Re: Why not have firewall rules by default?
William Twomey wrote:
>> Debian doesn't have any open services by default, except portmapper, and
>> behind portmapper there aren't any services. So there is no need for a host firewall.
> But isn't it reasonable to assume that most people will be installing
> services? Even a desktop user is likely to enable SSH and maybe even
> apache for convenience. And I'm not asking for this to be mandatory;
> just an option during the initial install.
If all services are allowed from the host to anywhere, the firewall cannot do
anything in case the host is compromised, and it is very difficult to make
default rules for that. If the user installs, for example, apache, we need a
mechanism which automatically allows connection(s) from outside to the
service(s). What is the difference? A host without a firewall and port 80 open,
or a host with a firewall and a rule which opens port 80?
> It's less likely for the host to be compromised if it's behind a good
> firewall, don't you think?
Yes, of course, but I think a perimeter firewall is for that, except when you
really need a tight server installation.
> For example, if only port 22 is allowed (after they install SSH) and
> they foolishly run a malicious program/script as root that creates a
> backdoor at some random port. Or even restrict some outgoing ports
> (common rootkits, anything over port 1024 perhaps?)
If you restrict everything over port 1024 you cannot use your computer :)
  myhost:34873 otherhost:ssh ESTABLISHED
  otherhost:22 myhost:34873 ESTABLISHED
This is the reason why stateful inspection is used at the perimeter firewall.
It opens the high port(s) related to an allowed established connection and
keeps the other high ports closed; if you compare this to an old router's
access list, only ports < 1024 can be filtered. Iptables has stateful
capabilities.
http://www.checkpoint.com/products/downloads/Stateful_Inspection.pdf
If you have a rootkit with root permissions it can disable your firewall
or connect with normal client software to anywhere. So in a host firewall
you must restrict outside and inside port(s), and this is a nightmare to
maintain on a normal user desktop. Compare Windows antivirus/firewall
software and why it asks "This program tries to connect to the internet, allow
or deny". Yes, many Windows firewalls are packet filters, i.e. all high
ports open.
Normally these kinds of systems are used only on servers when really
tight security is needed.
> A few prompts during the installation would be able to make a suitable
> firewall script for most users (and other users would choose not to
> use it).
If this is needed/wanted in Debian, no problem, but remember obscurity
isn't security.
With fwbuilder, lokkit (Gnome), kmyfirewall (KDE) etc. it is very easy to make
and maintain firewall(s) on Linux, and all of these are regular Debian
packages. It is true that there should be more information about
firewall possibilities, for example at
http://www.debian.org/doc/manuals/securing-debian-howto/
I like Debian because it doesn't try to install selinux, firewalls
and all the bells and whistles for me. This sometimes isn't remembered by some
distributions :) I can choose for myself what is suitable for me.
Regards, Riku
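Added example (not part of Riku's or William's mail): a toy model of the stateful host policy discussed in the thread. It replays the netstat lines above (myhost:34873 <-> otherhost:22) and shows why connection tracking lets a reply come back to a random high port while an unsolicited packet to that same port, or to a port no rule allows, is dropped. The iptables lines in the docstring are real rule syntax but are a constructed policy written for this illustration; the Packet and StatefulFilter names and the "stranger"/"client" endpoints are made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A minimal TCP packet: endpoints plus whether it opens a connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for a connection-opening (SYN) packet


class StatefulFilter:
    """Toy model of a host firewall with connection tracking.

    Policy modelled (constructed example, written in iptables terms):
        iptables -P INPUT DROP
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
        iptables -P OUTPUT ACCEPT
    """

    def __init__(self, host_ip, allowed_inbound_ports):
        self.host_ip = host_ip
        self.allowed = set(allowed_inbound_ports)
        # Connection table keyed by (local_ip, local_port, remote_ip, remote_port),
        # standing in for the kernel's conntrack entries.
        self.established = set()

    def outbound(self, pkt):
        """Packet leaving the host: OUTPUT policy is ACCEPT and the flow is tracked."""
        self.established.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "ACCEPT"

    def inbound(self, pkt):
        """Packet arriving at the host: decide like the INPUT chain above."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.established:
            return "ACCEPT"   # ESTABLISHED: reply to a tracked connection
        if pkt.syn and pkt.dst_port in self.allowed:
            self.established.add(key)
            return "ACCEPT"   # NEW connection to an explicitly allowed service port
        return "DROP"         # everything else, including unsolicited packets
                              # to a high port, falls through to the DROP policy


def scenario():
    """Replay the thread's netstat example plus a listener on a random high port.

    Returns a dict of verdicts so the outcome can be inspected or asserted on.
    """
    fw = StatefulFilter("myhost", allowed_inbound_ports={22})

    # myhost:34873 -> otherhost:22 (the ESTABLISHED ssh session from the thread)
    fw.outbound(Packet("myhost", 34873, "otherhost", 22, syn=True))
    verdicts = {
        # otherhost's reply comes back to high port 34873 and is accepted
        "ssh_reply_to_34873": fw.inbound(Packet("otherhost", 22, "myhost", 34873)),
        # a stranger opening a connection to 34873 (e.g. to a backdoor bound there) is dropped
        "unsolicited_to_34873": fw.inbound(Packet("stranger", 40000, "myhost", 34873, syn=True)),
        # a new connection to the allowed sshd port is accepted
        "new_ssh_to_22": fw.inbound(Packet("client", 51000, "myhost", 22, syn=True)),
        # a new connection to a port no rule allows (a freshly installed apache) is dropped
        "new_http_to_80": fw.inbound(Packet("client", 51001, "myhost", 80, syn=True)),
    }
    return verdicts


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:24s} {verdict}")
```

The last case is Riku's point: once the user installs apache, a rule for port 80 still has to be added by hand or by some install-time mechanism, which is the maintenance cost a default host firewall would carry. The stateful part is what makes the first two cases differ even though both packets are addressed to the same high port.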