Re: default firewall utility changes for Debian 11 bullseye
On 2019-12-19 12:29:59, Roberto C. Sánchez wrote: > Hi Arturo! > > I know that this discussion took place some months ago, but I am just > now getting around to catching up on some old threads :-) Same here :) > On Tue, Jul 30, 2019 at 01:52:30PM +0200, Arturo Borrero Gonzalez wrote: > > > 2) introduce firewalld as the default firewalling wrapper in Debian, at > > > least in > > > desktop related tasksel tasks. > > > > > > > There are some mixed feelings about this. However I couldn't find any strong > > opinion against either. > > > > What I would do regarding this is (just a suggestion): > > * raise priority of firewalld > > * document in-wiki what defaults are, and how to move away from them > > * include some documentation bits in other firewalling wrappers on how to > > deal > > with this default, i.e what needs to be changed in the system for ufw to > > work > > without interferences (disable firewalld?) > > > I like the idea of documenting this all in a wiki. Yes, please. I was also bit by nftables migration when moving to buster for some of my home-grown firewal scripts (running just fine for 10+ years, but now - looking forward to migrate to nft), so having this documented would be very welcome, to see what alternatives are there. iustin
Re: default firewall utility changes for Debian 11 bullseye
Hi Wookey,
Am Mittwoch, 31. Juli 2019 schrieb Wookey:
> On 2019-07-16 11:57 +0200, Raphael Hertzog wrote:
> >
> > What would/should Debian recommend to configure the firewall on the server
> > case ?
> >
> > I was recommending creating firewall rules with fwbuilder up to now (see
> > https://debian-handbook.info/browse/stable/sect.firewall-packet-filtering.html)
> >
> > The other desktop firewall that I know is "ufw"
>
> What is the modern equivalent of 'ipmasq'? I still miss this tool on a
> regular basis and loved what it did. I have not found a replacement
> and forever end up looking up runes on the net and doing it by hand
> with iptables. ('it' being setting up my machine to listen on
> one interface (e.g. to a dev board) and forward everything to/from the
> real internet (wifi or ethernet). ipmasq did agreat job of hiding the
> previous transition from ipchains to iptables. I've never heard of
> nftables which is apparently the new thing. Nor firewalld - perhaps it
> would do what I want?
>
> For those too young to know, ipmasq basically does(did - removed in
> 2009!) what the script on this page does for you:
> https://debian-administration.org/article/23/Setting_up_a_simple_Debian_gateway
I use uif for the use case of yours.
Mike
--
Gesendet von meinem Fairphone2 (powered by Sailfish OS).
Re: default firewall utility changes for Debian 11 bullseye
Hi, Am Mittwoch, 31. Juli 2019 schrieb Scott Kitterman: > > > On July 30, 2019 11:52:30 AM UTC, Arturo Borrero Gonzalez > wrote: > >Ok, after a couple of weeks, lets try to summarize: > > > >On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote: > >> > >> This email contains 2 changes/proposals for Debian 11 bullseye: > >> > >> 1) switch priority values for iptables/nftables, i.e, make nftables > >Priority: > >> important and iptables Priority: optional > >> > > > >Nobody seems to disagree with this point. So I will be doing this soon. > > > >> 2) introduce firewalld as the default firewalling wrapper in Debian, > >at least in > >> desktop related tasksel tasks. > >> > > > >There are some mixed feelings about this. However I couldn't find any > >strong > >opinion against either. > > > >What I would do regarding this is (just a suggestion): > >* raise priority of firewalld > >* document in-wiki what defaults are, and how to move away from them > >* include some documentation bits in other firewalling wrappers on how > >to deal > >with this default, i.e what needs to be changed in the system for ufw > >to work > >without interferences (disable firewalld?) > > > >I don't maintain/control firewalld/ufw so I can't do these changes > >myself and > >will leave to Cyril/Michael/Jaime handle the situation for new bullseye > >install > >as they see fit. > > Please don't install one by default. I suspect it will cause more trouble > for end users than it's worth. Making sure our default install is severely > limited in what ports it listens to is likely more broadly useful and less > risky. > Also chiming in on the no-firewall-by-default tune... Mike -- Gesendet von meinem Fairphone2 (powered by Sailfish OS).
Re: default firewall utility changes for Debian 11 bullseye
On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote: > For the next release cycle I propose we move this default event further. > As of this email, iptables [0] is Priority: important and nftables [1] is > Priority: optional in both buster and bullseye. The important value means the > package gets installed by default in every Debian install. > > Also, I believe the days of using a low level tool for directly configuring > the > firewall may be gone, at least for desktop use cases. It seems the industry > more > or less agreed on using firewalld [2] as a wrapper for the system firewall. Gosh, no... The industry agrees to use whatever is convenient for the application it is maintaining. Let me give an example. In OpenStack, Neutron does the networking. It is supposed to handle *all* of what goes in iptables, via neutron-openvswitch-agent. At no point, I have read anyone proposing to switch away from using iptables directly, and using firewalld instead. Please do not try to imagine what people do with iptables. You'd be wrong in many cases. BTW, when using Neutron with Buster, I was very surprised that *in some cases*, it completely breaks if we don't have iptables-legacy as the installed alternatives. It took me a long time to figure out that the iptables-nft implementation, if looking similar, isn't producing the same output, and therefore, breaking Neutron is some corner cases. Hopefully, upstream will work on that, but this was a very bad surprise that I had to address when running in production (as it *looks like* working at first, but in fact doesn't in the long run). > There are plenty of system services that integrate with firewalld anyway [3]. > By the way, firewalld is using (or should be using) nftables by default at > this > point. I have no experience running firewalld myself, but my only message is: please don't break other people's computer. Hopefully, having firewalld by default will not (but you never know, when these ...d services rush into Debian too fast...). > 2) introduce firewalld as the default firewalling wrapper in Debian, at least > in > desktop related tasksel tasks. I don't mind for desktop cases much, I know how to fix things. I'm more scared if this breaks newbies, and server side. For servers, maybe don't install stuff by default, and let the admin decide? Hopefully, both will be taken care of, right? Cheers, Thomas Goirand (zigo)
Re: default firewall utility changes for Debian 11 bullseye
On 7/31/19 7:56 AM, Aron Xu wrote: > be useful for a "standard" server installation with graphic desktop, If we really start to provide that, we should better rename the project to SAPian or SUSian or something like that... -- Bernd ZeimetzDebian GNU/Linux Developer http://bzed.dehttp://www.debian.org GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Re: default firewall utility changes for Debian 11 bullseye
Hi Arturo! I know that this discussion took place some months ago, but I am just now getting around to catching up on some old threads :-) On Tue, Jul 30, 2019 at 01:52:30PM +0200, Arturo Borrero Gonzalez wrote: > Ok, after a couple of weeks, lets try to summarize: > > On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote: > > > > This email contains 2 changes/proposals for Debian 11 bullseye: > > > > 1) switch priority values for iptables/nftables, i.e, make nftables > > Priority: > > important and iptables Priority: optional > > > > Nobody seems to disagree with this point. So I will be doing this soon. > It looks like the situation in sid has not changed yet: (sid)root@build01:/tmp# apt-cache show iptables nftables | egrep 'Package|Version|Priority|^$'Package: iptables Version: 1.8.4-1 Priority: important Package: nftables Version: 0.9.3-1 Priority: optional Do you still intend to make the change in priorities? > > 2) introduce firewalld as the default firewalling wrapper in Debian, at > > least in > > desktop related tasksel tasks. > > > > There are some mixed feelings about this. However I couldn't find any strong > opinion against either. > > What I would do regarding this is (just a suggestion): > * raise priority of firewalld > * document in-wiki what defaults are, and how to move away from them > * include some documentation bits in other firewalling wrappers on how to deal > with this default, i.e what needs to be changed in the system for ufw to work > without interferences (disable firewalld?) > I like the idea of documenting this all in a wiki. [Side note: I maintain Shorewall in Debian and since the upstream author announced his retirement eariler this year several of the most active developers/community members (including me) have begun the process of taking over the project from him. One of the items we have discussed support for nftables, so I can see that changing in the coming year, making a wiki page a good choice for where to document Shorewall integration with various Debian parts.] Incidentally, the Debian Installation Guide makes no mention of firewalls or even basic steps to secure the system. If a wiki page is developed that documents the various firewall integration options, it would be nice if it became the basis of a new section in the installation manual (perhaps under section 8, Next Steps and Where to Go >From Here). It may also be a good addition/improvement to the Securing Debian Manual. In any event, I am just offering some thoughts; perhaps they might be of some use. Regards, -Roberto -- Roberto C. Sánchez
Re: default firewall utility changes for Debian 11 bullseye
On August 1, 2019 10:42:37 AM UTC, Arturo Borrero Gonzalez wrote: >On 7/31/19 7:20 AM, Adam Borowski wrote: >> A port blocker just sabotages user's requests, requiring every >configuration >> action to be done twice. >> > >Perhaps you are mixing shipping a software by default vs having a >default >blocking firewall ruleset in the system. Moreover, you are assuming a >default >firewall would block what? outgoing connections? incoming connections? > >The argument sounds very weak anyway. > >> An user who actually has a complex host setup needs basic skills to >do so, >> and those skills are more involved than installing a package would >be. > >I think facilitating complex setups to under-skilled users is actually >the key >to be successful as an operating system. I read that as saying two opposite things: We can install something potentially useful, but not configure it to do anything to avoid problems (which is discouraged by policy). We should make things easier for users who are less technical. I don't think you can do both. Personally I don't think we should include additional daemons that do nothing. Personally I don't want to have to remember to remove it. Scott K
Re: default firewall utility changes for Debian 11 bullseye
On 7/31/19 7:20 AM, Adam Borowski wrote: > A port blocker just sabotages user's requests, requiring every configuration > action to be done twice. > Perhaps you are mixing shipping a software by default vs having a default blocking firewall ruleset in the system. Moreover, you are assuming a default firewall would block what? outgoing connections? incoming connections? The argument sounds very weak anyway. > An user who actually has a complex host setup needs basic skills to do so, > and those skills are more involved than installing a package would be. I think facilitating complex setups to under-skilled users is actually the key to be successful as an operating system.
Re: default firewall utility changes for Debian 11 bullseye
On Aug 01, Aron Xu wrote: > If there is no pre-installed firewall application in a standard/full > installation (which does not exist for us theoretically), Debian could > be easily marked as missing feature in some enterprise IT evalutation, [citation needed] Even if this were true I do no think that this is a compelling argument for Debian. -- ciao, Marco signature.asc Description: PGP signature
Re: default firewall utility changes for Debian 11 bullseye
[dropping individuals as recipients]
Quoting Sunil Mohan Adapa (2019-07-31 17:46:44)
> On 31/07/19 7:46 am, Wookey wrote:
> [...]
> >
> > What is the modern equivalent of 'ipmasq'? I still miss this tool on
> > a regular basis and loved what it did. I have not found a
> > replacement and forever end up looking up runes on the net and doing
> > it by hand with iptables. ('it' being setting up my machine to
> > listen on one interface (e.g. to a dev board) and forward everything
> > to/from the real internet (wifi or ethernet). ipmasq did agreat job
> > of hiding the previous transition from ipchains to iptables. I've
> > never heard of nftables which is apparently the new thing. Nor
> > firewalld - perhaps it would do what I want?
> >
> > For those too young to know, ipmasq basically does(did - removed in
> > 2009!) what the script on this page does for you:
> > https://debian-administration.org/article/23/Setting_up_a_simple_Debian_gateway
>
> I believe this is done in firewalld by assigning the outgoing network
> interface to 'external' zone and other network interfaces to
> 'internal' zone.
>
> Alternatively, setting 'masquerade=yes' property on the zone that is
> assigned outgoing network interfaces should achieve the same result.
Alternatively, using systemd-networkd (i.e. not needing firewalld or
network-manager or ifupdown) you can set IPMasquerade=yes for
/etc/systemd/network/*.network profiles (see "man systemd.network") of
each device that should be masqueraded (that is, the _opposite_
interfaces than the ones you would flag in firewalld).
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
signature.asc
Description: signature
Re: default firewall utility changes for Debian 11 bullseye
On Wed, Jul 31, 2019 at 11:10 PM Marco d'Itri wrote: > > On Jul 31, Aron Xu wrote: > > > utility (for instance, firewalld) for certain use cases, i.e. it could > > be useful for a "standard" server installation with graphic desktop, > > for which we could expect most users choosing this method would like > > to have advanced firewalling as an enterprise feature to have > > out-of-box. > Can you explain better which problems this would solve? > If there is no pre-installed firewall application in a standard/full installation (which does not exist for us theoretically), Debian could be easily marked as missing feature in some enterprise IT evalutation, even having them installed on disk without defining any rules would help out most of the cases. I understand this sounds very awkward because users can always install one if they really need or want it, but it's quite offen that fixed rules (which are usually seen awkward) would apply in companies no matter of its size and IT management level. Regards, Aron
Re: default firewall utility changes for Debian 11 bullseye
On 16/07/19 2:07 am, Arturo Borrero Gonzalez wrote: [...] > 2) introduce firewalld as the default firewalling wrapper in Debian, at least > in > desktop related tasksel tasks. > firewalld is a reasonable choice. We setup and manage firewalld automatically in FreedomBox. - firewalld has simple ways for adding exceptions to ports and services. Many service definitions explain to the user what the ports in the service are useful for. Packages can bring in their own service definitions. - firewalld works alright in many scenarios for servers with multiple network interfaces because of zones. - Network Manager has a 'Zone' property that directly corresponds to firewalld zone. When Network Manager brings up an interface, it is assigned to the configured firewalld zone. - firewalld has a DBus interface that allows querying the current status of the firewall simpler than parsing command line output. - firewalld is a live daemon that adds and removes rules as we interact with it via command line or DBus interface and does not need 'restarting' like some firewall wrappers. Restarting would flush all firewalls and add them back again. At least for some of the firewall scripts, this operation is not atomic. - It supports dealing with custom rules using 'direct' rules. -- Sunil
Re: default firewall utility changes for Debian 11 bullseye
On 31/07/19 7:46 am, Wookey wrote:
[...]
>
> What is the modern equivalent of 'ipmasq'? I still miss this tool on a
> regular basis and loved what it did. I have not found a replacement
> and forever end up looking up runes on the net and doing it by hand
> with iptables. ('it' being setting up my machine to listen on
> one interface (e.g. to a dev board) and forward everything to/from the
> real internet (wifi or ethernet). ipmasq did agreat job of hiding the
> previous transition from ipchains to iptables. I've never heard of
> nftables which is apparently the new thing. Nor firewalld - perhaps it
> would do what I want?
>
> For those too young to know, ipmasq basically does(did - removed in
> 2009!) what the script on this page does for you:
> https://debian-administration.org/article/23/Setting_up_a_simple_Debian_gateway
I believe this is done in firewalld by assigning the outgoing network
interface to 'external' zone and other network interfaces to 'internal'
zone.
Alternatively, setting 'masquerade=yes' property on the zone that is
assigned outgoing network interfaces should achieve the same result.
--
Sunil
signature.asc
Description: OpenPGP digital signature
Re: default firewall utility changes for Debian 11 bullseye
On Wed, 31 Jul 2019 at 15:46:39 +0100, Wookey wrote:
> What is the modern equivalent of 'ipmasq'? I still miss this tool on a
> regular basis and loved what it did. I have not found a replacement
> and forever end up looking up runes on the net and doing it by hand
> with iptables. ('it' being setting up my machine to listen on
> one interface (e.g. to a dev board) and forward everything to/from the
> real internet (wifi or ethernet).
Perhaps not the answer you were looking for or expecting, but:
NetworkManager?
Configure your uplink connection, e.g. wifi, as you usually would, then
configure the interface that points to your dev board with method=shared
in the [ipv4] section. In nm-connection-editor that's spelled "Shared
with other computers"; other GUIs may vary (and simpler UIs for
NetworkManager, like the one in GNOME Shell, don't necessarily offer that
option). See nm-settings(5) for details.
Or if you prefer fewer GUIs, systemd.network(5) networks can be configured
with IPMasquerade=yes and IPForward=ipv4, which enables routing according
to the routing table (and is documented as not implying any firewalling,
so add a firewall if the policy you want is not "any interface relays
to any other interface").
> Nor firewalld - perhaps it would do what I want?
firewalld is really for firewalling, and not for the various other things
that share the netfilter kernel interface.
smcv
Re: default firewall utility changes for Debian 11 bullseye
On Jul 31, Aron Xu wrote: > utility (for instance, firewalld) for certain use cases, i.e. it could > be useful for a "standard" server installation with graphic desktop, > for which we could expect most users choosing this method would like > to have advanced firewalling as an enterprise feature to have > out-of-box. Can you explain better which problems this would solve? -- ciao, Marco signature.asc Description: PGP signature
Re: default firewall utility changes for Debian 11 bullseye
On Jul 31, Scott Kitterman wrote: > Please don't install one by default. I suspect it will cause more > trouble for end users than it's worth. Making sure our default > install is severely limited in what ports it listens to is likely more > broadly useful and less risky. Agreed. Default-deny host-based firewalls are mostly useful for Windows systems. -- ciao, Marco signature.asc Description: PGP signature
Re: default firewall utility changes for Debian 11 bullseye
On 2019-07-16 11:57 +0200, Raphael Hertzog wrote:
>
> What would/should Debian recommend to configure the firewall on the server
> case ?
>
> I was recommending creating firewall rules with fwbuilder up to now (see
> https://debian-handbook.info/browse/stable/sect.firewall-packet-filtering.html)
>
> The other desktop firewall that I know is "ufw"
What is the modern equivalent of 'ipmasq'? I still miss this tool on a
regular basis and loved what it did. I have not found a replacement
and forever end up looking up runes on the net and doing it by hand
with iptables. ('it' being setting up my machine to listen on
one interface (e.g. to a dev board) and forward everything to/from the
real internet (wifi or ethernet). ipmasq did agreat job of hiding the
previous transition from ipchains to iptables. I've never heard of
nftables which is apparently the new thing. Nor firewalld - perhaps it
would do what I want?
For those too young to know, ipmasq basically does(did - removed in
2009!) what the script on this page does for you:
https://debian-administration.org/article/23/Setting_up_a_simple_Debian_gateway
Wookey
--
Principal hats: Linaro, Debian, Wookware, ARM
http://wookware.org/
signature.asc
Description: PGP signature
Re: default firewall utility changes for Debian 11 bullseye
On Wed, 31 Jul 2019, Adam Borowski wrote: A network firewall is useful. But why would someone want a _host_ firewall for on any sane operating system? If a daemon is not supposed to listen on Are libvirt and network-manager using firewalld to setup network sharing and virtual networks? Or do the still invoke iptables directly?
Re: default firewall utility changes for Debian 11 bullseye
On Wed, Jul 31, 2019 at 12:27 PM Scott Kitterman wrote: > > Please don't install one by default. I suspect it will cause more trouble > for end users than it's worth. Making sure our default install is severely > limited in what ports it listens to is likely more broadly useful and less > risky. > I agree, we should mitigate risks by keeping open ports as restricted as possible by default. But it could be useful for higher level tasksel tasks or meta packages to pull in a firewall configuration utility (for instance, firewalld) for certain use cases, i.e. it could be useful for a "standard" server installation with graphic desktop, for which we could expect most users choosing this method would like to have advanced firewalling as an enterprise feature to have out-of-box. Cheers, Aron P.S. I know there is no such a thing called "standard" installation in Debian, but only referring the name for the sense of RHEL's default installation entries.
Re: default firewall utility changes for Debian 11 bullseye
On Wed, Jul 31, 2019 at 04:27:24AM +, Scott Kitterman wrote: > On July 30, 2019 11:52:30 AM UTC, Arturo Borrero Gonzalez > wrote: > >On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote: > >> 2) introduce firewalld as the default firewalling wrapper in Debian, > >> at least in desktop related tasksel tasks. > > > >There are some mixed feelings about this. However I couldn't find any > >strong opinion against either. > > > >What I would do regarding this is (just a suggestion): > >* raise priority of firewalld > >* document in-wiki what defaults are, and how to move away from them > >* include some documentation bits in other firewalling wrappers on how to > >deal with this default, i.e what needs to be changed in the system for > >ufw to work without interferences (disable firewalld?) > > > >I don't maintain/control firewalld/ufw so I can't do these changes myself > >and will leave to Cyril/Michael/Jaime handle the situation for new > >bullseye install as they see fit. > > Please don't install one by default. I suspect it will cause more trouble > for end users than it's worth. Making sure our default install is > severely limited in what ports it listens to is likely more broadly useful > and less risky. +1000. A network firewall is useful. But why would someone want a _host_ firewall for on any sane operating system? If a daemon is not supposed to listen on the network, don't install it or configure it that way. If a process is supposed to be contained and unable to use the network, contain it. A port blocker just sabotages user's requests, requiring every configuration action to be done twice. An user who actually has a complex host setup needs basic skills to do so, and those skills are more involved than installing a package would be. Meow! -- ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ Debian is one big family. Including that weird uncle ⢿⡄⠘⠷⠚⠋⠀ and ultra-religious in-laws. ⠈⠳⣄
Re: default firewall utility changes for Debian 11 bullseye
On July 30, 2019 11:52:30 AM UTC, Arturo Borrero Gonzalez wrote: >Ok, after a couple of weeks, lets try to summarize: > >On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote: >> >> This email contains 2 changes/proposals for Debian 11 bullseye: >> >> 1) switch priority values for iptables/nftables, i.e, make nftables >Priority: >> important and iptables Priority: optional >> > >Nobody seems to disagree with this point. So I will be doing this soon. > >> 2) introduce firewalld as the default firewalling wrapper in Debian, >at least in >> desktop related tasksel tasks. >> > >There are some mixed feelings about this. However I couldn't find any >strong >opinion against either. > >What I would do regarding this is (just a suggestion): >* raise priority of firewalld >* document in-wiki what defaults are, and how to move away from them >* include some documentation bits in other firewalling wrappers on how >to deal >with this default, i.e what needs to be changed in the system for ufw >to work >without interferences (disable firewalld?) > >I don't maintain/control firewalld/ufw so I can't do these changes >myself and >will leave to Cyril/Michael/Jaime handle the situation for new bullseye >install >as they see fit. Please don't install one by default. I suspect it will cause more trouble for end users than it's worth. Making sure our default install is severely limited in what ports it listens to is likely more broadly useful and less risky. Scott K
Re: default firewall utility changes for Debian 11 bullseye
On Di, Jul 30, 2019 at 01:52:30 +0200, Arturo Borrero Gonzalez wrote: Ok, after a couple of weeks, lets try to summarize: 1) switch priority values for iptables/nftables, i.e, make nftables Priority: important and iptables Priority: optional Nobody seems to disagree with this point. So I will be doing this soon. I’ve migrated my iptables scripts to nft. In the end it was easier than expected, and everything is running fine. What I’m missing: There was an iptables addon for using geoip databases. This is missing. I found https://aur.archlinux.org/packages/nftables-geoip-db/ It is not part of Debian, but I managed to use it. Shade and sweet water! Stephan -- | Stephan Seitz E-Mail: s...@fsing.rootsland.net | | If your life was a horse, you'd have to shoot it. |
Re: default firewall utility changes for Debian 11 bullseye
Ok, after a couple of weeks, lets try to summarize: On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote: > > This email contains 2 changes/proposals for Debian 11 bullseye: > > 1) switch priority values for iptables/nftables, i.e, make nftables Priority: > important and iptables Priority: optional > Nobody seems to disagree with this point. So I will be doing this soon. > 2) introduce firewalld as the default firewalling wrapper in Debian, at least > in > desktop related tasksel tasks. > There are some mixed feelings about this. However I couldn't find any strong opinion against either. What I would do regarding this is (just a suggestion): * raise priority of firewalld * document in-wiki what defaults are, and how to move away from them * include some documentation bits in other firewalling wrappers on how to deal with this default, i.e what needs to be changed in the system for ufw to work without interferences (disable firewalld?) I don't maintain/control firewalld/ufw so I can't do these changes myself and will leave to Cyril/Michael/Jaime handle the situation for new bullseye install as they see fit.
Re: default firewall utility changes for Debian 11 bullseye
Hi Chris Am 18.07.19 um 04:07 schrieb Chris Lamb: > It also has a first-class Ansible module which (given a flood of > firewall options around when I needed to pick something in haste > around the time of the stretch release…) was actually the deciding > factor for me: > > https://docs.ansible.com/ansible/latest/modules/ufw_module.html Just curious, if you've seen/evaluated https://docs.ansible.com/ansible/latest/modules/firewalld_module.html If there is something you found lacking, I'm happy to pass that info along to upstream. I'm not using ansible myself, so additional feedback would be welcome. Regards, Michael -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature
Re: default firewall utility changes for Debian 11 bullseye
On Wed, 17 Jul 2019, Chris Lamb wrote: > Jamie Strandboge wrote: > > > Again, I'm biased, but ufw supports IPv6. It's also been on the default > > server > > and desktop install of Ubuntu for 9+ years. ufw functions well for bastion > > hosts, less so for routers (though it has some facility there). > > It also has a first-class Ansible module which (given a flood of > firewall options around when I needed to pick something in haste > around the time of the stretch release…) was actually the deciding > factor for me: > > https://docs.ansible.com/ansible/latest/modules/ufw_module.html Oh, nice! I should probably collect the various projects that integrate with ufw and list them somewhere... (I've added that to my todo). Related, I have some improvements for fail2ban I've been meaning to upstream as well that make it work a lot better, esp wrt IPv6. On that note and to anyone participating in this thread or just coming across it some time in the future, if there are things that would make ufw better in Debian (particularly wrt bastion use cases), I'm happy to make improvements regardless of if it is a candidate as the default or not (please file bugs :). -- Email: ja...@strandboge.com IRC: jdstrand
Re: default firewall utility changes for Debian 11 bullseye
Jamie Strandboge wrote: > Again, I'm biased, but ufw supports IPv6. It's also been on the default server > and desktop install of Ubuntu for 9+ years. ufw functions well for bastion > hosts, less so for routers (though it has some facility there). It also has a first-class Ansible module which (given a flood of firewall options around when I needed to pick something in haste around the time of the stretch release…) was actually the deciding factor for me: https://docs.ansible.com/ansible/latest/modules/ufw_module.html Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
Re: default firewall utility changes for Debian 11 bullseye
On Wed, 17 Jul 2019, Jamie Strandboge wrote: > On Tue, 16 Jul 2019, Raphael Hertzog wrote: > > > > 2) introduce firewalld as the default firewalling wrapper in Debian, at > > > least in > > > desktop related tasksel tasks. > > > > No objection. I think it's high time we have some default firewall > > installed in particular with IPv6 getting more widely deployed... > > > > The other desktop firewall that I know is "ufw" but it doesn't seem to > > have any momentum behind it. > > Again, I'm biased, but ufw supports IPv6. It's also been on the default server > and desktop install of Ubuntu for 9+ years. ufw functions well for bastion > hosts, less so for routers (though it has some facility there). Perhaps the > perceived 'lack of momentum' has to do with a lack of feature development, but > for the primary bastion host case, I haven't deemed this necessary. Oh, I forgot to mention. I've never actually considered ufw as a "desktop" firewall. I've considered it a decent "bastion" firewall with a CLI experience (desktop or server). The ufw projects lacks a GUI frontend which may be desirable for a "desktop" firewall (see my previous comment re firewalld and network-manager; there are various GUIs written for ufw, but not associated with the project). -- Email: ja...@strandboge.com IRC: jdstrand
Re: default firewall utility changes for Debian 11 bullseye
On Wed, 17 Jul 2019, Chris Lamb wrote: > Raphael Hertzog wrote: > > > The other desktop firewall that I know is "ufw" but it doesn't seem to > > have any momentum behind it. > > It is curious you mention a lack of momentum; in my experience, it is > the most commonly recommended firewall on various support-adjacent > sites around the internet. (Perhaps due to it's Ubuntu/Canonical > associations and authorship.) > FYI, I'm not aware of any distributions other than Ubuntu where it is in the default install, but based on bug reports, I know it is in quite a few distributions. I've always been pleasantly surprised at how much it is used, and written about. :) -- Email: ja...@strandboge.com IRC: jdstrand
Re: default firewall utility changes for Debian 11 bullseye
On Tue, 16 Jul 2019, Ben Hutchings wrote: > On Tue, 2019-07-16 at 11:57 +0200, Raphael Hertzog wrote: > [...] > > The other desktop firewall that I know is "ufw" but it doesn't seem to > > have any momentum behind it. > > Also, while its syntax is obviously intended to be simple, it's quite > irregular and the syntax error messages aren't very helpful. FYI, the simple syntax is meant to be, well, simple and the extended syntax is supposed to resemble OpenBSD's PF. That may not be everyone's cup of tea of course... :) As for syntax error messages, please file bugs in the BTS or upstream. I'd be happy to take a look. -- Email: ja...@strandboge.com IRC: jdstrand signature.asc Description: PGP signature
Re: default firewall utility changes for Debian 11 bullseye
On Wed, 17 Jul 2019, Stephan Seitz wrote: > On Di, Jul 16, 2019 at 11:23:43 +0200, Guillem Jover wrote: > > On Tue, 2019-07-16 at 11:07:15 +0200, Arturo Borrero Gonzalez wrote: > > > as you may know, Debian 10 buster includes the iptables-nft utility by > > > default, which is an iptables flavor that uses the nf_tables kernel > > > subsystem. Is intended to help people migrate from iptables to nftables. > > Yeah, this was a great way to migrate, thanks! > > What is the problem with using iptables-nft compared to the new nft syntax? > > According to the documentation nft seems quite more complex. > What would be the replacement for a simple single line like > iptables -I INPUT -j DROP -s -p tcp –dport 587 ? > > What about other packages like fail2ban? Does it „hurt” if different > programs are using iptables-nft or nft? > The thing you want to avoid is mixing nft with iptables-legacy. iptables-nft and nft should be fine. -- Email: ja...@strandboge.com IRC: jdstrand signature.asc Description: PGP signature
Re: default firewall utility changes for Debian 11 bullseye
On Tue, 16 Jul 2019, Raphael Hertzog wrote: > > 2) introduce firewalld as the default firewalling wrapper in Debian, at > > least in > > desktop related tasksel tasks. > > No objection. I think it's high time we have some default firewall > installed in particular with IPv6 getting more widely deployed... > > The other desktop firewall that I know is "ufw" but it doesn't seem to > have any momentum behind it. Again, I'm biased, but ufw supports IPv6. It's also been on the default server and desktop install of Ubuntu for 9+ years. ufw functions well for bastion hosts, less so for routers (though it has some facility there). Perhaps the perceived 'lack of momentum' has to do with a lack of feature development, but for the primary bastion host case, I haven't deemed this necessary. -- Email: ja...@strandboge.com IRC: jdstrand
Re: default firewall utility changes for Debian 11 bullseye
On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote: > Hi there, > > as you may know, Debian 10 buster includes the iptables-nft utility by > default, > which is an iptables flavor that uses the nf_tables kernel subsystem. > Is intended to help people migrate from iptables to nftables. > > For the next release cycle I propose we move this default event further. > As of this email, iptables [0] is Priority: important and nftables [1] is > Priority: optional in both buster and bullseye. The important value means the > package gets installed by default in every Debian install. As the upstream ufw developer, this makes since to me. > Also, I believe the days of using a low level tool for directly configuring > the > firewall may be gone, at least for desktop use cases. It seems the industry > more > or less agreed on using firewalld [2] as a wrapper for the system firewall. > There are plenty of system services that integrate with firewalld anyway [3]. > By the way, firewalld is using (or should be using) nftables by default at > this > point. > > This email contains 2 changes/proposals for Debian 11 bullseye: > > 1) switch priority values for iptables/nftables, i.e, make nftables Priority: > important and iptables Priority: optional Makes sense. > 2) introduce firewalld as the default firewalling wrapper in Debian, at least > in > desktop related tasksel tasks. I'm obviously biased, but anecdotally I have had quite a few people say disparaging things about firewalld, particularly from server admins. I'm not really in a position for people to sing firewalld's praises to me, so take that for what it is worth. IIRC, network-manager has a fair frontend for firewalld that could be nice for desktop users if Debian wants that tight integration. That said, I can say that the ufw packaging makes it so it stays out of the way for people who want to use other firewall applications. I encourage Debian in whatever choice is made to make sure that the experience degrades gracefully if someone chooses something other than the default. -- Email: ja...@strandboge.com IRC: jdstrand
Re: default firewall utility changes for Debian 11 bullseye
On Jul 17, Paul Wise wrote: > To me, something like opensnitch seems like a better option for a > desktop firewall once it becomes more mature and enters Debian. This project is a "personal firewall", which is a quite different thing from what is being discussed here. -- ciao, Marco signature.asc Description: PGP signature
Re: default firewall utility changes for Debian 11 bullseye
On Wed, Jul 17, 2019 at 7:05 PM Helmut Grohne wrote: > If you want to make firewalld the desktop default To me, something like opensnitch seems like a better option for a desktop firewall once it becomes more mature and enters Debian. https://github.com/evilsocket/opensnitch/ https://bugs.debian.org/909567 -- bye, pabs https://wiki.debian.org/PaulWise
Re: default firewall utility changes for Debian 11 bullseye
Raphael Hertzog wrote: > The other desktop firewall that I know is "ufw" but it doesn't seem to > have any momentum behind it. It is curious you mention a lack of momentum; in my experience, it is the most commonly recommended firewall on various support-adjacent sites around the internet. (Perhaps due to it's Ubuntu/Canonical associations and authorship.) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
Re: default firewall utility changes for Debian 11 bullseye
On Mi, Jul 17, 2019 at 12:32:31 +0100, Thomas Pircher wrote: # iptables-translate -A INPUT -s 1.2.3.4 -p tcp --dport 587 -j DROP nft add rule ip filter INPUT ip saddr 1.2.3.4 tcp dport 587 counter drop Ah, thank you very much! Stephan -- | Public Keys: http://fsing.rootsland.net/~stse/keys.html | smime.p7s Description: S/MIME cryptographic signature
Re: default firewall utility changes for Debian 11 bullseye
Stephan Seitz wrote: > What would be the replacement for a simple single line like > iptables -I INPUT -j DROP -s -p tcp –dport 587 ? You can use the iptables-translate. It is not foolproof and does not always git the best results, but it can give you a good starting point for your optimisations: # iptables-translate -A INPUT -s 1.2.3.4 -p tcp --dport 587 -j DROP nft add rule ip filter INPUT ip saddr 1.2.3.4 tcp dport 587 counter drop Thomas
Re: default firewall utility changes for Debian 11 bullseye
Am 17.07.19 um 13:16 schrieb Michael Biebl: > Am 17.07.19 um 13:04 schrieb Helmut Grohne: >> On Tue, Jul 16, 2019 at 11:07:15AM +0200, Arturo Borrero Gonzalez wrote: >>> Also, I believe the days of using a low level tool for directly configuring >>> the >>> firewall may be gone, at least for desktop use cases. It seems the industry >>> more >>> or less agreed on using firewalld [2] as a wrapper for the system firewall. >>> There are plenty of system services that integrate with firewalld anyway >>> [3]. >>> By the way, firewalld is using (or should be using) nftables by default at >>> this >>> point. >> >> The current firewalld package in unstable depends on iptables, which >> means that it does use nftables under the hood unless one fiddles with >> alternatives. >> >> apt-file search /usr/bin/firewalld suggests that at present, two >> packages (freedombox and glusterfs-common) integrate with firewalld. For >> comparison, 17 packages integrate with ufw. >> > > That list appears to be incomplete. You should also search for > org.fedoraproject.FirewallD1, i.e. software using the D-Bus interface of > firewalld: > https://codesearch.debian.net/search?q=org.fedoraproject.FirewallD1 Also forgot to mention: I assume what you meant with "integrate with ufw" is packages shipping a service description in /etc/ufw/applications.d/, say samba: /etc/ufw/applications.d/samba firewalld ships a lot of such service descriptions itself. If you take the above example of samba: firewalld: /usr/lib/firewalld/services/samba-client.xml firewalld: /usr/lib/firewalld/services/samba-dc.xml firewalld: /usr/lib/firewalld/services/samba.xml $ apt-file list firewalld | grep /usr/lib/firewalld/services/ | wc -l 168 -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature
Re: default firewall utility changes for Debian 11 bullseye
On Di, Jul 16, 2019 at 11:23:43 +0200, Guillem Jover wrote: On Tue, 2019-07-16 at 11:07:15 +0200, Arturo Borrero Gonzalez wrote: as you may know, Debian 10 buster includes the iptables-nft utility by default, which is an iptables flavor that uses the nf_tables kernel subsystem. Is intended to help people migrate from iptables to nftables. Yeah, this was a great way to migrate, thanks! What is the problem with using iptables-nft compared to the new nft syntax? According to the documentation nft seems quite more complex. What would be the replacement for a simple single line like iptables -I INPUT -j DROP -s -p tcp –dport 587 ? What about other packages like fail2ban? Does it „hurt” if different programs are using iptables-nft or nft? Shade and sweet water! Stephan -- | Public Keys: http://fsing.rootsland.net/~stse/keys.html | smime.p7s Description: S/MIME cryptographic signature
Re: default firewall utility changes for Debian 11 bullseye
Am 17.07.19 um 13:04 schrieb Helmut Grohne: > On Tue, Jul 16, 2019 at 11:07:15AM +0200, Arturo Borrero Gonzalez wrote: >> Also, I believe the days of using a low level tool for directly configuring >> the >> firewall may be gone, at least for desktop use cases. It seems the industry >> more >> or less agreed on using firewalld [2] as a wrapper for the system firewall. >> There are plenty of system services that integrate with firewalld anyway [3]. >> By the way, firewalld is using (or should be using) nftables by default at >> this >> point. > > The current firewalld package in unstable depends on iptables, which > means that it does use nftables under the hood unless one fiddles with > alternatives. > > apt-file search /usr/bin/firewalld suggests that at present, two > packages (freedombox and glusterfs-common) integrate with firewalld. For > comparison, 17 packages integrate with ufw. > That list appears to be incomplete. You should also search for org.fedoraproject.FirewallD1, i.e. software using the D-Bus interface of firewalld: https://codesearch.debian.net/search?q=org.fedoraproject.FirewallD1 -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature
Re: default firewall utility changes for Debian 11 bullseye
On Tue, Jul 16, 2019 at 11:07:15AM +0200, Arturo Borrero Gonzalez wrote: > Also, I believe the days of using a low level tool for directly configuring > the > firewall may be gone, at least for desktop use cases. It seems the industry > more > or less agreed on using firewalld [2] as a wrapper for the system firewall. > There are plenty of system services that integrate with firewalld anyway [3]. > By the way, firewalld is using (or should be using) nftables by default at > this > point. The current firewalld package in unstable depends on iptables, which means that it does use nftables under the hood unless one fiddles with alternatives. apt-file search /usr/bin/firewalld suggests that at present, two packages (freedombox and glusterfs-common) integrate with firewalld. For comparison, 17 packages integrate with ufw. Disclaimer: This is not an endorsement of ufw. I merely researched the situation and am summarizing my findings. Still I am drawing the conclsuion that "the industry more or less agreed on using firewalld" seems wrong to me. If you want to make firewalld the desktop default, I encourage you to look back at how apparmor was made the default. I remember that as a very good process. You raise the issue at a very good time. Helmut
Re: default firewall utility changes for Debian 11 bullseye
On Tue, 2019-07-16 at 11:57 +0200, Raphael Hertzog wrote: [...] > The other desktop firewall that I know is "ufw" but it doesn't seem to > have any momentum behind it. Also, while its syntax is obviously intended to be simple, it's quite irregular and the syntax error messages aren't very helpful. Ben. -- Ben Hutchings If God had intended Man to program, we'd have been born with serial I/O ports. signature.asc Description: This is a digitally signed message part
Re: default firewall utility changes for Debian 11 bullseye
On 7/16/19 11:57 AM, Raphael Hertzog wrote: > Hi, > > I'm replying to your questions but I have also other questions related to > this fresh transition... > > On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote: >> as you may know, Debian 10 buster includes the iptables-nft utility by >> default, >> which is an iptables flavor that uses the nf_tables kernel subsystem. >> Is intended to help people migrate from iptables to nftables. > > It is intended that /proc/net/ip_tables_names and > /proc/net/ip6_tables_names is always empty when you use iptables-nft and > thus nf_tables under the hood? > > This is breaking fwbuilder at least: > https://github.com/fwbuilder/fwbuilder/issues/88 > yes, nf_tables does not expose that data into /proc/, it uses a netlink API which is a better way of interacting with it. >> Also, I believe the days of using a low level tool for directly configuring >> the >> firewall may be gone, at least for desktop use cases. It seems the industry >> more >> or less agreed on using firewalld [2] as a wrapper for the system firewall. > > What would/should Debian recommend to configure the firewall on the server > case ? > > I was recommending creating firewall rules with fwbuilder up to now (see > https://debian-handbook.info/browse/stable/sect.firewall-packet-filtering.html) The reset_iptables() functions you mentioned in the above issue don't even replace the rules in an atomic fashion, which is not a good way to work with firewall rules, specially for wrappers. firewalld can be useful in server usecases as well. Here is libvirt using firewalld (and nftables): https://libvirt.org/firewall.html#fw-firewalld-and-virtual-network-driver This is all to say that firewalld may be way better that fwbuilder as a general recommendation.
Re: default firewall utility changes for Debian 11 bullseye
Hi, I'm replying to your questions but I have also other questions related to this fresh transition... On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote: > as you may know, Debian 10 buster includes the iptables-nft utility by > default, > which is an iptables flavor that uses the nf_tables kernel subsystem. > Is intended to help people migrate from iptables to nftables. It is intended that /proc/net/ip_tables_names and /proc/net/ip6_tables_names is always empty when you use iptables-nft and thus nf_tables under the hood? This is breaking fwbuilder at least: https://github.com/fwbuilder/fwbuilder/issues/88 > Also, I believe the days of using a low level tool for directly configuring > the > firewall may be gone, at least for desktop use cases. It seems the industry > more > or less agreed on using firewalld [2] as a wrapper for the system firewall. What would/should Debian recommend to configure the firewall on the server case ? I was recommending creating firewall rules with fwbuilder up to now (see https://debian-handbook.info/browse/stable/sect.firewall-packet-filtering.html) but while it's still maintained, it has not had any recent release and still hasn't native nftables support (https://github.com/fwbuilder/fwbuilder/issues/17). > This email contains 2 changes/proposals for Debian 11 bullseye: > > 1) switch priority values for iptables/nftables, i.e, make nftables Priority: > important and iptables Priority: optional Ack. > 2) introduce firewalld as the default firewalling wrapper in Debian, at least > in > desktop related tasksel tasks. No objection. I think it's high time we have some default firewall installed in particular with IPv6 getting more widely deployed... The other desktop firewall that I know is "ufw" but it doesn't seem to have any momentum behind it. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/
Re: default firewall utility changes for Debian 11 bullseye
Hi! On Tue, 2019-07-16 at 11:07:15 +0200, Arturo Borrero Gonzalez wrote: > as you may know, Debian 10 buster includes the iptables-nft utility by > default, which is an iptables flavor that uses the nf_tables kernel > subsystem. Is intended to help people migrate from iptables to nftables. Yeah, this was a great way to migrate, thanks! > This email contains 2 changes/proposals for Debian 11 bullseye: > > 1) switch priority values for iptables/nftables, i.e, make nftables Priority: > important and iptables Priority: optional Ack. We should really be moving towards nftables, which is so much better in any possible way. I think doing this early would be good so that we can find any remaining issues (at least in documentation) about migrating from iptables to nftables. As mentioned elsewhere, while you can do the change in the packages you maintain, you'll still need to file an override change request against ftp.debian.org so that this gets actually modified. :) > 2) introduce firewalld as the default firewalling wrapper in Debian, > at least in desktop related tasksel tasks. I've never used this nor do use a traditional desktop, so have no opinion on it, and I'm not sure I care deeply TBH. :) Thanks, Guillem
