Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Trying to connect to internet in Debian



Good points.  However, I don't think I said that Debian should DEFAULT to 
installing a firewall that is actively up and running.  I said two different 
things:

1. Debian should have a checkbox during the iso's install process which, if 
checked, installs a firewall whose settings default to something reasonable 
so that this firewall is up and running on first boot.  That checkbox could 
start out unchecked, but the point is to make it visible to users as they set 
up the system, and to give them a very simple process for getting an 
up-and-running firewall onto their system from the beginning if they so 
desire.  Remember, Debian has a lot of users who don't know that much.  Many 
users prefer to have the firewall up and running on first boot, and really 
don't want this to be more difficult than necessary.  It helps them stay in 
control without requiring them to learn a lot of firewall configuration stuff 
they'll basically never need.  If the install option is done right, users who 
want an uncomplicated firewall may be able to use Linux without immediately 
learning the name of the firewall application and without immediately 
learning what commands you have to give to that application.  Also, there 
really are lots of users who definitely prefer having a firewall on all the 
time but don't have it as top of mind, and they would really appreciate 
having the checkbox during the install process so that they don't find 
themselves in a situation of "Yikes!  I've been using a system that has no 
firewall when I really would have wanted one."  Not offering this contributes 
to the feeling that Linux is hard to use and full of pitfalls for the unwary, 
which helps the closed-source monopolies exploit people.

2. In addition, and in any case, Debian's iso should install a system on the 
hard disk which contains an executable for a firewall even if that firewall 
is not up and running.  Since Debian does not do this at present, 
firewall-first users like me face a difficult situation after installing a 
Debian iso: "What's the name of the firewall application on Debian?  Where 
can I find it on my hard disk?  What do you mean there isn't any such 
application on my hard disk?"  It takes a while to slowly work out that 
iptables, which the iso fails to copy to the hard disk, actually is buried 
somewhere on the iso as an uninstalled .deb.  For many users it would be 
better if Debian actually put the executable on the hard disk instead of 
making us manually retrieve it from the iso.

Point 1 (about a checkbox during the install process) actually applies to 
other distros and not just Debian. Point 2 (about the need, at a minimum, to 
put an executable on the hard disk during installation) is a mistake that 
Debian makes -- most other popular distros at least get this part right.

Note that the installer on Debian's iso obtains substantial information about 
the user's preferences -- for instance, it asks whether the user wants 
webserver software installed and I think it also asks whether the user wants 
ssh.  That information could be used by the installer to choose a sensible 
default configuration for the firewall, *IF* the user checks the checkbox 
asking for a firewall to be up and running out of the box.

I understand how some believe that firewalls are always or often 
counterproductive.  I just don't share that view.  Although firewalls aren't 
perfect protection, nothing is perfect protection in this day and age.  I 
would rather have the additional protection provided by a firewall even 
though I know it's not perfect, and I prefer if that protection is set to a 
strong level that doesn't interfere with everyday tasks.  That is how 
security usually goes, in my view.  The fact that people naturally disagree 
with one another on this doesn't make it irrational to hold my view, which 
many people share.

Also, it turns out not to be helpful for me if I'm told "Ensure your system 
has nothing listening to the network, then you won't need a firewall."  Like 
most Linux users I simply don't know whether my machine has something 
listening to the network.  If I used "ps" to list the processes that are 
currently running on my system, I wouldn't know which of them are listening 
to the network.  Nor would I know how to find out.  One of the values of 
having a firewall is that you don't need to know which of the thousands of 
packages installed on your machine could potentially be listening to the 
network, just like you don't need to know which of these thousands of 
packages have remote security holes.  With a firewall you can just block them 
all, with the option of changing the configuration later if you need to.  
That is far more practical for most users.  

Of course, if you can recommend a way of finding out which of the thousands 
of packages that currently are or might later be on my machine could be 
listening to the network, I would appreciate hearing.  That would be useful 
information.  I just don't know it.

On Fri, Jan 16, 2026, at 11:16 PM, Kent Borg wrote:
> You have a clear preference for a firewall:
>
>> The context is that I simply do not want to connect a machine to the 
>> internet without a firewall -- ever.  Regardless of how secure Linux may 
>> be in the abstract, I believe zero-days exist for Linux, and I prefer the 
>> extra security that a firewall provides.
> And that is up to you. (I have plenty of opinions and priorities that 
> others don't need to share.) And I do hate it when I ask a technical 
> question and the answers I get back are "Why do you want to do that?" 
> and "Don't." I am sorry to have been in that camp.
>
> Go ahead and put on a firewall, I'm not qualified to help, so I should 
> maybe stay quiet.
>
>
> On 1/16/26 2:07 PM, Randall Rose wrote:
>> Most of my criticism of Debian still stands. From my perspective, if a 
>> distro is used by naive users and it sometimes installs things 
>> out-of-the-box that may have security vulnerabilities which a firewall 
>> could help with, then its installer should offer a checkbox for installing 
>> a firewall with reasonable settings that's already up and running on first 
>> boot.
>
> But that extremely short-duration quiet ends because I think you are 
> making an unfair complaint against Debian.
>
> It is very reasonable to make a technical argument that a firewall 
> simply isn't needed in a basic install of Debian, yet it is significant 
> complexity to get wrong, and once a firewall is in place it can be a 
> further source of confusion, and that confusion creates security vulnerabilities.
>
> Certainly one can customize an installation in such a way that a 
> firewall makes very good sense, and install a firewall. Both of 
> those are up to you.
>
> But a complex extra layer, that is hard to configure, being installed by 
> default when not needed, seems a mistake.
>
>
> A practical path is still:
>
> 1. Do a basic install, with no services listening to the network, and so 
> nothing for a firewall to protect.
>
> 2. Get the computer configured and actually working, on your network, 
> able to get updates and install new stuff from the internet. Still 
> nothing for a firewall to protect.
>
> 3. Install a firewall and get it working, even though there is still 
> nothing to protect.
>
> 4. Finally do further customizations, including installing anything 
> (iffy or not) that listens to the network, and might need protection; 
> revisiting the details of #3 as necessary.
>
>
> Now if you have problems in #3 and #4 those problems are pretty isolated 
> to #3 and #4, you started with a working machine and presumably revert 
> to your previous configuration.
>
>
> -kb, the Kent who thinks decades of firewalls have hurt security by 
> giving users a false sense of security and giving legions of programmers 
> a gigantic excuse for doing crappy work.






Boston Linux & Unix / webmaster@blu.org