Re: Why not have firewall rules by default?



On 2008-01-23 09:19:01, William Twomey wrote:
> It's my understanding (and experience) that a Debian system by default 
> is vulnerable to SYN flooding (at least when running services) and other 
> such mischief. I was curious as to why tcp_syncookies (and similar 
> things) are not enabled by default.

Hmm, in three months I will have been using Debian GNU/Linux for 9 years and
was never SYN-flooded or hacked, and currently I am maintaining a worldwide
network of 280 servers and over 900 workstations...

And I have services running, but only those which are REALLY
required, and not more.

> Many distros (RPM-based mostly from my experience) ask you during the 
> install if you'd like to enable firewall protection. I was curious if 
> Debian was ever going to have this as an option?

Sorry, but Debian is NOT an "install and do not ask questions" distribution.
Here, the $USER has the choice of a couple of different firewall
solutions, and some $USER may use only an $EDITOR and hack some ipt
lines down.

> One solution could be to have a folder called /etc/security/iptables 
> that contains files that get passed to iptables at startup (in the same 
> way /etc/rc2.d gets read in numeric order). So you could have files like 
> 22ssh, 23ftp, etc. with iptable rules in each file. You could also have 
> an 'ENABLED' variable like some files in /etc/default have (so that 
> ports wouldn't be opened by default; the user would have to manually 
> enable them for the port to be opened). 
> 
> Then they'd just run /etc/init.d/iptables restart and the port would be 
> opened (flush the rules, reapply).

Nice idea, but not flexible enough since it CAN conflict with most
firewall solutions.

> Even a central iptables-save format file that gets passed to iptables at 
> startup would be nice. It's easy enough to do manually, but would be 
> nice to see integrated with debian itself (packages managing their own 
> rules, etc.).

But not usable for most firewall solutions...

I have already tried the ipt-save/restore stuff on my routers, but it
drove me crazy...

> Is Debian ever going to introduce a better way of having iptables rules 
> be run at startup and easily saved/managed, or will this always be a 
> manual process?

I think not.

Thanks, Greetings and nice Day
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSN LinuxMichi
0033/6/61925193    67100 Strasbourg/France   IRC #Debian (irc.icq.com)
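The scheme William Twomey proposes above (a directory of per-service rule files with an ENABLED switch, flushed and reapplied by an init script) and the tcp_syncookies sysctl his first question asks about, worked through as an added example. This is not code from the thread, from Debian or from either poster; the directory /etc/security/iptables, the ENABLED=yes line, the 22ssh/23ftp file names and the function names are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian: a loader for a
# directory of per-service iptables rule files, following the scheme the
# quoted proposal sketches. The directory /etc/security/iptables, the
# ENABLED=yes convention and the 22ssh-style file names are assumptions
# made here for illustration.

RULES_DIR="${RULES_DIR:-/etc/security/iptables}"   # assumed location
IPTABLES="${IPTABLES:-iptables}"

# is_enabled FILE: succeed only if FILE carries an uncommented ENABLED=yes
# line, so a newly dropped-in rule file opens nothing until the admin
# explicitly turns it on (the /etc/default-style switch from the proposal).
is_enabled() {
    grep -q '^ENABLED=yes$' "$1"
}

# render_rules DIR: print the iptables invocations apply_rules would run,
# one per line, walking DIR in lexical order so numeric prefixes such as
# 22ssh, 23ftp order the rules like /etc/rc2.d. Only lines that begin with
# an iptables option ("-A INPUT ...") are rules; ENABLED=..., comments and
# blank lines are ignored, and disabled files are skipped entirely.
render_rules() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        is_enabled "$f" || continue
        grep '^-' "$f" | while IFS= read -r line; do
            printf '%s %s\n' "$IPTABLES" "$line"
        done
    done
}

# apply_rules DIR: "flush the rules, reapply", as the proposal puts it.
# Baseline first (loopback and already-established traffic), then the
# per-service files, then a default DROP policy so that anything a file
# did not explicitly open stays closed. Needs root and a real iptables.
apply_rules() {
    dir="$1"
    "$IPTABLES" -F INPUT
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    render_rules "$dir" | while IFS= read -r cmd; do
        # each line is a complete command built from a root-owned rule file
        # shellcheck disable=SC2086
        $cmd
    done
    "$IPTABLES" -P INPUT DROP
}

# syncookies_enabled [FILE]: report whether the kernel has SYN cookies on,
# the sysctl the original question asks about. Values 1 and 2 ("always")
# count as enabled. FILE defaults to the live /proc entry and is a
# parameter only so the check can be exercised against a constructed file.
syncookies_enabled() {
    f="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -r "$f" ] || return 1
    case "$(cat "$f")" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# init-script style entry point; does nothing when no action is given
case "${1:-}" in
    start|restart|reload) apply_rules "$RULES_DIR" ;;
    show)                 render_rules "$RULES_DIR" ;;
    check)                if syncookies_enabled; then echo "tcp_syncookies: on"
                          else echo "tcp_syncookies: off"; fi ;;
esac
```

Run with `show` to see which rules the enabled files would produce before running `restart` on a live box; because apply_rules ends with a DROP policy, applying it over an SSH session without the 22ssh file set to ENABLED=yes cuts that session off, which is the reason the proposal's "closed until the admin enables it" default needs a dry-run view.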
