Sorry, I left out some context.  The context is that I simply do not want to 
connect a machine to the internet without a firewall -- ever.  Regardless of 
how secure Linux may be in the abstract, I believe zero-days exist for Linux, 
and I prefer the extra security that a firewall provides.  For example, I do 
not want to allow a random outside node to do ssh into my machine even though I 
use passwords.

I know this sounds strange to some people, it is just my preference.  Debian 
takes an approach that I also find very strange:
--They don't provide an option in the initial built-in install process that 
would ensure that a firewall is already set up the moment that you initially 
connect to the internet.
--Worse, their initial install boots you into a state where there are not even 
any executables on your machine that can be used as a firewall.
--Although a .deb for iptables is on their iso, it is not loaded by default, 
and it takes some head-scratching to figure out that this .deb is actually 
present and find a way to install it (they don't tell you whether iptables or 
other firewall software is present).
--Even if you do manage to find and install the .deb for iptables before any 
connection to the internet is made, it is still quite difficult to configure 
iptables to make a firewall as good as what is provided by "ufw enable".  It is 
fair to say that if you're stuck looking at a machine with Debian newly 
installed, and can't connect to the internet because there is no adequate 
firewall, materials like the man page for iptables would give you no clue how 
to configure iptables to make a sufficiently strong firewall.

I'm wondering what the Debian developers could possibly have been thinking.  
Maybe they think that if you want a strong firewall like what "ufw enable" 
provides, you have to first connect to the internet WITHOUT ANY ADEQUATE 
FIREWALL and then get ufw from a repository?!?  That seems nutty to me and 
seems to undermine the point of using a firewall. 

Or is the idea that after doing the default install of Debian, you use a web 
browser to find how to configure iptables to make a strong firewall?  But this 
also seems nutty to me, even apart from the problem in using a web browser with 
no firewall.  There are online instructions for configuring a firewall with 
iptables or firewall-cmd (note that Debian does not provide firewall-cmd or 
firewalld on their iso) -- but the instructions and model configurations that 
are available online for iptables or firewall-cmd seem designed for a server or 
a machine that wants to do things like ssh, not a basic end-user machine where 
the priority is just making it as hard as possible for another node to initiate 
any kind of successful internet connection.

I guess the Debian people just don't understand the use case of a Linux user 
whose priority is just blocking connections initiated from outside as 
thoroughly as possible, without excessive difficulty in configuring the 
firewall.  For that matter, there seem to be no web pages that could tell a 
naive user how to do this (I haven't found any web pages that work).

Note that I have no evilphone, so in my current state where I don't have an iso 
that can set up a strong firewall before connecting to the internet, I can't 
just check the web by phone.

Here are my specific responses to what people posted:

Rich Pieri writes:
> If you're using ufw then you don't do any of what you've done with
> iptables. Out of the box, ufw permits all outbound connections and
> denies all inbound connections.
>
> Install base OS, configure networking. Do NOT enable any iptables
> rules or services because they WILL conflict with ufw. Make sure this is
> working before you do anything else. Then you can install ufw and start
> the service:
>
>       sudo systemctl enable --now ufw
>
> and you're done. From here I suggest reviewing the Arch Linux wiki
> article for ufw. It has useful examples of things you can do such as
> permitting port 22 from the local network.

The problem is "If you're using ufw" is a big if.  Ubuntu is the only distro I 
know that provides ufw on its iso (unfortunately the install process doesn't 
include an option to have ufw enabled and running on first startup).  On 
Debian, since no ufw package even exists on the iso, if you want a firewall as 
strong as ufw to be running before you connect to the internet, Debian 
effectively tells you "Go take a hike".  So Rich's phrase "Out of the box" is 
exactly what's not possible with Debian.

Kent Borg writes:
> I think this is easier:
> • Install the OS without a firewall.
> • Get it working.
> • Set up the firewall later—if at all.

True, this is easier given the fact that firewalls aren't as much of a 
necessity in Kent's view as they are in mine.  But I don't think Kent has 
addressed my specific concern: given that I won't connect to the internet at 
all without a strong firewall in place, my question was how can I get that 
firewall in place when Debian doesn't provide one in the iso?  

markw writes:
> A firewall is software that selectively inhibits communication.
> (1) Turn off the firewall, completely.
> (2) Test connectivity
> (3) If you can't connect, it isn't the firewall, it's your network
> configuration.

This has the same problem.  I have no way to test connectivity with the 
firewall off (though I can at least see that my machine can detect my Wifi 
router).  I will not let my machine connect to the internet without a strong 
firewall on.  I don't want to pick up a malware infection that's beyond my 
ability to clean.  

"Antivirus" software is basically nonexistent on Linux.  Unfortunately Linux 
falls in the troublesome gap between widely popular OSes that have a huge 
enough user base to provide a market for high-quality anti-malware software, 
and extremely secure OSes like OpenBSD which lack the user base but are so 
strongly secured that you don't really need anti-malware software.  So, in my 
view, I have to face the fact that Linux machines can easily be damaged by 
malware in ways that are not easily repairable, and approach connections to the 
internet accordingly.

Here are my questions, rephrased for clarity:

1. Given that I want a firewall as strong as what "ufw enable" provides and 
Debian doesn't provide ufw on its iso, what is the best way to achieve it?
2. Any thoughts on why it doesn't work to just do "iptables -A INPUT -j DROP; 
ip6tables -A INPUT -j DROP"?  When I try that Firefox can't visit any websites.
3. Any thoughts on why it doesn't work to do the Ubuntu detour I tried (go to 
an Ubuntu 25.04 machine that can't safely connect to the internet since it's no 
longer supported, run ufw enable, dump the output of iptables-save and 
ip6tables-save into text files since Ubuntu 25.04 has the same version of 
iptables as Debian, then use those text files on the Debian machine as input to 
iptables-restore and ip6tables-restore)?  Again, when I try that Firefox can't 
visit any websites.
_______________________________________________
Discuss mailing list
[email protected]
https://lists.blu.org/mailman/listinfo/discuss
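An added example, written for this page and not taken from the post above or from any of the quoted replies, showing the kind of ruleset question 2 is asking about. A bare `iptables -A INPUT -j DROP` also drops the replies to connections the machine itself opened (a web server's SYN-ACK arrives on the INPUT path), which is why the browser can no longer load pages. The script emits a "deny new inbound, allow outbound" ruleset in the text format that iptables-restore and ip6tables-restore read, with an ESTABLISHED,RELATED accept placed before the default DROP. The function names `ipv4_rules`, `ipv6_rules` and `apply_rules` are this example's own; it assumes a Debian-style host with the iptables package installed and a DHCP-configured interface, and accepting all ICMPv6 is a simplification (a stricter policy would list only the neighbour-discovery and router-advertisement types).

```shell
#!/bin/sh
# Added example (not from the mailing-list post): a minimal stateful
# host firewall in iptables-restore / ip6tables-restore format.
# Function names are this example's own, not from any tool or package.

# IPv4 ruleset. Default policy DROP on INPUT and FORWARD, ACCEPT on OUTPUT.
# Comment lines starting with '#' are ignored by iptables-restore.
ipv4_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is used by local services (DNS stub resolvers, D-Bus, the display server)
-A INPUT -i lo -j ACCEPT
# replies to connections this host initiated, plus related traffic such as ICMP errors
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that conntrack cannot associate with any flow
-A INPUT -m conntrack --ctstate INVALID -j DROP
# DHCP offers/acks from the router (server port 67 to client port 68)
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
COMMIT
EOF
}

# IPv6 ruleset. Same shape; ICMPv6 must be allowed or neighbour discovery
# and router advertisements stop working and IPv6 connectivity is lost.
ipv6_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# neighbour discovery, router advertisements, path MTU discovery
-A INPUT -p ipv6-icmp -j ACCEPT
# DHCPv6 replies (server port 547 to client port 546)
-A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
COMMIT
EOF
}

# Number of "-A INPUT" rules in a ruleset; useful for a quick sanity check
# before loading anything into the kernel.
count_input_rules() {
    "$1" | grep -c '^-A INPUT'
}

# Load both rulesets atomically. Needs root and the iptables package.
# iptables-restore replaces the whole table, so it does not stack
# duplicate rules the way repeated "iptables -A" invocations do.
apply_rules() {
    ipv4_rules | iptables-restore && ipv6_rules | ip6tables-restore
}

# Only touch the kernel when explicitly asked; otherwise print the rules.
case "${1:-}" in
    --apply) apply_rules ;;
    "")      ipv4_rules; ipv6_rules ;;
esac
```

Run without arguments to review the generated text, or with `--apply` as root to load it. iptables-restore changes the running kernel tables immediately but does not persist across a reboot; Debian's iptables-persistent package (or a boot-time script that runs the same restore) is the usual way to keep the rules in place.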
