Good points.  However, I don't think I said that Debian should DEFAULT to 
installing a firewall that is actively up and running.  I said two different 
things:

1. Debian should have a checkbox during the iso's install process which, if 
checked, installs a firewall whose settings default to something reasonable so 
that this firewall is up and running on first boot.  That checkbox could start 
out unchecked, but the point is to make it visible to users as they set up the 
system, and to give them a very simple process for getting an up-and-running 
firewall onto their system from the beginning if they so desire.  Remember, 
Debian has a lot of users who don't know that much.  Many users prefer to have 
the firewall up and running on first boot, and really don't want this to be 
more difficult than necessary.  It helps them stay in control without requiring 
them to learn a lot of firewall configuration stuff they'll basically never 
need.  If the install option is done right, users who want an uncomplicated 
firewall may be able to use Linux without immediately learning the name of the 
firewall application and without immediately learning what commands you have to 
give to that application.  Also, there really are lots of users who definitely 
prefer having a firewall on all the time but don't have it as top of mind, and 
they would really appreciate having the checkbox during the install process so 
that they don't find themselves in a situation of "Yikes!  I've been using a 
system that has no firewall when I really would have wanted one."  Not offering 
this contributes to the feeling that Linux is hard to use and full of pitfalls 
for the unwary, which helps the closed-source monopolies exploit people.

2. In addition, and in any case, Debian's iso should install a system on the 
hard disk which contains an executable for a firewall even if that firewall is 
not up and running.  Since Debian does not do this at present, firewall-first 
users like me face a difficult situation after installing a Debian iso: "What's 
the name of the firewall application on Debian?  Where can I find it on my hard 
disk?  What do you mean there isn't any such application on my hard disk?"  It 
takes a while to slowly work out that iptables, which the iso fails to copy to 
the hard disk, actually is buried somewhere on the iso as an uninstalled .deb.  
For many users it would be better if Debian actually put the executable on the 
hard disk instead of making us manually retrieve it from the iso.

Point 1 (about a checkbox during the install process) actually applies to other 
distros and not just Debian. Point 2 (about the need, at a minimum, to put an 
executable on the hard disk during installation) is a mistake that Debian makes 
-- most other popular distros at least get this part right.

Note that the installer on Debian's iso obtains substantial information about 
the user's preferences -- for instance, it asks whether the user wants 
webserver software installed and I think it also asks whether the user wants 
ssh.  That information could be used by the installer to choose a sensible 
default configuration for the firewall, *IF* the user checks the checkbox 
asking for a firewall to be up and running out of the box.

I understand how some believe that firewalls are always or often 
counterproductive.  I just don't share that view.  Although firewalls aren't 
perfect protection, nothing is perfect protection in this day and age.  I would 
rather have the additional protection provided by a firewall even though I know 
it's not perfect, and I prefer if that protection is set to a strong level that 
doesn't interfere with everyday tasks.  That is how security usually goes, in 
my view.  The fact that people naturally disagree with one another on this 
doesn't make it irrational to hold my view, which many people share.

Also, it turns out not to be helpful for me if I'm told "Ensure your system has 
nothing listening to the network, then you won't need a firewall."  Like most 
Linux users I simply don't know whether my machine has something listening to 
the network.  If I used "ps" to list the processes that are currently running 
on my system, I wouldn't know which of them are listening to the network.  Nor 
would I know how to find out.  One of the values of having a firewall is that 
you don't need to know which of the thousands of packages installed on your 
machine could potentially be listening to the network, just like you don't need 
to know which of these thousands of packages have remote security holes.  With 
a firewall you can just block them all, with the option of changing the 
configuration later if you need to.  That is far more practical for most users.

Of course, if you can recommend a way of finding out which of the thousands of 
packages that currently are or might later be on my machine could be listening 
to the network, I would appreciate hearing.  That would be useful information.  
I just don't know it.

On Fri, Jan 16, 2026, at 11:16 PM, Kent Borg wrote:
> You have a clear preference for a firewall:
>
>> The context is that I simply do not want to connect a machine to the 
>> internet without a firewall -- ever.  Regardless of how secure Linux may be 
>> in the abstract, I believe zero-days exist for Linux, and I prefer the extra 
>> security that a firewall provides.
> And that is up to you. (I have plenty of opinions and priorities that 
> others don't need to share.) And I do hate it when I ask a technical 
> question and the answers I get back are "Why do you want to do that?" 
> and "Don't.". I am sorry to have been in that camp.
>
> Go ahead and put on a firewall, I'm not qualified to help, so I should 
> maybe stay quiet.
>
>
> On 1/16/26 2:07 PM, Randall Rose wrote:
>> Most of my criticism of Debian still stands. […] From my perspective, if a 
>> distro is used by naive users and it sometimes installs things 
>> out-of-the-box that may have security vulnerabilities which a firewall could 
>> help with, then its installer should offer a checkbox for installing a 
>> firewall with reasonable settings that's already up and running on first 
>> boot.
>
> But that extremely short-duration quiet ends because I think you are 
> making an unfair complaint against Debian.
>
> It is very reasonable to make a technical argument that a firewall 
> simply isn't needed in a basic install of Debian, yet it is significant 
> complexity to get wrong, and once a firewall is in place it can be a 
> further source of confusion, and that confusion creates security vulnerabilities.
>
> Certainly one can customize an installation in such a way that a 
> firewall makes very good sense, and install a firewall. Both of 
> those are up to you.
>
> But a complex extra layer, that is hard to configure, being installed by 
> default when not needed, seems a mistake.
>
>
> A practical path is still:
>
> 1. Do a basic install, with no services listening to the network, and so 
> nothing for a firewall to protect.
>
> 2. Get the computer configured and actually working, on your network, 
> able to get updates and install new stuff from the internet. Still 
> nothing for a firewall to protect.
>
> 3. Install a firewall and get it working, even though there is still 
> nothing to protect.
>
> 4. Finally do further customizations, including installing anything 
> (iffy or not) that listens to the network, and might need protection; 
> revisiting the details of #3 as necessary.
>
>
> Now if you have problems in #3 and #4 those problems are pretty isolated 
> to #3 and #4, you started with a working machine and presumably revert 
> to your previous configuration.
>
>
> -kb, the Kent who thinks decades of firewalls have hurt security by 
> giving users a false sense of security and giving legions of programmers 
> a gigantic excuse for doing crappy work.
_______________________________________________
Discuss mailing list
[email protected]
https://lists.blu.org/mailman/listinfo/discuss
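An added example, not code from the thread or from Debian, for the question raised above about finding out which of the installed packages is actually listening on the network: it reads /proc/net/tcp and /proc/net/udp directly (so it works before any tool such as ss is installed), maps each listening socket's inode to a process through /proc/<pid>/fd, and asks dpkg which package owns that process's executable. Assumptions: a Linux /proc filesystem and a Debian dpkg; the SAMPLE_PROC_NET_TCP text is constructed for illustration.

```python
# Added example, not from the thread or Debian: list what is listening by reading
# /proc/net/{tcp,udp} directly, then map socket inode -> pid -> Debian package.
import os, subprocess
# Constructed sample in /proc/net/tcp format: row 0 is 0.0.0.0:22 in LISTEN (0A),
# row 1 is an established client connection (01) that must be ignored.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A3C4 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""
STATE = {"tcp": "0A", "udp": "07"}  # LISTEN for TCP; bound-without-peer for UDP

def parse_hex_addr(field):
    """'0100007F:0016' -> ('127.0.0.1', 22); IPv4 bytes are stored little-endian."""
    hexip, hexport = field.split(":")
    return ".".join(str(int(hexip[i:i + 2], 16)) for i in (6, 4, 2, 0)), int(hexport, 16)

def listening_sockets(text, proto="tcp"):
    """Return [(ip, port, uid, inode)] for every row in the listening state."""
    result = []
    for line in text.splitlines()[1:]:              # skip the header line
        f = line.split()
        if len(f) >= 10 and f[3] == STATE[proto]:
            ip, port = parse_hex_addr(f[1])
            result.append((ip, port, int(f[7]), f[9]))
    return result

def inode_to_pid():
    """Map socket inode -> pid via /proc/<pid>/fd symlinks (run as root to see all)."""
    mapping = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    mapping[target[8:-1]] = int(pid)
        except OSError:                              # process gone or not readable
            pass
    return mapping

def owning_package(pid):
    """Ask dpkg which package installed the process's executable (None if unpackaged)."""
    try:
        exe = os.readlink(f"/proc/{pid}/exe").replace(" (deleted)", "")
        r = subprocess.run(["dpkg", "-S", exe], capture_output=True, text=True)
        return r.stdout.split(":", 1)[0] if r.returncode == 0 else None
    except OSError:                                  # no such pid, or dpkg missing
        return None

if __name__ == "__main__":                           # live report on a Linux host
    pids = inode_to_pid()
    for proto in STATE:
        with open(f"/proc/net/{proto}") as fh:
            for ip, port, uid, inode in listening_sockets(fh.read(), proto):
                pid = pids.get(inode)
                print(f"{proto} {ip}:{port} uid={uid} pid={pid} pkg={owning_package(pid) if pid else None}")
```

Run it as root to see sockets owned by other users' processes; a listener whose package is None was not installed by dpkg and deserves a closer look.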