 1024 you cannot use your computer :)

myhost:34873          otherhost:ssh         ESTABLISHED
otherhost:22            myhost:34873         ESTABLISHED

This is reason why use statefull inspection at perimeter firewall. It's open high port/s related a allowed established connection and keep other high port closed if you compare to old router's access list, only ports < 1024 can filtered. Iptables have statefull capabilties.


If you have rootkit with root permissions it can disable your firewall or connect with normal client software to anywhere. So in host firewall you must restrict outside and inside port/s and this is nightmare maintain at normal user desktop. Compare Windows Antivirus/Firewall softwares and why it ask "This program tries connect to internet, allow or deny". Yes many of Windows firewalls are packet filters ie. all high ports open

Normally this kind systems are used only servers when needed really tight security.

A few prompts during the installation would be able to make a suitable firewall script for most users (and other users would choose not to use it).
If this is needed/wanted to Debian, no problems, but remember obscure isn't security. With fwbuilder, lokkit (Gnome), kmyfirewall (kde) etc is very easy made and maintain firewall/s at Linux and all of these are regular Debian packages. That is true at there should be more information about firewall possibilities example at http://www.debian.org/doc/manuals/securing-debian-howto/

I like Debian because it don't tried install for me selinux, firewalls and all bells and whistles. This isn't sometimes remember at some distributions :) I can choose myself which is suitable for me.

Regards, Riku

Reply to: