You have a clear preference for a firewall:
The context is that I simply do not want to connect a machine to the internet
without a firewall -- ever. Regardless of how secure Linux may be in the
abstract, I believe zero-days exist for Linux, and I prefer the extra security
that a firewall provides.
And that is up to you. (I have plenty of opinions and priorities that
others don't need to share.) And I do hate it when I ask a technical
question and the answers I get back are "Why do you want to do that?"
and "Don't.". I am sorry to have been in that camp.
Go ahead and put on a firewall, I'm not qualified to help, so I should
maybe stay quiet.
On 1/16/26 2:07 PM, Randall Rose wrote:
Most of my criticism of Debian still stands. […] From my perspective, if a
distro is used by naive users and it sometimes installs things out-of-the-box
that may have security vulnerabilities which a firewall could help with, then
its installer should offer a checkbox for installing a firewall with reasonable
settings that's already up and running on first boot.
But that extremely short-duration quiet ends because I think you are
making an unfair complaint against Debian.
It is very reasonable to make a technical argument that a firewall
simply isn't needed in a basic install of Debian, yet it is significant
complexity to get wrong, and once a firewall is in place it can be a
further source of confusion that creates security vulnerabilities.
Certainly one can customize an installation in such a way that a
firewall makes very good sense, and install a firewall. Both of
those are up to you.
But a complex extra layer, that is hard to configure, being installed by
default when not needed, seems a mistake.
A practical path is still:
1. Do a basic install, with no services listening to the network, and so
nothing for a firewall to protect.
2. Get the computer configured and actually working, on your network,
able to get updates and install new stuff from the internet. Still
nothing for a firewall to protect.
3. Install a firewall and get it working, even though there is still
nothing to protect.
4. Finally do further customizations, including installing anything
(iffy or not) that listens to the network, and might need protection;
revisiting the details of #3 as necessary.
Now if you have problems in #3 and #4 those problems are pretty isolated
to #3 and #4, you started with a working machine and presumably revert
to your previous configuration.
-kb, the Kent who thinks decades of firewalls have hurt security by
giving users a false sense of security and giving legions of programmers
a gigantic excuse for doing crappy work.
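
Added example, not part of the original message: one way to check the premise of steps 1 and 2 (nothing listening to the network) before and after step 4. It assumes the `ss` tool from iproute2 and its `-H -tuln` output layout; the function name and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# exposed_listeners: read `ss -H -tuln` output on stdin and print
# "proto address port" for each socket bound to a non-loopback address.
# Loopback-only sockets are skipped: they are not reachable from the network.
exposed_listeners() {
    awk '
    {
        proto = $1; addr = $5                # column 5 is Local Address:Port
        n = match(addr, /:[^:]*$/)           # last colon splits host from port
        if (n == 0) next
        host = substr(addr, 1, n - 1)
        port = substr(addr, n + 1)
        sub(/%.*$/, "", host)                # drop interface scope such as %lo
        gsub(/^\[|\]$/, "", host)            # drop IPv6 brackets
        if (host ~ /^127\./ || host == "::1") next
        print proto, host, port
    }'
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE='udp   UNCONN 0 0    0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0 128  [::1]:631         [::]:*
tcp   LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:22        0.0.0.0:*'

# On a live machine, replace the sample with:  ss -H -tuln | exposed_listeners
printf '%s\n' "$SAMPLE" | exposed_listeners
```

An empty result means there is nothing reachable from the network; each line that does appear is a listener the rules from step 3 need to account for.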