
Re: Why not have firewall rules by default?



William Twomey wrote:

>> Debian doesn't have any open services by default, except portmapper, and behind portmapper there aren't any services. So there is no need for a host firewall.
> But isn't it reasonable to assume that most people will be installing services? Even a desktop user is likely to enable SSH and maybe even apache for convenience. And I'm not asking for this to be mandatory; just an option during the initial install.

>> If all services are allowed from the host to anywhere, a firewall cannot do anything in the case where the host is compromised, and it is very difficult to make default rules for that. If a user installs, for example, apache, we need a mechanism which automatically allows connections from outside to the services. What is the difference? A host without a firewall and port 80 open, or a host with a firewall and a rule which opens port 80?
> It's less likely for the host to be compromised if it's behind a good firewall, don't you think?
Yes of course, but I think a perimeter firewall is for that, except when you really need a tight server installation.

> For example, if only port 22 is allowed (after they install SSH) and they foolishly run a malicious program/script as root that creates a backdoor at some random port
>
> Or even restrict some outgoing ports (common rootkits, anything over port 1024 perhaps?)


If you restrict everything over port 1024 you cannot use your computer :)

myhost:34873          otherhost:ssh         ESTABLISHED
otherhost:22            myhost:34873         ESTABLISHED


This is the reason why stateful inspection is used at the perimeter firewall. It opens the high port(s) related to an allowed established connection and keeps the other high ports closed; compare that to an old router's access list, where only ports < 1024 can be filtered. Iptables has stateful capabilities.

http://www.checkpoint.com/products/downloads/Stateful_Inspection.pdf

If you have a rootkit with root permissions it can disable your firewall or connect with normal client software to anywhere. So in a host firewall you must restrict outside and inside port(s), and this is a nightmare to maintain on a normal user desktop. Compare Windows antivirus/firewall software and why it asks "This program tries to connect to the internet, allow or deny". Yes, many Windows firewalls are packet filters, i.e. all high ports open.

Normally these kinds of systems are used only on servers when really tight security is needed.

> A few prompts during the installation would be able to make a suitable firewall script for most users (and other users would choose not to use it).
If this is needed/wanted in Debian, no problem, but remember obscurity isn't security. With fwbuilder, lokkit (Gnome), kmyfirewall (kde) etc. it is very easy to make and maintain firewall(s) on Linux, and all of these are regular Debian packages. It is true that there should be more information about firewall possibilities, for example at http://www.debian.org/doc/manuals/securing-debian-howto/

I like Debian because it doesn't try to install selinux, firewalls and all the bells and whistles for me. This isn't always remembered by some distributions :) I can choose myself what is suitable for me.

Regards, Riku
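Riku's point above about stateful inspection (open only the high ports that belong to a connection the host itself established, keep the rest closed, and iptables can do this on the host as well) as an added example that is not from the thread: a POSIX shell script that generates such an iptables rule set for a desktop offering only SSH, plus a check that no port above 1024 is ever opened statically. The IPT variable, the function names and the use of the conntrack match are my assumptions; it prints the rules by default and only loads them if IPT=iptables is set.

```shell
#!/bin/sh
# Stateful host firewall for a desktop that offers only the services it was told to.
# Constructed example, not code from the thread. Assumes IPv4 iptables with the
# conntrack match. Dry run by default: set IPT=iptables to load the rules for real.
IPT="${IPT:-echo iptables}"

# stateful_rules [tcp ports...] : default policy DROP, then let back in only packets
# that belong to a connection this host already opened (ESTABLISHED,RELATED), e.g. the
# reply half of myhost:34873 <-> otherhost:22, and NEW connections to the listed ports.
# No high port is opened statically, which is what a plain "block everything above
# 1024" packet filter would have to do to keep outgoing connections usable.
stateful_rules() {
    allowed_tcp="${*:-22}"
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    for p in $allowed_tcp; do
        # only the SYN of a brand-new connection to an offered service is accepted
        $IPT -A INPUT -p tcp --dport "$p" --syn -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# opens_high_port [tcp ports...] : exit 0 if the generated rule set statically accepts
# NEW connections to any TCP port above 1024, 1 otherwise. Always runs in dry-run
# mode (subshell), so it never touches the live rule set.
opens_high_port() {
    (IPT="echo iptables"; stateful_rules "$@") | grep -o -- '--dport [0-9]*' |
        awk '{ if ($2 > 1024) found = 1 } END { exit !found }'
}

# Usage: print (or, with IPT=iptables, load) a rule set for an SSH-only desktop.
stateful_rules 22
```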