
Re: Why not have firewall rules by default?



On Wed, Jan 23, 2008 at 11:22:41PM +0100, Florian Weimer wrote:
> The daemon might have been installed by a package dependency, more or
> less by accident.  Debian should have a policy that all daemons bind to
> the loopback interface by default, but as long as this is not the case,
> I can understand why people put packet filters on hosts as a safety net.

Debian has a policy to install as few network services as possible in a
default install and bind them to the loopback interface if possible. Please
check out section 3.6 of the "Securing Debian Manual". IIRC:

- a default install (i.e. one in which you just press "Enter" all the way and
  select no tasks) will get you OpenSSH, Exim and portmap, with Exim bound to
  the loopback interface. 
  
- through an expert installation you can get to a system with no services.

- a standard desktop installation adds to the standard installation the
  printing (cups, but can be bound to loopback) and the autodiscovery (avahi)
  network services.


Regards

Javier

PS: FWIW similar design decisions were taken on Ubuntu. They started with a
'no open ports policy' but switched recently to a strict, but more open
policy, see https://wiki.ubuntu.com/DefaultNetworkServices

Notice, however, that the list of network services in Ubuntu was further
reduced in the default install as it was (originally) more oriented toward
Desktop systems (and not fully UNIX systems).

Now they are even thinking of including a firewall in their default install
(see https://wiki.ubuntu.com/UbuntuFirewall). Who knows, maybe Debian will
reuse that in our default Desktop install.
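The check implied by the discussion above, as an added example that is not part of the original message: given `ss`-style listener output, report which sockets are bound to something other than the loopback interface, i.e. the services a host packet filter would otherwise have to cover. The `ss` column layout (State Recv-Q Send-Q Local:Port Peer:Port [Process], optionally with a leading Netid column) and the sample lines below are assumptions of this example; the sample is constructed to resemble the default install described in the post.

```shell
#!/bin/sh
# Added example (not from the original post): report listening sockets that
# are NOT bound to the loopback interface. Assumes the line format of
# `ss -Hltnup` (State Recv-Q Send-Q Local:Port Peer:Port [Process]),
# optionally with a leading Netid column. The local address is located as
# the field just before the peer column, which for a listener ends in ":*",
# so header lines and extra leading columns are tolerated.

exposed_listeners() {
  awk '
    {
      laddr = ""; proc = ""
      for (i = 2; i <= NF; i++)
        if ($i ~ /:\*$/) { laddr = $(i - 1); proc = $(i + 1); break }
      if (laddr == "") next              # not a socket line (e.g. a header)
      addr = laddr
      sub(/:[^:]*$/, "", addr)           # strip the port, keep "[::1]" etc.
      # 127.0.0.0/8 and ::1 are loopback-only; everything else (0.0.0.0,
      # [::], *, or a specific interface address) is reachable from outside.
      if (addr !~ /^127\./ && addr != "[::1]")
        print laddr, (proc == "" ? "-" : proc)
    }'
}

# Constructed sample modelled on the default install described in the post
# (OpenSSH on all addresses, Exim on loopback, portmap) plus cups bound to
# loopback. Not real output from any particular host.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=611,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=611,fd=4))
LISTEN 0 20 127.0.0.1:25 0.0.0.0:* users:(("exim4",pid=700,fd=5))
LISTEN 0 20 [::1]:25 [::]:* users:(("exim4",pid=700,fd=6))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("portmap",pid=480,fd=8))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=812,fd=7))'

# Run against the sample; on a live host use:  ss -Hltnup | exposed_listeners
printf '%s\n' "$SAMPLE" | exposed_listeners
```

On the sample this prints the two sshd sockets and portmap, and stays silent for exim4 and cupsd, which is exactly the set the post says a plain default install leaves reachable. An older `netstat -ltnup` listing carries the same local/peer pair, but the column after the peer address is the state rather than the process, so the last column of the report would differ there.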
