On 2019-12-19 12:29:59, Roberto C. Sánchez wrote:
> Hi Arturo!
>
> I know that this discussion took place some months ago, but I am just
> now getting around to catching up on some old threads :-)
Same here :)
> On Tue, Jul 30, 2019 at 01:52:30PM +0200, Arturo Borrero Gonzalez wrote:
> > > 2) in
Hi Wookey,
On Wednesday, 31 July 2019, Wookey wrote:
> On 2019-07-16 11:57 +0200, Raphael Hertzog wrote:
> >
> > What would/should Debian recommend to configure the firewall on the server
> > case ?
> >
> > I was recommending creating firewall rules with fwbuilder up to now (see
> > https://deb
Hi,
On Wednesday, 31 July 2019, Scott Kitterman wrote:
>
>
> On July 30, 2019 11:52:30 AM UTC, Arturo Borrero Gonzalez
> wrote:
> >Ok, after a couple of weeks, let's try to summarize:
> >
> >On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote:
> >>
> >> This email contains 2 changes/proposals
On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote:
> For the next release cycle I propose we move this default event further.
> As of this email, iptables [0] is Priority: important and nftables [1] is
> Priority: optional in both buster and bullseye. The important value means the
> package gets i
On 7/31/19 7:56 AM, Aron Xu wrote:
> be useful for a "standard" server installation with graphic desktop,
If we really start to provide that, we should better rename the project
to SAPian or SUSian or something like that...
--
Bernd Zeimetz                            Debian GNU/Linux Developer
Hi Arturo!
I know that this discussion took place some months ago, but I am just
now getting around to catching up on some old threads :-)
On Tue, Jul 30, 2019 at 01:52:30PM +0200, Arturo Borrero Gonzalez wrote:
> Ok, after a couple of weeks, let's try to summarize:
>
> On 7/16/19 11:07 AM, Artur
On August 1, 2019 10:42:37 AM UTC, Arturo Borrero Gonzalez
wrote:
>On 7/31/19 7:20 AM, Adam Borowski wrote:
>> A port blocker just sabotages user's requests, requiring every
>configuration
>> action to be done twice.
>>
>
>Perhaps you are mixing shipping a software by default vs having a
>def
On 7/31/19 7:20 AM, Adam Borowski wrote:
> A port blocker just sabotages user's requests, requiring every configuration
> action to be done twice.
>
Perhaps you are mixing shipping a software by default vs having a default
blocking firewall ruleset in the system. Moreover, you are assuming a defa
On Aug 01, Aron Xu wrote:
> If there is no pre-installed firewall application in a standard/full
> installation (which does not exist for us theoretically), Debian could
> be easily marked as missing feature in some enterprise IT evaluation,
[citation needed]
Even if this were true I do no thin
[dropping individuals as recipients]
Quoting Sunil Mohan Adapa (2019-07-31 17:46:44)
> On 31/07/19 7:46 am, Wookey wrote:
> [...]
> >
> > What is the modern equivalent of 'ipmasq'? I still miss this tool on
> > a regular basis and loved what it did. I have not found a
> > replacement and foreve
On Wed, Jul 31, 2019 at 11:10 PM Marco d'Itri wrote:
>
> On Jul 31, Aron Xu wrote:
>
> > utility (for instance, firewalld) for certain use cases, i.e. it could
> > be useful for a "standard" server installation with graphic desktop,
> > for which we could expect most users choosing this method wo
On 16/07/19 2:07 am, Arturo Borrero Gonzalez wrote:
[...]
> 2) introduce firewalld as the default firewalling wrapper in Debian, at least
> in
> desktop related tasksel tasks.
>
firewalld is a reasonable choice. We set up and manage firewalld
automatically in FreedomBox.
- firewalld has simple w
On 31/07/19 7:46 am, Wookey wrote:
[...]
>
> What is the modern equivalent of 'ipmasq'? I still miss this tool on a
> regular basis and loved what it did. I have not found a replacement
> and forever end up looking up runes on the net and doing it by hand
> with iptables. ('it' being setting up my
On Wed, 31 Jul 2019 at 15:46:39 +0100, Wookey wrote:
> What is the modern equivalent of 'ipmasq'? I still miss this tool on a
> regular basis and loved what it did. I have not found a replacement
> and forever end up looking up runes on the net and doing it by hand
> with iptables. ('it' being sett
On Jul 31, Aron Xu wrote:
> utility (for instance, firewalld) for certain use cases, i.e. it could
> be useful for a "standard" server installation with graphic desktop,
> for which we could expect most users choosing this method would like
> to have advanced firewalling as an enterprise feature
On Jul 31, Scott Kitterman wrote:
> Please don't install one by default. I suspect it will cause more
> trouble for end users than it's worth. Making sure our default
> install is severely limited in what ports it listens to is likely more
> broadly useful and less risky.
Agreed.
Default-den
On 2019-07-16 11:57 +0200, Raphael Hertzog wrote:
>
> What would/should Debian recommend to configure the firewall on the server
> case ?
>
> I was recommending creating firewall rules with fwbuilder up to now (see
> https://debian-handbook.info/browse/stable/sect.firewall-packet-filtering.html)
On Wed, 31 Jul 2019, Adam Borowski wrote:
A network firewall is useful. But why would someone want a _host_ firewall
for on any sane operating system? If a daemon is not supposed to listen on
Are libvirt and network-manager using firewalld to set up network sharing
and virtual networks? Or do
On Wed, Jul 31, 2019 at 12:27 PM Scott Kitterman wrote:
>
> Please don't install one by default. I suspect it will cause more trouble
> for end users than it's worth. Making sure our default install is severely
> limited in what ports it listens to is likely more broadly useful and less
> ris
On Wed, Jul 31, 2019 at 04:27:24AM +, Scott Kitterman wrote:
> On July 30, 2019 11:52:30 AM UTC, Arturo Borrero Gonzalez
> wrote:
> >On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote:
> >> 2) introduce firewalld as the default firewalling wrapper in Debian,
> >> at least in desktop related t
On July 30, 2019 11:52:30 AM UTC, Arturo Borrero Gonzalez
wrote:
>Ok, after a couple of weeks, let's try to summarize:
>
>On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote:
>>
>> This email contains 2 changes/proposals for Debian 11 bullseye:
>>
>> 1) switch priority values for iptables/nfta
On Tue, Jul 30, 2019 at 01:52:30 +0200, Arturo Borrero Gonzalez wrote:
Ok, after a couple of weeks, let's try to summarize:
1) switch priority values for iptables/nftables, i.e., make nftables
Priority: important and iptables Priority: optional
Nobody seems to disagree with this point. So I wil
Ok, after a couple of weeks, let's try to summarize:
On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote:
>
> This email contains 2 changes/proposals for Debian 11 bullseye:
>
> 1) switch priority values for iptables/nftables, i.e., make nftables Priority:
> important and iptables Priority: optiona
Hi Chris
On 18.07.19 at 04:07, Chris Lamb wrote:
> It also has a first-class Ansible module which (given a flood of
> firewall options around when I needed to pick something in haste
> around the time of the stretch release…) was actually the deciding
> factor for me:
>
> https://docs.ansible.
On Wed, 17 Jul 2019, Chris Lamb wrote:
> Jamie Strandboge wrote:
>
> > Again, I'm biased, but ufw supports IPv6. It's also been on the default
> > server
> > and desktop install of Ubuntu for 9+ years. ufw functions well for bastion
> > hosts, less so for routers (though it has some facility the
Jamie Strandboge wrote:
> Again, I'm biased, but ufw supports IPv6. It's also been on the default server
> and desktop install of Ubuntu for 9+ years. ufw functions well for bastion
> hosts, less so for routers (though it has some facility there).
It also has a first-class Ansible module which (g
On Wed, 17 Jul 2019, Jamie Strandboge wrote:
> On Tue, 16 Jul 2019, Raphael Hertzog wrote:
>
> > > 2) introduce firewalld as the default firewalling wrapper in Debian, at
> > > least in
> > > desktop related tasksel tasks.
> >
> > No objection. I think it's high time we have some default firewa
On Wed, 17 Jul 2019, Chris Lamb wrote:
> Raphael Hertzog wrote:
>
> > The other desktop firewall that I know is "ufw" but it doesn't seem to
> > have any momentum behind it.
>
> It is curious you mention a lack of momentum; in my experience, it is
> the most commonly recommended firewall on vari
On Tue, 16 Jul 2019, Ben Hutchings wrote:
> On Tue, 2019-07-16 at 11:57 +0200, Raphael Hertzog wrote:
> [...]
> > The other desktop firewall that I know is "ufw" but it doesn't seem to
> > have any momentum behind it.
>
> Also, while its syntax is obviously intended to be simple, it's quite
> irr
On Wed, 17 Jul 2019, Stephan Seitz wrote:
> On Tue, Jul 16, 2019 at 11:23:43 +0200, Guillem Jover wrote:
> > On Tue, 2019-07-16 at 11:07:15 +0200, Arturo Borrero Gonzalez wrote:
> > > as you may know, Debian 10 buster includes the iptables-nft utility by
> > > default, which is an iptables flavor t
On Tue, 16 Jul 2019, Raphael Hertzog wrote:
> > 2) introduce firewalld as the default firewalling wrapper in Debian, at
> > least in
> > desktop related tasksel tasks.
>
> No objection. I think it's high time we have some default firewall
> installed in particular with IPv6 getting more widely d
On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote:
> Hi there,
>
> as you may know, Debian 10 buster includes the iptables-nft utility by
> default,
> which is an iptables flavor that uses the nf_tables kernel subsystem.
> It is intended to help people migrate from iptables to nftables.
>
> For t
On Jul 17, Paul Wise wrote:
> To me, something like opensnitch seems like a better option for a
> desktop firewall once it becomes more mature and enters Debian.
This project is a "personal firewall", which is a quite different
thing from what is being discussed here.
--
ciao,
Marco
signatur
On Wed, Jul 17, 2019 at 7:05 PM Helmut Grohne wrote:
> If you want to make firewalld the desktop default
To me, something like opensnitch seems like a better option for a
desktop firewall once it becomes more mature and enters Debian.
https://github.com/evilsocket/opensnitch/
https://bugs.debian
Raphael Hertzog wrote:
> The other desktop firewall that I know is "ufw" but it doesn't seem to
> have any momentum behind it.
It is curious you mention a lack of momentum; in my experience, it is
the most commonly recommended firewall on various support-adjacent
sites around the internet. (Perha
On Wed, Jul 17, 2019 at 12:32:31 +0100, Thomas Pircher wrote:
# iptables-translate -A INPUT -s 1.2.3.4 -p tcp --dport 587 -j DROP
nft add rule ip filter INPUT ip saddr 1.2.3.4 tcp dport 587 counter drop
Ah, thank you very much!
Stephan
--
| Public Keys: http://fsing.rootsland.net/~sts
Stephan Seitz wrote:
> What would be the replacement for a simple single line like
> iptables -I INPUT -j DROP -s -p tcp --dport 587 ?
You can use the iptables-translate. It is not foolproof and does not
always give the best results, but it can give you a good starting point
for your optimisations
On 17.07.19 at 13:16, Michael Biebl wrote:
> On 17.07.19 at 13:04, Helmut Grohne wrote:
>> On Tue, Jul 16, 2019 at 11:07:15AM +0200, Arturo Borrero Gonzalez wrote:
>>> Also, I believe the days of using a low level tool for directly configuring
>>> the
>>> firewall may be gone, at least for deskt
On Tue, Jul 16, 2019 at 11:23:43 +0200, Guillem Jover wrote:
On Tue, 2019-07-16 at 11:07:15 +0200, Arturo Borrero Gonzalez wrote:
as you may know, Debian 10 buster includes the iptables-nft utility by
default, which is an iptables flavor that uses the nf_tables kernel
subsystem. It is intended to he
On 17.07.19 at 13:04, Helmut Grohne wrote:
> On Tue, Jul 16, 2019 at 11:07:15AM +0200, Arturo Borrero Gonzalez wrote:
>> Also, I believe the days of using a low level tool for directly configuring
>> the
>> firewall may be gone, at least for desktop use cases. It seems the industry
>> more
>> or
On Tue, Jul 16, 2019 at 11:07:15AM +0200, Arturo Borrero Gonzalez wrote:
> Also, I believe the days of using a low level tool for directly configuring
> the
> firewall may be gone, at least for desktop use cases. It seems the industry
> more
> or less agreed on using firewalld [2] as a wrapper fo
On Tue, 2019-07-16 at 11:57 +0200, Raphael Hertzog wrote:
[...]
> The other desktop firewall that I know is "ufw" but it doesn't seem to
> have any momentum behind it.
Also, while its syntax is obviously intended to be simple, it's quite
irregular and the syntax error messages aren't very helpful.
On 7/16/19 11:57 AM, Raphael Hertzog wrote:
> Hi,
>
> I'm replying to your questions but I have also other questions related to
> this fresh transition...
>
> On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote:
>> as you may know, Debian 10 buster includes the iptables-nft utility by
>> default,
Hi,
I'm replying to your questions but I have also other questions related to
this fresh transition...
On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote:
> as you may know, Debian 10 buster includes the iptables-nft utility by
> default,
> which is an iptables flavor that uses the nf_tables ker
Hi!
On Tue, 2019-07-16 at 11:07:15 +0200, Arturo Borrero Gonzalez wrote:
> as you may know, Debian 10 buster includes the iptables-nft utility by
> default, which is an iptables flavor that uses the nf_tables kernel
> subsystem. It is intended to help people migrate from iptables to nftables.
Yeah,
Hi there,
as you may know, Debian 10 buster includes the iptables-nft utility by default,
which is an iptables flavor that uses the nf_tables kernel subsystem.
It is intended to help people migrate from iptables to nftables.
For the next release cycle I propose we move this default event further.
As
46 matches