Hi Rich,

Thanks, you make several good points.  

Most of my criticism of Debian still stands. The installer that is run from the 
Debian iso does allow installing some features that will listen to network 
traffic (though you can uncheck those options).  Debian is a widely used 
distro, and as Kent kind of mentions its audience is not limited to the most 
highly skilled people (I think Arch and Gentoo skew more towards a highly 
skilled audience than Debian does).  From my perspective, if a distro is used 
by naive users and it sometimes installs things out-of-the-box that may have 
security vulnerabilities which a firewall could help with, then its installer 
should offer a checkbox for installing a firewall with reasonable settings 
that's already up and running on first boot. And even if Debian fails to offer 
that as a checkbox during install, it should in any case install firewall 
software to the hard disk so it's available on first boot.

Your point about having a firewall on the router (which Derek also mentioned) 
is correct: I'm sitting behind my router firewall which has a NAT.  But I still 
need a firewall in case there is an attacker on the same Wifi network.  It 
doesn't even have to be my home network -- if I take my laptop elsewhere and 
use a Wifi network where people I don't know have the Wifi password, it helps 
to have a firewall of my own on my laptop.  You can't simply rely on the 
router's firewall.  As I mentioned to Derek, I don't want to just trust the 
router or the company that provides it.

I want to make sure my point about ufw and iptables is clear.  I definitely did 
not say I was mixing ufw and iptables in the sense of running iptables commands 
on the same machine that runs ufw.  I hope you're not responding as if I was 
saying that.  What I said was that I am looking to find out how to configure 
iptables -- I want to know which iptables commands will give me a firewall as 
strong as "ufw enable".  Specifically, I mentioned that I tried enabling ufw on 
a machine running a no-longer-supported version of Ubuntu (this is a machine 
that can't safely connect to the internet), and after enabling ufw on that 
machine I did iptables-save and ip6tables-save to find the corresponding 
commands for iptables.  Then I took those commands given by iptables-save and 
ip6tables-save and ran them on a different machine with Debian installed, which 
doesn't have ufw.  So, as you see, I was not actually mixing ufw and iptables 
on the same machine.  I was using two different machines so as to extract the 
set of iptables commands that would hopefully give a result equivalent to ufw.

My question is: why is it that, after taking that ufw-derived set of iptables 
commands and running them on a Debian machine that doesn't have ufw, I still 
find that Firefox on that Debian machine can't access any websites?  And since 
this ufw-derived approach (which does NOT involve mixing ufw and iptables) 
doesn't work, is there any other way of configuring iptables that will maximize 
blocking of connections initiated from outside while still allowing basic 
consumer-laptop things like web browsing?

On Fri, Jan 16, 2026, at 3:36 PM, Rich Pieri wrote:
> On Fri, 16 Jan 2026 15:55:43 +0000
> "Randall Rose" <[email protected]> wrote:
>
>> Sorry, I left out some context.  The context is that I simply do not
>> want to connect a machine to the internet without a firewall -- ever.
>>  Regardless of how secure Linux may be in the abstract, I believe
>> zero-days exist for Linux, and I prefer the extra security that a
>> firewall provides.  For example, I do not want to allow a random
>> outside node to do ssh into my machine even though I use passwords.
>
> While privilege escalation vulnerabilities exist, someone outside the
> machine cannot exploit them if you don't have anything listening to
> network traffic. To wit, it is impossible to exploit a vulnerability in
> Apache if Apache isn't running. Debian does not install a firewall by
> default in part for this reason: a basic installation does not leave
> the machine vulnerable to remote compromise.
>
> ufw comes from Ubuntu which is a *very* different beast. Ubuntu
> includes many potential remote exploits by default, so including a
> sanely configured, simple to manage firewall makes sense in the
> environments Ubuntu is intended to be used, which is non-technical
> users who don't know tech and don't care tech. You can include RHEL and
> Fedora, SLES and openSUSE in this as well: they all include many
> services in default installations, along with firewalls, where
> minimalist, do it yourself distros like Debian and Arch and Gentoo do
> not.
>
>
>> Or is the idea that after doing the default install of Debian, you
>> use a web browser to find how to configure iptables to make a strong
>> firewall?  But this also seems nutty to me, even apart from the
>> problem in using a web browser with no firewall.  There are online
>
> Running a browser does not make the machine vulnerable to remote
> attack. Web browsers do not listen for incoming connections so a deny
> all incoming firewall rule is a no-op. Browser exploits happen from the
> inside because the user downloads the exploit. Packet filter firewalls
> cannot prevent this.
>
>
>> The problem is "If you're using ufw" is a big if.  Ubuntu is the only
>
> Your original post specified that you were starting ufw and copying out
> iptables rules. Don't do this. You will give yourself a broken network
> stack if you do.
>
>> distro I know that provides ufw on its iso (unfortunately the install
>> process doesn't include an option to have ufw enabled and running on
>> first startup).  On Debian, since no ufw package even exists on the
>> iso, if you want a firewall as strong as ufw to be running before you
>
> The Debian installation ISOs do not include it because it's
> unnecessary. See previous about remote and browser exploits.
>
>
> 0. Ideally you are operating behind a firewall of some sort such as a
> home router, but this isn't a requirement. I used to manage pools of
> hundreds of Linux machines at MIT, all exposed directly to the public
> Internet, and the only compromise I had to clean up was one machine with
> a bad root password.
>
>> 1. Given that I want a firewall as strong as what "ufw enable"
>> provides and Debian doesn't provide ufw on its iso, what is the best
>> way to achieve it?
>
> You do what we've already told you: install the OS and verify network
> configuration is working correctly. Then install your firewall manager
> of choice, and then configure and test your rules one at a time as you
> enable services.
>
>> 2. Any thoughts on why it doesn't work to just do "iptables -A INPUT
>> -j DROP; ip6tables -A INPUT -j DROP"?  When I try that Firefox can't
>> visit any websites.
>
> I'm not specifically an iptables expert (I rely on other tools to do
> the grunt work for me) but that looks to me like you're dropping all
> traffic because you don't have any ACCEPT rules.
>
>> 3. Any thoughts on why it doesn't work to do the Ubuntu detour I
>> tried (go to Ubuntu 25.04 machine that can't safely connect to
>> internet since it's no longer supported, 
>
> Mixing iptables and ufw will break your network configuration. Also,
> the assumption that it's "not safe" may be wrong, such as if the
> machine is already behind a firewall (see 0).
>
> -- 
> \m/ (--) \m/
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.blu.org/mailman/listinfo/discuss
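Rich's diagnosis of "iptables -A INPUT -j DROP" (no ACCEPT rules, so everything is dropped) is the answer to the question of why Firefox stops working: the replies to the connections Firefox itself opened also arrive on the INPUT chain, and with nothing accepting ESTABLISHED traffic they are discarded along with the unsolicited packets. The script below is an added example written for this thread, not code posted by either Randall or Rich and not a copy of what "ufw enable" installs (ufw's own rule set also allows mDNS and UPnP multicast, rate-limits some traffic and adds logging). It assumes a stock Debian kernel with iptables/ip6tables and the conntrack match available, a DHCP client that needs replies on UDP 68 (IPv4) and 546 (IPv6), and a laptop that should not be reachable from outside at all; the script name laptop-fw.sh and the function names are the example's own. Running it without arguments only prints the rules, so it can be inspected first; the rules are not persisted, which is what iptables-save and ip6tables-save are for.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: a minimal stateful
# host firewall for a laptop, generated for both iptables and ip6tables.
#
# Why a bare "iptables -A INPUT -j DROP" kills web browsing: HTTP responses
# to connections the laptop opened arrive on INPUT too, so without an ACCEPT
# for ESTABLISHED traffic they are dropped like everything else.
#
# Assumptions: iptables/ip6tables and the conntrack match exist (stock Debian
# kernel), the DHCP client needs replies on UDP 68/546, nothing should be
# reachable from outside.  Rules are not persisted; use iptables-save.
#
# Usage:  sh laptop-fw.sh             # print the rules
#         sudo sh laptop-fw.sh apply  # install them

# Print the rules for one address family.  $1 is "iptables" or "ip6tables".
gen_rules() {
    ipt="$1"
    # Start from an empty INPUT chain; outbound stays open, forwarding closed.
    echo "$ipt -F INPUT"
    echo "$ipt -P OUTPUT ACCEPT"
    echo "$ipt -P FORWARD DROP"
    # Loopback is used by many local programs (D-Bus, CUPS, local resolvers).
    echo "$ipt -A INPUT -i lo -j ACCEPT"
    # This is the rule the bare "-j DROP" was missing: let replies to
    # connections we initiated (and related ones, e.g. FTP data) back in.
    echo "$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ "$ipt" = ip6tables ]; then
        # Without ICMPv6, neighbour discovery and router advertisements fail
        # and the interface loses its IPv6 address.
        echo "$ipt -A INPUT -p ipv6-icmp -j ACCEPT"
        echo "$ipt -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT"
    else
        # Rate-limited ping; delete this line to stop answering pings.
        echo "$ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"
        echo "$ipt -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT"
    fi
    # Flip the policy last, after the ACCEPT rules are in place, so existing
    # connections are never cut during the change.
    echo "$ipt -P INPUT DROP"
}

# Execute the generated rules for both address families (needs root).
apply_rules() {
    gen_rules iptables | sh -e
    gen_rules ip6tables | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    *) gen_rules iptables; gen_rules ip6tables ;;
esac
```

After "apply", "iptables -L INPUT -v -n" should show the ACCEPT rules above with a DROP policy, and a browser still works because its replies match ESTABLISHED. To later allow an incoming service (say ssh from the LAN only), insert an explicit "-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT" before the policy line rather than loosening the policy.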
