
Re: Debian secure by default?



On Fri, May 16, 2008 at 08:20:07PM -0700, Mike Bird wrote:

> In a standard Debian workstation with no services listening you really
> don't need a firewall today.  This may change if Linux in the future

There's also the case for opening a port but wanting to limit which
systems are trusted to connect to it. Just because they're on your LAN
doesn't mean you want everyone connecting to your wifi router to access
your print server. And hey, maybe you want some finer-grained control
over who can access your sshd (especially considering the recent
weak-key vulnerabilities) than you can get with just sshd_config and
/etc/hosts.{deny,allow} in the mix.

And yes, before someone chimes in and talks about how you can use
tcpwrappers, .htaccess files, or other application-specific controls to
manage access, there's something to be said for a defense-in-depth
approach. So, host-based firewalls are *not* useless, but they may also
not be necessary for a given configuration.

This is very much an "it depends" sort of thing. I agree with the poster
who said that a box with no listening sockets doesn't need an inbound
firewall filter, but just because a function is redundant doesn't mean
it is useless. :)

In practice, though, unless firewall (re)configuration support is added
to every single network-aware package, I don't think shipping a default
firewall is a good idea. It would cause more problems than it would
solve ("Why won't package X work after installation?") and create a huge
amount of added complexity to package installs. This sort of subsystem
could certainly be added to dpkg/debconf with enough dedicated labor,
but I'm not sure it's really needed.

What I really want to know is why the original poster can't just
"aptitude install firestarter" or similar, and scratch his own itch?
That seems simple and painless enough to me, without needing more exotic
solutions.

-- 
"Oh, look: rocks!"
	-- Doctor Who, "Destiny of the Daleks"


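The per-source restriction on sshd and the print server that the message above argues for, written out as a host firewall ruleset with a tcpwrappers fragment as the second, independent layer. This is an added example and not code from the original post or from Debian; the trusted admin subnet (192.0.2.0/24) and the two print-client addresses are assumed placeholders from the documentation range, and the script only prints the iptables commands it would run unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): restrict sshd (22/tcp) and the
# CUPS print server (631/tcp) to trusted sources with netfilter, and back that
# up with a tcpwrappers rule so a firewall mistake alone does not expose sshd.
# Addresses are assumed placeholders from the 192.0.2.0/24 documentation range.

TRUSTED_SSH_NET="${TRUSTED_SSH_NET:-192.0.2.0/24}"                   # may open SSH sessions
TRUSTED_PRINT_HOSTS="${TRUSTED_PRINT_HOSTS:-192.0.2.10 192.0.2.11}"  # may print
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = apply them (needs root)

# Run or print one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Fail-closed inbound policy: default DROP first, then punch only the holes we
# want. Apply from the console or with a timed rollback; an existing SSH session
# keeps working only once the ESTABLISHED rule below is in place.
build_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # sshd: only the admin subnet may start new connections.
    ipt -A INPUT -p tcp --dport 22 -s "$TRUSTED_SSH_NET" -m conntrack --ctstate NEW -j ACCEPT
    # CUPS: only the listed print clients, not every laptop on the wifi.
    for host in $TRUSTED_PRINT_HOSTS; do
        ipt -A INPUT -p tcp --dport 631 -s "$host" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Log (rate limited) and reject everything else so clients fail fast.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-denied: "
    ipt -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Second layer, independent of netfilter: hosts_access(5) rules for a
# libwrap-enabled sshd. IPv4 entries there use the net/mask form, not CIDR.
hosts_allow_fragment() {
    printf 'sshd: 192.0.2.0/255.255.255.0\n'
}
hosts_deny_fragment() {
    printf 'sshd: ALL\n'
}

main() {
    build_rules
    printf '%s\n' '--- /etc/hosts.allow ---'; hosts_allow_fragment
    printf '%s\n' '--- /etc/hosts.deny ---';  hosts_deny_fragment
}

main "$@"
```

The ordering matters: the ESTABLISHED,RELATED rule sits above every service rule so return traffic is never evaluated against the per-port source checks, and the catch-all REJECT is last. The hosts.allow/hosts.deny pair only helps if sshd is built against libwrap (OpenSSH upstream removed that support in 6.7); on a newer sshd the equivalent second layer is a Match Address block in sshd_config.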