On Fri, 16 Jan 2026 15:55:43 +0000 "Randall Rose" <[email protected]> wrote:
> Sorry, I left out some context. The context is that I simply do not
> want to connect a machine to the internet without a firewall -- ever.
> Regardless of how secure Linux may be in the abstract, I believe
> zero-days exist for Linux, and I prefer the extra security that a
> firewall provides. For example, I do not want to allow a random
> outside node to do ssh into my machine even though I use passwords.

While privilege escalation vulnerabilities exist, someone outside the machine cannot exploit them if you don't have anything listening to network traffic. To wit, it is impossible to exploit a vulnerability in Apache if Apache isn't running. Debian does not install a firewall by default in part for this reason: a basic installation does not leave the machine vulnerable to remote compromise.

ufw comes from Ubuntu, which is a *very* different beast. Ubuntu includes many potential remote exploits by default, so including a sanely configured, simple-to-manage firewall makes sense in the environments Ubuntu is intended to be used in, which is non-technical users who don't know tech and don't care about tech. You can include RHEL and Fedora, SLES and openSUSE in this as well: they all include many services in default installations, along with firewalls, where minimalist, do-it-yourself distros like Debian and Arch and Gentoo do not.

> Or is the idea that after doing the default install of Debian, you
> use a web browser to find how to configure iptables to make a strong
> firewall? But this also seems nutty to me, even apart from the
> problem in using a web browser with no firewall. There are online

Running a browser does not make the machine vulnerable to remote attack. Web browsers do not listen for incoming connections, so a deny-all-incoming firewall rule is a no-op. Browser exploits happen from the inside because the user downloads the exploit. Packet filter firewalls cannot prevent this.

> The problem is "If you're using ufw" is a big if. Ubuntu is the only

Your original post specified that you were starting ufw and copying out iptables rules. Don't do this. You will give yourself a broken network stack if you do.

> distro I know that provides ufw on its iso (unfortunately the install
> process doesn't include an option to have ufw enabled and running on
> first startup). On Debian, since no ufw package even exists on the
> iso, if you want a firewall as strong as ufw to be running before you

The Debian installation ISOs do not include it because it's unnecessary. See previous about remote and browser exploits.

0. Ideally you are operating behind a firewall of some sort such as a home router, but this isn't a requirement. I used to manage pools of hundreds of Linux machines at MIT, all exposed directly to the public Internet, and the only compromise I had to clean up was one machine with a bad root password.

> 1. Given that I want a firewall as strong as what "ufw enable"
> provides and Debian doesn't provide ufw on its iso, what is the best
> way to achieve it?

You do what we've already told you: install the OS and verify network configuration is working correctly. Then install your firewall manager of choice, and then configure and test your rules one at a time as you enable services.

> 2. Any thoughts on why it doesn't work to just do "iptables -A INPUT
> -j DROP; ip6tables -A INPUT -j DROP"? When I try that Firefox can't
> visit any websites.

I'm not specifically an iptables expert (I rely on other tools to do the grunt work for me), but that looks to me like you're dropping all traffic because you don't have any ACCEPT rules.

> 3. Any thoughts on why it doesn't work to do the Ubuntu detour I
> tried (go to Ubuntu 25.04 machine that can't safely connect to
> internet since it's no longer supported,

Mixing iptables and ufw will break your network configuration. Also, the assumption that it's "not safe" may be wrong, such as if the machine is already behind a firewall (see 0).
-- 
\m/ (--) \m/
_______________________________________________
Discuss mailing list
[email protected]
https://lists.blu.org/mailman/listinfo/discuss
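To make the point in answer 2 concrete, here is an added example (not from the thread or from any of the posters): a simplified Python model of how the netfilter INPUT chain evaluates rules in order with first match winning, run against a bare `-A INPUT -j DROP` ruleset and against a ufw-like default that first accepts loopback and ESTABLISHED/RELATED traffic. The packets, interface names and ports are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional, FrozenSet

# Simplified model of the INPUT chain: rules are tested top to bottom, the
# first matching rule decides, and the chain policy applies if none match.
# Constructed for illustration; not real netfilter code.

@dataclass
class Packet:
    iface: str      # interface the packet arrives on
    proto: str      # "tcp" or "udp"
    dport: int      # destination port on this host
    ctstate: str    # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass
class Rule:
    target: str                               # ACCEPT or DROP
    iface: Optional[str] = None               # -i lo
    proto: Optional[str] = None               # -p tcp
    dport: Optional[int] = None               # --dport 22
    ctstates: FrozenSet[str] = field(default_factory=frozenset)  # -m conntrack --ctstate ...

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (not self.ctstates or pkt.ctstate in self.ctstates))

def input_verdict(rules, pkt: Packet, policy: str = "ACCEPT") -> str:
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

# The ruleset from the question: only "iptables -A INPUT -j DROP".
QUESTION_RULES = [Rule("DROP")]

# Roughly what "ufw enable" sets up by default: accept loopback, accept the
# reply half of connections this host started, then deny everything else.
UFW_LIKE_RULES = [
    Rule("ACCEPT", iface="lo"),                                       # -i lo -j ACCEPT
    Rule("ACCEPT", ctstates=frozenset({"ESTABLISHED", "RELATED"})),   # --ctstate ESTABLISHED,RELATED -j ACCEPT
    Rule("DROP"),                                                     # -j DROP
]

# Constructed packets: the server's reply to Firefox's outbound HTTPS
# connection (arrives on our ephemeral port) and an unsolicited inbound SSH attempt.
HTTPS_REPLY = Packet("eth0", "tcp", 51234, "ESTABLISHED")
SSH_NEW = Packet("eth0", "tcp", 22, "NEW")

def compare() -> dict:
    """Verdict for (web reply, inbound ssh) under each ruleset."""
    return {name: (input_verdict(rules, HTTPS_REPLY), input_verdict(rules, SSH_NEW))
            for name, rules in (("question", QUESTION_RULES), ("ufw_like", UFW_LIKE_RULES))}

if __name__ == "__main__":
    for name, (web, ssh) in compare().items():
        print(f"{name}: web reply {web}, inbound ssh {ssh}")
```

The first ruleset drops the server's reply packets too, which is exactly why the browser cannot load anything; the second still denies the unsolicited SSH connection.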
