
Re: Why not have firewall rules by default?



I believe Debian's method of handling iptables is perfect. if-up.d and its
counterparts provide a great means for scripting complex firewall sets.

For example, I have written a perl script that parses a custom config file
that defines certain IPs and ports and defines/enables a ruleset
automatically when the interface is brought up.

To maintain an iptables-save ruleset would be much more complex than
writing a one time script and editing a configuration file. It can, of
course, be argued that you can write custom scripts and run them via other
methods, but the way that Debian handles networking scripts creates a
warmer invite for this and simplifies this sort of thing.

On Wed, January 23, 2008 5:22 pm, Florian Weimer wrote:
> * Ondrej Zajicek:
>
>>> You could also have an 'ENABLED' variable like some files in
>>> /etc/default have (so that ports wouldn't be opened by default; the
>>> user would have to manually enable them for the port to be opened).
>>
>> Better way is just not start that daemon.
>
> The daemon might have been installed by a package dependency, more or
> less by accident.  Debian should have a policy that all daemons bind to
> the loopback interface by default, but as long as this is not the case,
> I can understand why people put packet filters on hosts as a safety net.
>
> On the other hand, at this stage, it's very difficult for Debian as a
> distribution to choose what firewall scripting framework should be used.
> (But I don't think this is worth the effort.)


-- 
James Shupe
HermeTek Network Solutions
http://www.hermetek.com
1.866.325.6207
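An added example of the kind of if-up.d hook described in the reply above (written for this page, not the author's perl script): a default-deny chain per interface, built from a small config file and applied when ifupdown brings the interface up. The config path /etc/firewall/<iface>.conf and the "proto port [ipv4-source-cidr]" line format are assumptions; IFACE and MODE are the variables ifupdown exports to hook scripts.

```sh
#!/bin/sh
# Added example, not the author's perl script: an ifupdown hook for
# /etc/network/if-up.d/ that builds a default-deny per-interface chain from a
# small config file. Assumed (illustrative) config path: /etc/firewall/<iface>.conf,
# one "proto port [ipv4-source-cidr]" entry per line, '#' starts a comment.
CONF_DIR="${CONF_DIR:-/etc/firewall}"

# gen_rules IFACE CONF_FILE: print the iptables commands for IFACE to stdout.
# Every field is validated before it reaches a command line, because the
# output is fed to a shell; a bad line makes the function return 1.
gen_rules() {
    iface=$1
    conf=$2
    chain="fw_$iface"
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r proto port src rest; do
        case "$proto" in ''|'#'*) continue ;; esac          # blank line or comment
        case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
        case "$src" in *[!0-9./]*) echo "bad source: $src" >&2; return 1 ;; esac
        if [ -n "$src" ]; then
            echo "iptables -A $chain -p $proto --dport $port -s $src -j ACCEPT"
        else
            echo "iptables -A $chain -p $proto --dport $port -j ACCEPT"
        fi
    done < "$conf"
    echo "iptables -A $chain -j DROP"                        # default deny for this interface
    echo "iptables -D INPUT -i $iface -j $chain 2>/dev/null || true"   # idempotent on re-run
    echo "iptables -A INPUT -i $iface -j $chain"
}

# ifupdown exports IFACE and MODE (start/stop); only act on a real interface coming up.
if [ "${MODE:-}" = "start" ] && [ -n "${IFACE:-}" ] && [ "$IFACE" != lo ] \
   && [ -f "$CONF_DIR/$IFACE.conf" ]; then
    gen_rules "$IFACE" "$CONF_DIR/$IFACE.conf" | sh -e
fi
```

Running it by hand as `MODE=start IFACE=eth0 sh firewall` applies the rules the same way ifupdown would; a malformed config line aborts before anything is loaded.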


