[Discuss] Trying to connect to internet in Debian

[ron at bclug.ca (Ron)]

Randall Rose wrote on 2026-01-16 14:07:

> From my perspective, if a distro is used by naive users and it
> sometimes installs things out-of-the-box that may have security
> vulnerabilities which a firewall could help with

I see a flaw in this logic: if an install includes, say, Apache, and 
there's a potential security vulnerability in Apache, a firewall won't help.

If the firewall blocks traffic to Apache, it's breaking functionality.

If Apache has a vulnerability, what can a firewall do to block the 
vulnerability?


> then its installer
> should offer a checkbox for installing a firewall with reasonable
> settings that's already up and running on first boot.
Probably because an active firewall by default would block things the 
admin requires.

A *lot* of installs of Debian would be on servers, where the admin 
*needs* ssh access. Which a firewall rule might well block.


A default firewall could (would) generate a lot of support questions / 
user problems. A sophisticated user can implement a firewall at their 
convenience. A naive user won't install one and won't need one since 
they're unlikely to be running listening services.


If you trust the Debian maintainers enough to install their OS, you 
should trust their decision on this.



I run a bunch of Ubuntu servers on VPSs that are wide open to the 
internet. Not a firewall on any of them. Not a problem yet.

(Well, I do block a lot of IPs with iptables due to excessive attempts 
on email servers, but that's not really a firewall.)