On 2008-01-23 09:19:01, William Twomey wrote:

> It's my understanding (and experience) that a Debian system by default
> is vulnerable to SYN flooding (at least when running services) and other
> such mischief. I was curious as to why tcp_syncookies (and similar
> things) are not enabled by default.

Hmm, in three months I will have been using Debian GNU/Linux for 9 years
and I was never SYN flooded or hacked, and currently I am maintaining a
world wide network of 280 servers and over 900 workstations... And I have
services running, but only those which are REALLY required and not more.

> Many distros (RPM-based mostly from my experience) ask you during the
> install if you'd like to enable firewall protection. I was curious if
> Debian was ever going to have this as an option?

Sorry, but Debian is NOT an "install and do not ask questions" distro.
Here, the $USER has the choice of a couple of different firewall
solutions, and some $USER may use only an $EDITOR and hack some ipt lines
down.

> One solution could be to have a folder called /etc/security/iptables
> that contains files that get passed to iptables at startup (in the same
> way /etc/rc2.d gets read in numeric order). So you could have files like
> 22ssh, 23ftp, etc. with iptables rules in each file. You could also have
> an 'ENABLED' variable like some files in /etc/default have (so that
> ports wouldn't be opened by default; the user would have to manually
> enable them for the port to be opened).
>
> Then they'd just run /etc/init.d/iptables restart and the port would be
> opened (flush the rules, reapply).

Nice idea, but not flexible enough, since it CAN conflict with most
firewall solutions.

> Even a central iptables-save format file that gets passed to iptables at
> startup would be nice. It's easy enough to do manually, but would be
> nice to see integrated with Debian itself (packages managing their own
> rules, etc.).

But not usable for most firewall solutions...

I have already tried the ipt-save/restore stuff on my routers, but it
drove me crazy...

> Is Debian ever going to introduce a better way of having iptables rules
> be run at startup and easily saved/managed, or will this always be a
> manual process?

I think not.

Thanks, Greetings and nice Day
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack    Apt. 917                    ICQ #328449886
                    50, rue de Soultz           MSN LinuxMichi
0033/6/61925193     67100 Strasbourg/France     IRC #Debian (irc.icq.com)
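As an added example (not code from the thread, from Debian, or from any firewall package), here is a minimal loader in the shape William Twomey proposes: a directory of per-service rule fragments applied in lexical order, each one ignored unless it sets ENABLED=yes, with a "flush, then reapply" reload and the tcp_syncookies knob from the first question turned on alongside. The directory path /etc/security/iptables, the ENABLED marker, the fragment names and the default-policy lines are all assumptions taken from the proposal or chosen here; RULES_DIR, IPTABLES and SYSCTL are overridable so the loader can be exercised without root or a real netfilter.

```bash
#!/bin/sh
# Hypothetical loader for a directory of iptables rule fragments
# (layout from the mailing-list proposal, not a Debian facility).
# Fragments are applied in lexical order (22ssh before 23ftp) and only
# when they contain a line "ENABLED=yes"; every other non-comment line
# is handed to iptables verbatim.

RULES_DIR="${RULES_DIR:-/etc/security/iptables}"   # assumed location
IPTABLES="${IPTABLES:-iptables}"                   # overridable for dry runs
SYSCTL="${SYSCTL:-sysctl}"

# Print the paths of the enabled fragments in a directory, in order.
enabled_fragments() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q '^ENABLED=yes$' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Pass each rule line of one fragment to iptables; the ENABLED marker,
# comments and blank lines are skipped.
apply_fragment() {
    f="$1"
    grep -v -e '^ENABLED=' -e '^#' -e '^[[:space:]]*$' "$f" |
    while IFS= read -r rule; do
        # Word-splitting of $rule is intentional: it is an argv for iptables.
        $IPTABLES $rule
    done
}

# Defensive default: flush INPUT, drop by default, keep loopback and
# already-established traffic (these three lines are assumptions, not
# part of the proposal).
flush_rules() {
    $IPTABLES -F INPUT
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Turn on SYN cookies so a flood of half-open connections cannot
# exhaust the SYN backlog (the setting asked about in the thread).
enable_syncookies() {
    $SYSCTL -w net.ipv4.tcp_syncookies=1
}

# "Flush the rules, reapply": what an init script's restart would do.
reload() {
    dir="${1:-$RULES_DIR}"
    enable_syncookies
    flush_rules
    enabled_fragments "$dir" | while IFS= read -r f; do
        apply_fragment "$f"
    done
}

# Usage: RULES_DIR=/etc/security/iptables sh loader.sh
# (or IPTABLES=echo sh loader.sh to see what would be applied).
[ "${LOADER_NO_MAIN:-}" ] || [ -n "$SOURCED" ] || true
```

A fragment such as `22ssh` would hold `ENABLED=yes` on one line and `-A INPUT -p tcp --dport 22 -j ACCEPT` on the next; `23ftp` with `ENABLED=no` is parsed but never applied, which is the "closed unless explicitly enabled" behaviour the proposal wants. Running with `IPTABLES=echo` is a cheap way to review the exact argv the loader would hand to iptables before letting it touch a live ruleset.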