Thanks for this thoughtful reply. (Not that the other people who replied weren't thoughtful, it's just that I wasn't clear enough in my initial message.)
To reply to your points one-by-one:

> is this newly installed linux machine on a publicly routable IP Address, or is it sitting behind a NAT, comfortably sitting on a 192.168 (or 172.16, or 10.x) address?
>
> Related question: don't you have a network firewall at your border?

I'll check on these. I have the standard home router that Verizon provides for Fios, and my Linux machines are the only devices that use that router. But I would have to check on specifics and get back to you. It's also true that I might be reluctant to put my trust in anything Verizon gives when it comes to security/privacy issues. There are two risks with Verizon: that they wouldn't be careful enough, and that I wouldn't rule out them doing something I would consider malicious.

> Umm... ssh passwords are MUCH less secure than SSH Keys.. So I would rephrase this as "especially because I use passwords". Having said that, unless your machine is publicly routable, you won't be getting any external SSH connections.

Thanks, this is definitely useful info.

> Start your machine behind a firewall and get it configured before you put it on the public Internet.

That has been my plan from the beginning. The problem is, how do I get a working firewall before I put the machine on the public internet? Given Debian's hostility to firewall-first users like me, I've been finding it difficult to solve that problem.

>> 2. Any thoughts on why it doesn't work to just do "iptables -A INPUT -j DROP; ip6tables -A INPUT -j DROP"? When I try that Firefox can't visit any websites.
>
> Because that will drop ALL incoming packets -- even packets that are tied to existing connections. This is what the ESTABLISHED,RELATED is all about.

Thanks, that was my suspicion too, especially after I found that these iptables settings made Firefox unable to access any websites.

Unfortunately, when I searched online for suggestions on how to configure iptables or firewalld, almost all the suggested configurations I found were for "How to configure a firewall for a machine that will be a server" or assumed that the user wants things like ssh. The idea of doing "-A INPUT -j DROP" was, incredibly, the only suggestion I could find anywhere online that was claimed to block all potentially malicious connections initiated from outside. And, as you say, it doesn't work. I wouldn't have expected my use case/threat model to be so unusual that no one would have suggestions for it on existing web pages, but since it seems to be that way, I'm asking on this list.

> For what it's worth, Fedora comes with firewalld enabled by default in the configuration you desire (although I do believe that it allows SSH connections).

I had planned to do a separate thread on problems configuring firewalld on Fedora, but we might as well move that topic here. I did notice that Fedora comes with a version of firewalld that's up and running (no firewall-config, just firewall-cmd). But as you say, its firewall settings are too loose. So I can't safely connect Fedora to the internet out of the box. Again, it's very strange that Fedora's developers aren't providing a built-in option for my use case -- I think my use case is probably the same one that most users want if they only intend to do basic laptop stuff without relatively fancy things like ssh or webserver hosting, and are drawn to Linux for privacy/security reasons. Fedora 42's initial firewall actually enables a lot of stuff, not just ssh.

To be more specific, here is what I got, using an iso of Fedora 42, when I ran "firewall-cmd --list-all":

  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich-rules:

The man page for firewall-cmd is impenetrable -- lots of undefined terms like "policies", "services", "helpers", etc. I don't even know whether policies, services, helpers, etc. are things inside firewalld or things located elsewhere on the internet that firewalld can guard you against. I haven't been able to work out how to configure firewalld safely. If there is a safe way to configure Fedora 42's firewall so I can connect to the internet, I'd be glad to hear.

> You can (and should) also look into fail2ban for dynamic management.

Thanks for this suggestion and for your other help.

On Fri, Jan 16, 2026, at 11:10 AM, Derek Atkins wrote:
> Hi Randall,
>
> I've been working in the cyber-security industry for over 30 years, and I
> have a question for you: is this newly installed linux machine on a
> publicly routable IP Address, or is it sitting behind a NAT, comfortably
> sitting on a 192.168 (or 172.16, or 10.x) address?
>
> Related question: don't you have a network firewall at your border?
>
> more inline...
>
> On Fri, January 16, 2026 10:55 am, Randall Rose wrote:
>> Sorry, I left out some context. The context is that I simply do not want
>> to connect a machine to the internet without a firewall -- ever.
>> Regardless of how secure Linux may be in the abstract, I believe zero-days
>> exist for Linux, and I prefer the extra security that a firewall provides.
>> For example, I do not want to allow a random outside node to do ssh into
>> my machine even though I use passwords.
>
> Umm... ssh passwords are MUCH less secure than SSH Keys.. So I would
> rephrase this as "especially because I use passwords". Having said that,
> unless your machine is publicly routable, you won't be getting any external
> SSH connections.
>
> [snip]
>
>> Here are my questions, rephrased for clarity:
>>
>> 1. Given that I want a firewall as strong as what "ufw enable" provides
>> and Debian doesn't provide ufw on its iso, what is the best way to achieve
>> it?
>
> Start your machine behind a firewall and get it configured before you put
> it on the public Internet.
>
>> 2. Any thoughts on why it doesn't work to just do "iptables -A INPUT -j
>> DROP; ip6tables -A INPUT -j DROP"? When I try that Firefox can't visit
>> any websites.
>
> Because that will drop ALL incoming packets -- even packets that are tied
> to existing connections. This is what the ESTABLISHED,RELATED is all
> about.
>
> For what it's worth, Fedora comes with firewalld enabled by default in the
> configuration you desire (although I do believe that it allows SSH
> connections).
>
> You can (and should) also look into fail2ban for dynamic management.
>
> -derek
> --
> Derek Atkins 617-623-3745
> [email protected] www.ihtfp.com
> Computer and Internet Security Consultant

_______________________________________________
Discuss mailing list
[email protected]
https://lists.blu.org/mailman/listinfo/discuss
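The following is an added example for the two questions the thread leaves open (why "-A INPUT -j DROP" breaks browsing, and how to get a deny-all-unsolicited-inbound firewall on Debian with iptables and on Fedora 42 with firewalld). It is not code from either Randall or Derek and is not an official recipe from either distribution. It is written in POSIX shell because that is what both tools are driven from. The iptables-restore syntax, the firewall-cmd options and the "drop" zone and "dhcpv6-client" service names are the tools' own; the function names and the DRY_RUN switch are this example's. It assumes a single-interface laptop whose connection has no firewalld zone assigned (NetworkManager's default), so that the interface follows the default zone. The "firewall-cmd --list-all" output quoted above is that default zone, which on Fedora Workstation is named "FedoraWorkstation".

```shell
#!/bin/sh
# Added example, not code from the thread. A "drop everything unsolicited
# inbound, allow all outbound" host firewall for a desktop/laptop, first as
# iptables/ip6tables rulesets, then as the equivalent firewalld calls.
# Rules are produced by functions so they can be printed and checked
# before being loaded as root; nothing here touches iptables unless asked.
set -eu

# IPv4. "-A INPUT -j DROP" alone breaks browsing because the replies to
# the machine's own outbound TCP connections are inbound packets too; the
# conntrack ESTABLISHED,RELATED match is what lets those back in while
# still dropping every connection a remote host tries to open.
ipv4_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# IPv6 needs a few extras that conntrack does not see as replies:
# router advertisements and neighbour discovery (ICMPv6 134-136), without
# which the host cannot even learn its default route; packet-too-big
# (type 2) for path-MTU discovery; and DHCPv6 replies, which arrive from a
# different address than the multicast address the request went to.
ipv6_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 134 -s fe80::/10 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
-A INPUT -p udp --dport 546 -s fe80::/10 -j ACCEPT
COMMIT
EOF
}

# Load both rulesets (needs root and the iptables tools). Each *-restore
# call replaces the whole filter table in one step, so there is no window
# with a half-built ruleset.
apply_rules() {
    ipv4_rules | iptables-restore
    ipv6_rules | ip6tables-restore
}

# Fedora: the same policy through firewalld. Its built-in "drop" zone
# drops all unsolicited inbound traffic but still passes ESTABLISHED,
# RELATED packets, and an interface with no zone of its own follows the
# default zone, so making "drop" the default covers the laptop's NIC.
# With DRY_RUN=1 (the default here) the commands are printed, not run.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
firewalld_lockdown() {
    run firewall-cmd --set-default-zone=drop
    # DHCPv6 replies are not ESTABLISHED (see ipv6_rules); keep them.
    run firewall-cmd --permanent --zone=drop --add-service=dhcpv6-client
    run firewall-cmd --reload
    # Verify: the NIC should now be listed under "drop".
    run firewall-cmd --get-active-zones
}

case "${1:-check}" in
    check)     ipv4_rules; ipv6_rules; firewalld_lockdown ;;
    iptables)  apply_rules ;;
    firewalld) DRY_RUN=0; firewalld_lockdown ;;
esac
```

Run it with no arguments to print the rulesets and the firewall-cmd calls; "iptables" loads the rules on Debian (do this on the console before plugging in the network, so a mistake cannot lock you out of anything but the box in front of you), and "firewalld" runs the Fedora commands for real. On Debian the rules live only until reboot; the iptables-persistent package loads /etc/iptables/rules.v4 and rules.v6 at boot, so save the two functions' output there. DHCPv4 is normally unaffected by any of this because Linux DHCP clients use raw packet sockets that bypass the INPUT chain, which is why only the DHCPv6 case needs an explicit rule.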
