Re: Why does Debian allow all incoming traffic by default

To: debian-user@lists.debian.org
Subject: Re: Why does Debian allow all incoming traffic by default
From: Joe <joe@jretrading.com>
Date: Wed, 26 Sep 2018 16:07:33 +0100
Message-id: <[🔎] 20180926160733.505ef37f@jresid.jretrading.com>
In-reply-to: <[🔎] 20180926133941.GB17321@chew.redmars.org>
References: <[🔎] da96e6a3-ac34-8d4f-7784-4776e95aee5f@gmail.com> <[🔎] 20180921170935.uidjpny7beevmb6m@randomstring.org> <[🔎] 6239a3ad-7e04-f30c-10cc-3d8fcc52ece6@plouf.fr.eu.org> <[🔎] 201809220512.38348.gheskett@shentel.net> <[🔎] 20180924185239.GE4020@chew.redmars.org> <[🔎] 20180924202155.6cc7afb7@jresid.jretrading.com> <[🔎] 20180926133941.GB17321@chew.redmars.org>

On Wed, 26 Sep 2018 14:39:41 +0100
Jonathan Dowland <jmtd@debian.org> wrote:

> On Mon, Sep 24, 2018 at 08:21:55PM +0100, Joe wrote:
> >And there you have the problem: it would be necessary for the
> >installation of certain packages (e.g. MTA) to automatically poke
> >holes in the firewall.  
> 
> We agree this far.
> 
> > For this to be practical, a completely standardised
> >iptables architecture would be necessary, with limited user
> >customisation. That's how Windows does it.  
> 
> This is where we disagree. What would be needed would be a standard
> interface for a package to say "open this port", that was implemented
> by the iptables (say) package by default, but, if you were writing a
> very DIY ruleset, you could override the iptables-package's
> implementation and provide one yourself (or ignore the package hooks
> if you wished).
> 
You're only moving the problem around. Some completely standard piece of
code *somewhere* has to know what is the right place to insert such a
rule. I'll give you an example: neither the beginning nor the end of my
INPUT chain is the right place, because I do some catch-all stuff about
RELATED and INVALID at the beginning of the chain, and some assorted
logging at the end. I don't want anything placed before or after those
parts. In fact, the right place for my server firewall isn't in the
INPUT chain at all, but in one of a few custom chains.

There could be a standard custom chain in which such rules were
inserted so that they all arrived at a place to suit the user, but my
point is that enough such hooks must be defined and honoured to cover
all reasonable use cases. This is a significant project, one which
involves all IP-aware packages, and I don't think there is *yet*
sufficient need to justify the resources to do it right.

-- 
Joe

Reply to:

Follow-Ups:
- Re: Why does Debian allow all incoming traffic by default
  - From: Jonathan Dowland <jmtd@debian.org>

References:
- Why does Debian allow all incoming traffic by default
  - From: Subhadip Ghosh <subhadip.sky@gmail.com>
- Re: Why does Debian allow all incoming traffic by default
  - From: Dan Ritter <dsr@randomstring.org>
- Re: Why does Debian allow all incoming traffic by default
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: Why does Debian allow all incoming traffic by default
  - From: Gene Heskett <gheskett@shentel.net>
- Re: Why does Debian allow all incoming traffic by default
  - From: Jonathan Dowland <jmtd@debian.org>
- Re: Why does Debian allow all incoming traffic by default
  - From: Joe <joe@jretrading.com>
- Re: Why does Debian allow all incoming traffic by default
  - From: Jonathan Dowland <jmtd@debian.org>

Prev by Date: Re: Which is the best open source ecommerce platform?
Next by Date: Forgotten MATE tools
Previous by thread: Re: Why does Debian allow all incoming traffic by default
Next by thread: Re: Why does Debian allow all incoming traffic by default
Index(es):
- Date
- Thread