Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive



[Discuss] Trying to connect to internet in Debian



Thanks for this thoughtful reply.  (Not that the other people who replied 
weren't thoughtful, it's just that I wasn't clear enough in my initial 
message.)

To reply to your points one-by-one:

> is this newly installed linux machine on a
> publicly routable IP Address, or is it sitting behind a NAT, comfortably
> sitting on a 192.168 (or 172.16, or 10.x) address?
>
> Related question:  don't you have a network firewall at your border?

I'll check on these.  I have the standard home router that Verizon provides 
for Fios, and my Linux machines are the only devices that use that router.  
But I would have to check on specifics and get back to you.  It's also true 
that I might be reluctant to put my trust in anything Verizon gives when it 
comes to security/privacy issues. There are two risks with Verizon: that 
they wouldn't be careful enough, and that I wouldn't rule out them doing 
something I would consider malicious.

> Umm... ssh passwords are MUCH less secure than SSH Keys.  So I would
> rephrase this as "especially because I use passwords".   Having said that,
> unless your machine is publicly routable, you won't be getting any external
> SSH connections.

Thanks, this is definitely useful info.

> Start your machine behind a firewall and get it configured before you put
> it on the public Internet.

That has been my plan from the beginning. The problem is, how do I get a 
working firewall before I put the machine on the public internet?  Given 
Debian's hostility to firewall-first users like me, I've been finding it 
difficult to solve that problem.

>> 2. Any thoughts on why it doesn't work to just do "iptables -A INPUT -j
>> DROP; ip6tables -A INPUT -j DROP"?  When I try that Firefox can't visit
>> any websites.
>
> Because that will drop ALL incoming packets -- even packets that are tied
> to existing connections.  This is what the ESTABLISHED,RELATED is all
> about.

Thanks, that was my suspicion too, especially after I found that these 
iptables settings made Firefox unable to access any websites.  Unfortunately, 
when I searched online for suggestions on how to configure iptables or 
firewalld, almost all the suggested configurations I found were for "How to 
configure a firewall for a machine that will be a server" or assumed that the 
user wants things like ssh.  The idea of doing "-A INPUT -j DROP" was, 
incredibly, the only suggestion I could find anywhere online that was claimed 
to block all potentially malicious connections initiated from outside.  And, 
as you say, it doesn't work.  I wouldn't have expected my use case/threat 
model to be so unusual that no one would have suggestions for it on existing 
web pages, but since it seems to be that way, I'm asking on this list.

> For what it's worth, Fedora comes with firewalld enabled by default in the
> configuration you desire (although I do believe that it allows SSH
> connections).

I had planned to do a separate thread on problems configuring firewalld on 
Fedora, but we might as well move that topic here.  I did notice that Fedora 
comes with a version of firewalld that's up and running (no firewall-config, 
just firewall-cmd).  But as you say, its firewall settings are too loose.  So 
I can't safely connect Fedora to the internet out of the box.  

Again, it's very strange that Fedora's developers aren't providing a built-in 
option for my use case -- I think my use case is probably the same one that 
most users want if they only intend to do basic laptop stuff without 
relatively fancy things like ssh or webserver hosting, and are drawn to Linux 
for privacy/security reasons.

Fedora 42's initial firewall actually enables a lot of stuff, not just ssh.  
To be more specific, here is what I got, using an iso of Fedora 42, when I 
ran "firewall-cmd --list-all":

target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich-rules:

The man page for firewall-cmd is impenetrable -- lots of undefined terms like 
"policies", "services", "helpers", etc.  I don't even know whether policies, 
services, helpers, etc. are things inside firewalld or things located 
elsewhere on the internet that firewalld can guard you against.  I haven't 
been able to work out how to configure firewalld safely.

If there is a safe way to configure Fedora 42's firewall so I can connect to 
the internet, I'd be glad to hear.

> You can (and should) also look into fail2ban for dynamic management.

Thanks for this suggestion and for your other help.

On Fri, Jan 16, 2026, at 11:10 AM, Derek Atkins wrote:
> Hi Randall,
>
> I've been working in the cyber-security industry for over 30 years, and I
> have a question for you:   is this newly installed linux machine on a
> publicly routable IP Address, or is it sitting behind a NAT, comfortably
> sitting on a 192.168 (or 172.16, or 10.x) address?
>
> Related question:  don't you have a network firewall at your border?
>
> more inline...
>
> On Fri, January 16, 2026 10:55 am, Randall Rose wrote:
>> Sorry, I left out some context.  The context is that I simply do not want
>> to connect a machine to the internet without a firewall -- ever.
>> Regardless of how secure Linux may be in the abstract, I believe zero-days
>> exist for Linux, and I prefer the extra security that a firewall provides.
>>  For example, I do not want to allow a random outside node to do ssh into
>> my machine even though I use passwords.
>
> Umm... ssh passwords are MUCH less secure than SSH Keys.  So I would
> rephrase this as "especially because I use passwords".   Having said that,
> unless your machine is publicly routable, you won't be getting any external
> SSH connections.
>
> [snip]
>
>> Here are my questions, rephrased for clarity:
>>
>> 1. Given that I want a firewall as strong as what "ufw enable" provides
>> and Debian doesn't provide ufw on its iso, what is the best way to achieve
>> it?
>
> Start your machine behind a firewall and get it configured before you put
> it on the public Internet.
>
>> 2. Any thoughts on why it doesn't work to just do "iptables -A INPUT -j
>> DROP; ip6tables -A INPUT -j DROP"?  When I try that Firefox can't visit
>> any websites.
>
> Because that will drop ALL incoming packets -- even packets that are tied
> to existing connections.  This is what the ESTABLISHED,RELATED is all
> about.
>
> For what it's worth, Fedora comes with firewalld enabled by default in the
> configuration you desire (although I do believe that it allows SSH
> connections).
>
> You can (and should) also look into fail2ban for dynamic management.
>
> -derek
> -- 
>        Derek Atkins                 617-623-3745
>        derek at ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant
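
The "client-only" firewall the thread is circling around, written out as an
added example (editor's code, not from either poster). It shows concretely why
"iptables -A INPUT -j DROP" broke Firefox and what the ESTABLISHED,RELATED rule
Derek mentions looks like, in the three forms relevant here: iptables/ip6tables,
an nftables ruleset (Debian's default backend, loaded from /etc/nftables.conf),
and firewall-cmd for the Fedora 42 output Randall pasted. Assumptions: the
machine runs no inbound services at all; the Fedora zone name is not on the
page, so it is passed in as an argument (firewall-cmd --get-active-zones shows
it); DRY_RUN=1, the default, prints the commands instead of running them, and
DRY_RUN=0 as root applies them.

```shell
#!/bin/sh
# Added example, not code from the thread: host firewall for a client-only
# machine (browse, update, nothing listening). DRY_RUN=1 (default) prints the
# commands; DRY_RUN=0 as root executes them.

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# "-A INPUT -j DROP" alone also drops the reply packets of connections the
# browser itself opened. The conntrack rule below is the fix; the remaining
# rules are what a client still needs to get an address and a default route.
client_only_rules() {
  tool="$1"                       # iptables or ip6tables
  run "$tool" -P INPUT DROP
  run "$tool" -P FORWARD DROP
  run "$tool" -P OUTPUT ACCEPT
  run "$tool" -F INPUT
  run "$tool" -A INPUT -i lo -j ACCEPT
  run "$tool" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run "$tool" -A INPUT -m conntrack --ctstate INVALID -j DROP
  if [ "$tool" = iptables ]; then
    # DHCP offers/acks arrive from server port 67 to our port 68 and are not
    # reliably paired by conntrack (broadcast replies).
    run "$tool" -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
  else
    # ICMPv6 is not optional on IPv6: neighbour discovery and router
    # advertisements run over it. Narrow to the nd-*/router-* types if you
    # do not want to answer echo requests.
    run "$tool" -A INPUT -p ipv6-icmp -j ACCEPT
    # DHCPv6 replies are unicast from the router's link-local address to
    # UDP 546; conntrack does not pair them with our multicast solicit.
    run "$tool" -A INPUT -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT
  fi
}

# The same policy as an nftables ruleset for /etc/nftables.conf on Debian
# (activate with: systemctl enable --now nftables). One table covers v4 and v6.
nft_ruleset() {
  cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    udp sport 67 udp dport 68 accept
    meta l4proto ipv6-icmp accept
    ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# Fedora: strip the services and ports shown in "firewall-cmd --list-all"
# from the interface's zone ($1) and make the zone's target DROP.
# dhcpv6-client is deliberately kept: it is the IPv6 address-assignment
# exception from above, expressed as a firewalld service.
firewalld_client_only() {
  zone="$1"
  for svc in ssh samba-client; do
    run firewall-cmd --permanent --zone="$zone" --remove-service="$svc"
  done
  for port in 1025-65535/tcp 1025-65535/udp; do
    run firewall-cmd --permanent --zone="$zone" --remove-port="$port"
  done
  run firewall-cmd --permanent --zone="$zone" --set-target=DROP
  run firewall-cmd --reload
}

case "${1:-}" in
  iptables)  client_only_rules iptables; client_only_rules ip6tables ;;
  nft)       nft_ruleset ;;
  firewalld) firewalld_client_only "${2:?zone name (see firewall-cmd --get-active-zones)}" ;;
esac
```

Usage: `sh client-fw.sh iptables` prints the rule set, `DRY_RUN=0 sh client-fw.sh iptables` applies it (persist it with Debian's iptables-persistent package, or prefer `sh client-fw.sh nft > /etc/nftables.conf`, which is the native route on current Debian). On Fedora the shorter alternative is firewalld's built-in "drop" zone, which accepts nothing inbound while replies still flow: `nmcli connection modify <connection> connection.zone drop` binds the interface to it. Two caveats a practitioner would add: with no inbound services there is nothing for fail2ban to watch, and the policy set above is a host firewall only, so it does nothing about whatever the Verizon router forwards or exposes on its own WAN side.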






Boston Linux & Unix / webmaster@blu.org