On Mon, Sep 24, 2018 at 03:27:51PM -0400, Henning Follmann wrote:
> And there are also reasons not to install one by default. And this is what the OP was about. The default is to not install listening services and thus no need for a firewall.
You must have misread or misunderstood my message, because the point I was making was that the point of a firewall was not just to protect you from the things you *know* are listening, but the scenarios I outline where you have things happening you *don't* know about.
> Any default firewall would then force maintainers of packages to test for the default firewall and if present inject a default rule to make the service available. Otherwise you will have endless rants about "why is my ssh not working.." etc.
Yes, we'd need an inter-package scheme for opening service ports when packages were installed (or services enabled, a subtle distinction). I outline a high-level approach to that in my last email to this thread (a reply to Joe).

--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.

