Hi Randall,

I've been working in the cyber-security industry for over 30 years, and I
have a question for you: is this newly installed Linux machine on a
publicly routable IP address, or is it sitting behind a NAT, comfortably
sitting on a 192.168 (or 172.16, or 10.x) address?

Related question:  don't you have a network firewall at your border?

more inline...

On Fri, January 16, 2026 10:55 am, Randall Rose wrote:
> Sorry, I left out some context.  The context is that I simply do not want
> to connect a machine to the internet without a firewall -- ever.
> Regardless of how secure Linux may be in the abstract, I believe zero-days
> exist for Linux, and I prefer the extra security that a firewall provides.
>  For example, I do not want to allow a random outside node to do ssh into
> my machine even though I use passwords.

Umm... SSH passwords are MUCH less secure than SSH keys. So I would
rephrase this as "especially because I use passwords". Having said that,
unless your machine is publicly routable, you won't be getting any external
SSH connections.

[snip]

> Here are my questions, rephrased for clarity:
>
> 1. Given that I want a firewall as strong as what "ufw enable" provides
> and Debian doesn't provide ufw on its iso, what is the best way to achieve
> it?

Start your machine behind a firewall and get it configured before you put
it on the public Internet.

> 2. Any thoughts on why it doesn't work to just do "iptables -A INPUT -j
> DROP; ip6tables -A INPUT -j DROP"?  When I try that Firefox can't visit
> any websites.

Because that will drop ALL incoming packets -- even packets that are tied
to existing connections.  This is what the ESTABLISHED,RELATED is all
about.

For what it's worth, Fedora comes with firewalld enabled by default in the
configuration you desire (although I do believe that it allows SSH
connections).

You can (and should) also look into fail2ban for dynamic management.

-derek
-- 
       Derek Atkins                 617-623-3745
       [email protected]             www.ihtfp.com
       Computer and Internet Security Consultant

_______________________________________________
Discuss mailing list
[email protected]
https://lists.blu.org/mailman/listinfo/discuss
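As an added illustration of the ESTABLISHED,RELATED point (this is example code, not something from Derek's or Randall's messages): the script below prints a stateful default-drop ruleset in iptables-restore format for both IPv4 and IPv6. It accepts loopback and reply traffic for connections the machine itself opened (which is what the bare "iptables -A INPUT -j DROP" was missing, and why Firefox stopped working), allows ICMPv6 so IPv6 neighbour discovery keeps functioning, and only admits new SSH connections from an assumed LAN prefix. The SSH_ALLOW_FROM_V4 and SSH_ALLOW_FROM_V6 defaults are constructed placeholders to be replaced with your own network.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Prints (and optionally applies) a stateful default-drop INPUT policy.
# Assumptions: iptables-restore / ip6tables-restore exist and you run "apply" as root.
# The two networks below are constructed placeholders; set them to your own LAN.
SSH_ALLOW_FROM_V4="${SSH_ALLOW_FROM_V4:-192.168.1.0/24}"
SSH_ALLOW_FROM_V6="${SSH_ALLOW_FROM_V6:-fd00::/8}"

# ruleset FAMILY  (FAMILY is 4 or 6) -> writes an iptables-restore ruleset to stdout.
# The default policy on INPUT is DROP, so anything not explicitly accepted is dropped;
# this is safer than a trailing "-A INPUT -j DROP" because later "-A" rules cannot
# accidentally land behind the drop.
ruleset() {
    family="$1"
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Local processes talking to each other over loopback.
    echo "-A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened (web browsing, DNS, updates).
    # Without this line every inbound reply packet is dropped and nothing works.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    if [ "$family" = 4 ]; then
        echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
        echo "-A INPUT -p tcp --dport 22 -s $SSH_ALLOW_FROM_V4 -m conntrack --ctstate NEW -j ACCEPT"
    else
        # IPv6 breaks (no neighbour discovery, no router advertisements) if ICMPv6 is dropped.
        echo "-A INPUT -p ipv6-icmp -j ACCEPT"
        echo "-A INPUT -p tcp --dport 22 -s $SSH_ALLOW_FROM_V6 -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo "COMMIT"
}

# has_state_rule FAMILY -> exit 0 if the generated ruleset lets reply traffic in.
has_state_rule() {
    ruleset "$1" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# input_policy FAMILY -> prints the INPUT chain's default policy (DROP).
input_policy() {
    ruleset "$1" | sed -n 's/^:INPUT \([A-Z]*\).*/\1/p'
}

# apply_ruleset -> loads both rulesets atomically into the kernel (root only).
apply_ruleset() {
    ruleset 4 | iptables-restore
    ruleset 6 | ip6tables-restore
}

case "${1:-}" in
    show)  ruleset 4; echo; ruleset 6 ;;
    apply) apply_ruleset ;;
esac
```

Run it as "sh firewall.sh show" to inspect the rules, then "sh firewall.sh apply" as root once they look right; do the applying from the console or while already behind the NAT box so a mistake in the SSH line does not lock you out. Keep the ruleset in /etc/iptables/ (or whatever your distribution's iptables-persistent/netfilter-persistent package reads) so it survives a reboot.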
