[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Why not have firewall rules by default?

Am 2008-01-23 09:19:01, schrieb William Twomey:
> It's my understanding (and experience) that a Debian system by default
> is vulnerable to SYN flooding (at least when running services) and other
> such mischeif. I was curious as to why tcp_syncookies (and similar
> things) are not enabled by default.

Hmm, in three month I am using Debian GNU/linux since 9 years and was
never synflooded or hacked and currenly I am maintaining a world wide
network of 280 Servers and over 900 Workstations...

Ind I have services running, but at least only those, which are REALY
required and not more.

> Many distros (RPM-based mostly from my experience) ask you during the
> install if you'd like to enable firewall protection. I was curious if
> debian was every going to have this as an option?

Sorry, but Debian is NOT a "install and do not ask questions" distri.
Here, the $USER has the choice of a couple of different firewall
solutions and some $USER may use only an $EDITOR and hack some ipt
lines down.

> One solution could be to have a folder called /etc/security/iptables
> that contains files that get passed to iptables at startup (in the same
> way /etc/rc2.d gets read in numeric order). So you could have files like
> 22ssh, 23ftp, etc. with iptable rules in each file. You could also have
> an 'ENABLED' variable like some files in /etc/default have (so that
> ports wouldn't be opened by default; the user would have to manually
> enable them for the port to be opened).
> Then they'd just run /etc/init.d/iptables restart and the port would be
> opened (flush the rules, reapply).

Nice idea, but not flexible enough since it CAN conflict with most
firewall solutions.

> Even a central iptables-save format file that gets passed to iptables at
> startup would be nice. It's easy enough to do manually, but would be
> nice to see integrated with debian itself (packages managing their own
> rules, etc.).

But for most firewall solutions not usable...

I have already tried the ipt-save/restor stuff on my routers but it let
me drive crazy...

> Is debian every going to introduce a better way of having iptables rules
> be run at startup and easily saved/managed, or will this always be a
> manual process?

I think not.

Thanks, Greetings and nice Day
   Michelle Konzack
   Tamay Dogan Network
   Debian GNU/Linux Consultant

What about Firestarter? (www.fs-security.com). Is it a good solution to a personal use firewall?
-Ferg @ www.FergSoft.com
Linux User #463470 at counter.li.org


Reply to: