On Wed, Jul 31, 2019 at 04:27:24AM +0000, Scott Kitterman wrote:
> On July 30, 2019 11:52:30 AM UTC, Arturo Borrero Gonzalez <art...@debian.org> wrote:
> >On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote:
> >> 2) introduce firewalld as the default firewalling wrapper in Debian,
> >> at least in desktop related tasksel tasks.
> >
> >There are some mixed feelings about this. However I couldn't find any
> >strong opinion against either.
> >
> >What I would do regarding this is (just a suggestion):
> >* raise priority of firewalld
> >* document in-wiki what defaults are, and how to move away from them
> >* include some documentation bits in other firewalling wrappers on how to
> >deal with this default, i.e what needs to be changed in the system for
> >ufw to work without interferences (disable firewalld?)
> >
> >I don't maintain/control firewalld/ufw so I can't do these changes myself
> >and will leave to Cyril/Michael/Jaime handle the situation for new
> >bullseye install as they see fit.
>
> Please don't install one by default. I suspect it will cause more trouble
> for end users than it's worth. Making sure our default install is
> severely limited in what ports it listens to is likely more broadly useful
> and less risky.

+1000.

A network firewall is useful. But why would someone want a _host_ firewall
on any sane operating system?

If a daemon is not supposed to listen on the network, don't install it or
configure it that way. If a process is supposed to be contained and unable
to use the network, contain it.

A port blocker just sabotages the user's requests, requiring every
configuration action to be done twice. A user who actually has a complex
host setup needs basic skills to do so, and those skills are more involved
than installing a package would be.

Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian is one big family. Including that weird uncle
⢿⡄⠘⠷⠚⠋⠀ and ultra-religious in-laws.
⠈⠳⣄⠀⠀⠀⠀