Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive



[Discuss] Trying to connect to internet in Debian



Hi Rich,

Thanks, you make several good points.  

Most of my criticism of Debian still stands. The installer that is run from 
the Debian iso does allow installing some features that will listen to 
network traffic (though you can uncheck those options).  Debian is a widely 
used distro, and as Kent kind of mentions its audience is not limited to the 
most highly skilled people (I think Arch and Gentoo skew more towards a 
highly skilled audience than Debian does).  From my perspective, if a distro 
is used by naive users and it sometimes installs things out-of-the-box that 
may have security vulnerabilities which a firewall could help with, then its 
installer should offer a checkbox for installing a firewall with reasonable 
settings that's already up and running on first boot. And even if Debian 
fails to offer that as a checkbox during install, it should in any case 
install firewall software to the hard disk so it's available on first boot.

Your point about having a firewall on the router (which Derek also mentioned) 
is correct: I'm sitting behind my router firewall which has a NAT.  But I 
still need a firewall in case there is an attacker on the same Wifi network.  
It doesn't even have to be my home network -- if I take my laptop elsewhere 
and use a Wifi network where people I don't know have the Wifi password, it 
helps to have a firewall of my own on my laptop.  You can't simply rely on 
the router's firewall.  As I mentioned to Derek, I don't want to just trust 
the router or the company that provides it.

I want to make sure my point about ufw and iptables is clear.  I definitely 
did not say I was mixing ufw and iptables in the sense of running iptables 
commands on the same machine that runs ufw.  I hope you're not responding as 
if I was saying that.  What I said was that I am looking to find out how to 
configure iptables -- I want to know which iptables commands will give me a 
firewall as strong as "ufw enable".  Specifically, I mentioned that I tried 
enabling ufw on a machine running a no-longer-supported version of Ubuntu 
(this is a machine that can't safely connect to the internet), and after 
enabling ufw on that machine I did iptables-save and ip6tables-save to find 
the corresponding commands for iptables.  Then I took those commands given by 
iptables-save and ip6tables-save and ran them on a different machine with 
Debian installed, which doesn't have ufw.  So, as you see, I was not actually 
mixing ufw and iptables on the same machine.  I was using two different 
machines so as to extract the set of iptables commands that would hopefully 
give a result equivalent to ufw.

My question is why, after taking that ufw-derived set of iptables 
commands and running them on a Debian machine that doesn't have ufw, I still 
find that Firefox on that Debian machine can't access any websites.  And 
since this ufw-derived approach (which does NOT involve mixing ufw and 
iptables) doesn't work, is there any other way of configuring iptables that 
will maximize blocking of connections initiated from outside while still 
allowing basic consumer-laptop things like web browsing?

On Fri, Jan 16, 2026, at 3:36 PM, Rich Pieri wrote:
> On Fri, 16 Jan 2026 15:55:43 +0000
> "Randall Rose" <rrose at pobox.com> wrote:
>
>> Sorry, I left out some context.  The context is that I simply do not
>> want to connect a machine to the internet without a firewall -- ever.
>>  Regardless of how secure Linux may be in the abstract, I believe
>> zero-days exist for Linux, and I prefer the extra security that a
>> firewall provides.  For example, I do not want to allow a random
>> outside node to do ssh into my machine even though I use passwords.
>
> While privilege escalation vulnerabilities exist, someone outside the
> machine cannot exploit them if you don't have anything listening to
> network traffic. To wit, it is impossible to exploit a vulnerability in
> Apache if Apache isn't running. Debian does not install a firewall by
> default in part for this reason: a basic installation does not leave
> the machine vulnerable to remote compromise.
>
> ufw comes from Ubuntu which is a *very* different beast. Ubuntu
> includes many potential remote exploits by default, so including a
> sanely configured, simple to manage firewall makes sense in the
> environments Ubuntu is intended to be used, which is non-technical
> users who don't know tech and don't care tech. You can include RHEL and
> Fedora, SLES and openSUSE in this as well: they all include many
> services in default installations, along with firewalls, where
> minimalist, do it yourself distros like Debian and Arch and Gentoo do
> not.
>
>
>> Or is the idea that after doing the default install of Debian, you
>> use a web browser to find how to configure iptables to make a strong
>> firewall?  But this also seems nutty to me, even apart from the
>> problem in using a web browser with no firewall.  There are online
>
> Running a browser does not make the machine vulnerable to remote
> attack. Web browsers do not listen for incoming connections so a deny
> all incoming firewall rule is a no-op. Browser exploits happen from the
> inside because the user downloads the exploit. Packet filter firewalls
> cannot prevent this.
>
>
>> The problem is "If you're using ufw" is a big if.  Ubuntu is the only
>
> Your original post specified that you were starting ufw and copying out
> iptables rules. Don't do this. You will give yourself a broken network
> stack if you do.
>
>> distro I know that provides ufw on its iso (unfortunately the install
>> process doesn't include an option to have ufw enabled and running on
>> first startup).  On Debian, since no ufw package even exists on the
>> iso, if you want a firewall as strong as ufw to be running before you
>
> The Debian installation ISOs do not include it because it's
> unnecessary. See previous about remote and browser exploits.
>
>
> 0. Ideally you are operating behind a firewall of some sort such as a
> home router, but this isn't a requirement. I used to manage pools of
> hundreds of Linux machines at MIT, all exposed directly to the public
> Internet, and the only compromise I had to clean up was one machine with
> a bad root password.
>
>> 1. Given that I want a firewall as strong as what "ufw enable"
>> provides and Debian doesn't provide ufw on its iso, what is the best
>> way to achieve it?
>
> You do what we've already told you: install the OS and verify network
> configuration is working correctly. Then install your firewall manager
> of choice, and then configure and test your rules one at a time as you
> enable services.
>
>> 2. Any thoughts on why it doesn't work to just do "iptables -A INPUT
>> -j DROP; ip6tables -A INPUT -j DROP"?  When I try that Firefox can't
>> visit any websites.
>
> I'm not specifically an iptables expert (I rely on other tools to do
> the grunt work for me) but that looks to me like you're dropping all
> traffic because you don't have any ACCEPT rules.
>
>> 3. Any thoughts on why it doesn't work to do the Ubuntu detour I
>> tried (go to Ubuntu 25.04 machine that can't safely connect to
>> internet since it's no longer supported, 
>
> Mixing iptables and ufw will break your network configuration. Also,
> the assumption that it's "not safe" may be wrong, such as if the
> machine is already behind a firewall (see 0).
>
> -- 
> \m/ (--) \m/
> _______________________________________________
> Discuss mailing list
> Discuss at lists.blu.org
> https://lists.blu.org/mailman/listinfo/discuss
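The thread's question (why a bare "iptables -A INPUT -j DROP" breaks web browsing) comes down to connection tracking: the browser's outbound connections are fine, but the replies arrive on INPUT and are dropped too. The model below is an added example, not code from this thread or from ufw; the STATEFUL ruleset is a constructed minimal stateful policy (default deny incoming, allow established replies and loopback) in iptables-save syntax, and the tiny evaluator only understands the rule options that appear in it.

```python
"""Model how the INPUT chain treats packets under two iptables rulesets."""
from dataclasses import dataclass

# Constructed rulesets in iptables-save format. STATEFUL is the core of a
# "deny incoming, allow outgoing" policy; BARE_DROP is the rule from the thread.
STATEFUL = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
"""
BARE_DROP = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j DROP
COMMIT
"""

@dataclass
class Packet:
    iface: str    # interface the packet arrives on
    ctstate: str  # conntrack classification: NEW, ESTABLISHED, RELATED or INVALID
    dport: int    # destination port (informational only in this model)

def parse_input_chain(ruleset):
    """Return (policy, rules) for INPUT; each rule is (iface, states, target)."""
    policy, rules = "ACCEPT", []
    for line in ruleset.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == ":INPUT":
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            iface = tok[tok.index("-i") + 1] if "-i" in tok else None
            states = set(tok[tok.index("--ctstate") + 1].split(",")) if "--ctstate" in tok else None
            rules.append((iface, states, tok[tok.index("-j") + 1]))
    return policy, rules

def input_verdict(ruleset, pkt):
    """First matching rule wins; otherwise the chain policy applies."""
    policy, rules = parse_input_chain(ruleset)
    for iface, states, target in rules:
        if iface is not None and iface != pkt.iface:
            continue
        if states is not None and pkt.ctstate not in states:
            continue
        return target
    return policy
```

A reply to the browser's own outbound HTTPS connection is classified ESTABLISHED by conntrack and is accepted only under STATEFUL, while an unsolicited inbound SSH SYN (NEW) is dropped under both.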





