
Re: Safety while network install.



Brian wrote:
> Sthu Deus wrote:
> > My pondering/suggestions here:
> > 
> > 1. You agree that it is a good thing to be firewalled for the being
> > installed system - so in case there is no firewall already for it, then
> > it would be still good to have one in the install environment.

Not the way you state it.  I said that having a firewall *separate*
from the machine you are installing upon adds an extra layer of
security and is a good idea.  It isn't required.  It is typical of a
lot of people today that they already operate behind one.  Having one
on the machine you are installing would not give you the same protection.

> No firewall is necessary during an install from a netinst iso. There is
> nothing listening for a connection. No listeners - no connections.

Agreed.

> And unless Debian provides a kernel which falls over at the mere
> sniff of a ping there is no problem there either.

I think it unlikely that the kernel used in the installer would have
an exploitable vulnerability.  Very unlikely.  I am not worried about
it.  But in that strict academic legal setting of if there was a
ping-of-death attack, such as has happened before, then having an
external firewall is safer since it would protect even against that
type of vulnerability.  That previous attack wasn't "which falls over
at the mere sniff of a ping" since it took a specifically crafted
attack package.  And the current kernels haven't been vulnerable to
that old known attack for a long time.  Still it's better with an
external firewall since it would block the attack even if the kernel
still had that problem.  That doesn't say that it is bad without.
It's not.

But it only helps if the firewall is external.  If it is internal to
the local machine then it doesn't provide that extra layer of
protection against a kernel bug.  Since the kernel needs to supply
both a bug and protection from it at the same time it is likely that
the bug would win in that case.  An internal firewall can't count as
an extra layer of protection.  Any firewall provided by the installer
kernel at install time I think would be quite suspect as to useful
effectiveness.

> > 2. When the system has its first reboot, and since then, it would
> > be a good thing to have all net incoming requests for service to be
> > blocked by default

They are blocked by default.  Or rather by default nothing is there to
listen to them.  Don't believe me?  Install a pristine system and then
check.  There isn't anything to attack here.

But when I explicitly install a program that works on the network then
*I* have installed it.  I obviously want it running.  There would be
no reason to have installed it if I didn't want it installed.  If I
didn't want that then I wouldn't have installed it.  Requiring
packages to be installed and to be enabled as a separate step simply
makes installing them more difficult instead of more secure.

For anyone who thinks a firewall provides complete protection I refer
you to the only completely secure firewall solution that I know:

  http://www.ranum.com/security/computer_security/papers/a1-firewall/

> > for: a) there are now services listening (at least
> > Debian likes to install exim, for example, but not limited to), b)
> > novice users may have no idea on firewall configuration or linux usage
> > at all, and therefore, making such important - I would say - default
> > settings just would add more security features to the already secure
> > name of Debian.
> 
> There is very little need for a firewall on a single machine connected
> to the internet at the best of times

I think a firewall has value.  It is a large umbrella that covers
everything at a different layer of security.  But there isn't anything
magical about it.

> but a default install has nothing listening for external
> connections, so blocking by default doesn't achieve anything. It's
> secure to begin with - a firewall doesn't make it more secure.

I think we are in agreement that when nothing is listening then
nothing is listening and there is no need for a firewall then.  And if
you install something such as sshd server which must listen to be
useful then of course it is listening on that port and again no
firewall is useful in that context.

Bob
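
The "install a pristine system and then check" step from the message above, as an added example that is not part of the original message: it reads the kernel's TCP socket table and reports only listeners bound to a non-loopback address. It covers TCP only, assumes a little-endian Linux host, and the sample table and its inode numbers are constructed for illustration.

```python
import ipaddress
from pathlib import Path

LISTEN = "0A"  # TCP state code the kernel prints for listening sockets

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# a mail daemon on loopback port 25, sshd on all interfaces, one outbound session.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002
   2: 0A00000A:A1B2 010200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10003
"""

def decode_addr(hex_addr):
    """Decode an address field; assumes a little-endian host (x86, most ARM)."""
    raw = bytes.fromhex(hex_addr)
    # Each 32-bit word is printed in host byte order, so swap word by word.
    # This covers both the 4-byte IPv4 and the 16-byte IPv6 form.
    swapped = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return ipaddress.ip_address(swapped)

def listeners(table_text):
    """Return (address, port) for every socket in LISTEN state."""
    found = []
    for line in table_text.splitlines():
        fields = line.split()
        # Header rows and non-listening sockets fail the state test.
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        found.append((decode_addr(addr_hex), int(port_hex, 16)))
    return found

def exposed(table_text):
    """Listeners another host could reach: bound to anything but loopback."""
    return [(str(ip), port) for ip, port in listeners(table_text)
            if not ip.is_loopback]

if __name__ == "__main__":
    tables = [Path(p) for p in ("/proc/net/tcp", "/proc/net/tcp6")]
    text = "".join(p.read_text() for p in tables if p.exists()) or SAMPLE
    for ip, port in exposed(text):
        print(f"reachable listener: {ip}:{port}")
```

An empty result on a fresh install is the "nothing is listening" case; a loopback-only entry such as the port 25 row in the sample is filtered out because no other host can connect to it.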
