Hi Arturo! I know that this discussion took place some months ago, but I am just now getting around to catching up on some old threads :-)

On Tue, Jul 30, 2019 at 01:52:30PM +0200, Arturo Borrero Gonzalez wrote:
> Ok, after a couple of weeks, let's try to summarize:
>
> On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote:
> >
> > This email contains 2 changes/proposals for Debian 11 bullseye:
> >
> > 1) switch priority values for iptables/nftables, i.e, make nftables Priority:
> > important and iptables Priority: optional
> >
>
> Nobody seems to disagree with this point. So I will be doing this soon.
>

It looks like the situation in sid has not changed yet:

(sid)root@build01:/tmp# apt-cache show iptables nftables | egrep 'Package|Version|Priority|^$'
Package: iptables
Version: 1.8.4-1
Priority: important

Package: nftables
Version: 0.9.3-1
Priority: optional

Do you still intend to make the change in priorities?

> > 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> > desktop related tasksel tasks.
> >
>
> There are some mixed feelings about this. However I couldn't find any strong
> opinion against either.
>
> What I would do regarding this is (just a suggestion):
> * raise priority of firewalld
> * document in-wiki what defaults are, and how to move away from them
> * include some documentation bits in other firewalling wrappers on how to deal
> with this default, i.e what needs to be changed in the system for ufw to work
> without interferences (disable firewalld?)
>

I like the idea of documenting this all in a wiki.

[Side note: I maintain Shorewall in Debian and since the upstream author announced his retirement earlier this year several of the most active developers/community members (including me) have begun the process of taking over the project from him. One of the items we have discussed is support for nftables, so I can see that changing in the coming year, making a wiki page a good choice for where to document Shorewall integration with various Debian parts.]

Incidentally, the Debian Installation Guide makes no mention of firewalls or even basic steps to secure the system. If a wiki page is developed that documents the various firewall integration options, it would be nice if it became the basis of a new section in the installation manual (perhaps under section 8, Next Steps and Where to Go From Here). It may also be a good addition/improvement to the Securing Debian Manual.

In any event, I am just offering some thoughts; perhaps they might be of some use.

Regards,

-Roberto

--
Roberto C. Sánchez