"R. W. Rodolico" <[EMAIL PROTECTED]> writes:

> For workstations, I tend to use Kubuntu. On that, yes, I want a
> firewall, and since I recommend it to anyone who asks (and even have my
> sales staff using it), a default firewall is a Good Thing.

The part that concerns me about installing a firewall by default is that people seem to put irrational trust in a firewall and use it as an excuse to not address other security issues.

The *best* thing to do is to design secure services that either don't randomly listen to the network or that deal with network traffic in a secure fashion, and I'd really like to maintain Debian's emphasis there. Installing a firewall, which often does little or nothing, strikes me as cargo cult security, and cargo cult security can be worse than useless.

A well-designed and reviewed set of iptables rules provides additional defense in depth and we do deploy iptables on all of our servers and manage those rules as part of their Puppet model, but it's not something that you can tell an average user to just apt-get install and have work in a way that offers any real security, IMO.

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>