On Wed, Jul 31, 2019 at 12:27 PM Scott Kitterman <deb...@kitterman.com> wrote: > > Please don't install one by default. I suspect it will cause more trouble > for end users than it's worth. Making sure our default install is severely > limited in what ports it listens to is likely more broadly useful and less > risky. >
I agree, we should mitigate risks by keeping open ports as restricted as possible by default. But it could be useful for higher level tasksel tasks or meta packages to pull in a firewall configuration utility (for instance, firewalld) for certain use cases, i.e. it could be useful for a "standard" server installation with graphic desktop, for which we could expect most users choosing this method would like to have advanced firewalling as an enterprise feature to have out-of-box. Cheers, Aron P.S. I know there is no such a thing called "standard" installation in Debian, but only referring the name for the sense of RHEL's default installation entries.