Re: Why does Debian allow all incoming traffic by default
The basic reason is this: it makes sense.
Let's suppose Debian installs a basic firewall by default. How
basic? Let's say:
- outbound: permit
- forward: deny
- inbound: accept NTP, DHCP, DNS, and any TCP packet which is a
response to an outbound packet
Now, what should happen when a user installs an SSH daemon?
Should it automatically change the firewall? Of course,
otherwise everyone who installs SSH would discover that it
How many packages now have to have scripts written to update the
What happens when a user installs a multi-protocol daemon like
Dovecot? Does it automatically open POP, POP/S, IMAP and IMAP/S?
All of them? None of them?
There are an infinite number of questions to be asked, all of
which can be summarized as "please read the user's mind and find
out what they want". This is particularly difficult when the
user doesn't know what they want.
Remember, Debian isn't a laptop OS. Debian isn't a desktop OS.
Debian isn't a phone OS. Debian isn't a server OS. Debian isn't
a supercomputing OS. Debian isn't an embedded device OS.
Debian is a Universal OS.
I wouldn't say whatever you said, doesn't make sense. I wish there were
an easier way to know about it when I started using the OS, something to
warn me that I need to configure the firewall to suit my needs. Maybe
because I came from a different OS where the defaults were stricter, my
expectations about the defaults were different.