
Re: Debian secure by default?



On Friday 16 May 2008 07:39:27 pm lostson wrote:
> On Fri, 2008-05-16 at 19:09 -0700, Lee Glidewell wrote:
> > On Friday 16 May 2008 07:02:59 pm Paul Johnson wrote:
> > > On Friday 16 May 2008 07:01:38 pm lostson wrote:
> > > >  My 2 cents a default firewall would be nice
> > >
> > > You mean like Windows has?  How about not.  Here's why:
> > > http://samspade.org/d/firewalls.html
> >
> > The money quote from that link:
> > "So... what does a 'personal firewall' actually do? Well, effectively it
> > listens on all the ports on your system. This provides no real additional
> > security over turning off the services that you don't use."
> >
> > The nature and purpose of a "firewall" seems to be greatly misunderstood.
> > Personally, I think security vendor hype is as much to blame as naivete.
> >
> > Lee
>
>  So basically a firewall is useless ?
>
>  LostSon

Well, no, I wouldn't go that far. I would say, however, that a generic,
all-purpose software firewall isn't going to improve Debian's "out of the box"
security.

If you know what you're doing, on the other hand, packet filtering software is 
incredibly useful. The point about the hardware firewalls boils down to two 
facts:
1) If you're serious about security, you should separate services. This means 
giving iptables its own box (e.g., a retail NAT router) rather than assigning 
a workstation to double-duty.
2) If you don't want to set up your own filtering rules, a retail NAT router 
is a better solution than an iptables configuration utility.

The bottom line, IMO, is that a "firewall" is only a set of rules. How useful 
it is can only be judged in light of the specific function of the computer 
it's protecting. 

Lee
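
The quoted point about turning off unused services, and the point that a rule set can only be judged against what the machine is for, both start from knowing which sockets accept traffic from other hosts. The following is an added example, not part of the thread: it classifies listeners from `ss -H -tuln` output as loopback-only or remotely reachable. The sample output is constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not taken from the thread).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      100            [::1]:25            [::]:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0                  *:5353             *:*
tcp   LISTEN 0      128     192.168.1.10:445        0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return (proto, address, port) for each socket line in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # header row, or ss was run without -n
        # Drop the %interface suffix first, then the IPv6 brackets.
        addr = addr.split("%")[0].strip("[]")
        listeners.append((proto, addr, int(port)))
    return listeners


def is_exposed(addr):
    """True if a socket bound to addr can receive traffic from other hosts."""
    if addr == "*":
        return True  # wildcard bind on all addresses
    # 0.0.0.0 and :: are not loopback, so wildcard binds count as exposed.
    return not ipaddress.ip_address(addr).is_loopback


def exposed_services(ss_output):
    """Sorted (proto, port) pairs that a packet filter would actually affect."""
    return sorted({(proto, port)
                   for proto, addr, port in parse_listeners(ss_output)
                   if is_exposed(addr)})


if __name__ == "__main__":
    for proto, port in exposed_services(SAMPLE_SS):
        print(f"{proto}/{port} is reachable from other hosts")
```

Each entry in the result is a service to either disable or cover with a deliberate rule; loopback-only listeners are unaffected by inbound filtering on the external interface.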

