Randall Rose wrote on 2026-01-16 14:07:
> From my perspective, if a distro is used by naive users and it
> sometimes installs things out-of-the-box that may have security
> vulnerabilities which a firewall could help with

I see a flaw in this logic: if an install includes, say, Apache, and
there's a potential security vulnerability in Apache, a firewall won't help.
If the firewall blocks traffic to Apache, it's breaking functionality.
If Apache has a vulnerability, what can a firewall do to block the
vulnerability?

> then its installer
> should offer a checkbox for installing a firewall with reasonable
> settings that's already up and running on first boot.

Probably because an active firewall by default would block things the
admin requires.

A *lot* of installs of Debian would be on servers, where the admin
*needs* ssh access. Which a firewall rule might well block.

A default firewall could (would) generate a lot of support questions /
user problems. A sophisticated user can implement a firewall at their
convenience. A naive user won't install one and won't need one since
they're unlikely to be running listening services.

If you trust the Debian maintainers enough to install their OS, you
should trust their decision on this.

I run a bunch of Ubuntu servers on VPSs that are wide open to the
internet. Not a firewall on any of them. Not a problem yet.
(Well, I do block a lot of IPs with iptables due to excessive attempts
on email servers, but that's not really a firewall.)