On 2013-02-19 12:13, Colin Guthrie wrote:
'Twas brillig, and Robert Fox at 19/02/13 11:45 did gyre and gimble:
On Tue, 2013-02-19 at 12:35 +0100, Guillaume Rousse wrote:
On 19/02/2013 12:20, [email protected] wrote:
If that's how you feel about having a program like DenyHosts running by
default, do you feel the same way about having a firewall running and
configured out of the box?
Is a firewall a sysadmin's or packager's choice?
A sysadmin choice. Pushing always more stuff 'by default' doesn't help
users to make educated choices.
On one hand I agree, on the other hand - we want a distribution which
simply works and common choices are made (like which firewall) from the
distro side - a good enough Sysadmin can then change to his/her liking
afterwards. This is more or less a distro "philosophy" question, but
look why "Mint" has become so popular - because many choices are made
upfront for the user - yet the flexibility is in the system (and enough
packages) for an advanced user to change them!
As long as the default settings are documented upfront - I see no issue
in making such a decision on behalf of the "average" user - and making a
more security robust distribution.
Yup, I agree with this.
I know my way around sufficiently that I can happily change the stuff
I don't like.
I think we do have to pick reasonably sensible defaults. Ultimately
that's what msec does too - defines sensible defaults for the security
level picked.
So overall I'd welcome a default setup that allows things to be more
secure/robust by default (obviously balanced against user experience -
e.g. a *very* secure setup would be to ban all traffic in or out... but
that's not a nice user experience :D).
If you are referring to a firewall, banning "all traffic in or out"
does not make sense. I'm sure we are all familiar with the concept of
Stateful Inspection.
--
finid