Author: Daniel Reurich
Date:
To: dng@lists.dyne.org
Subject: Re: [DNG] Recommended location for iptables rules
On 06/12/16 05:50, Lars Noodén wrote:
> Where should we be commending the storage of iptables rules in Devuan
> Jessie?
There should not be a default location. It should be left to each
firewall application to define. This is particularly important as
iptables has a competitor in nftables and is likely to be deprecated at
some point, so we can't guarantee into the future that iptables will
always exist.
There is a processing cost to iptables and, to be honest, whilst iptables
is fantastic at a border gateway for filtering out malicious traffic, it
may not be either necessary or desirable on hosts inside the network.
I'm probably getting a little off topic here, but IMHO, MS Windows needs
a firewall because it has so many leaky hidden services running on the
host that should never be exposed to even local networks that make it
extremely vulnerable, so it essentially needs to be enclosed in a
Faraday cage with a few pinholes for the necessary inbound services.
Generally a well set up Linux system has no network connectable services
running that aren't intended to be, in which case it's relatively
resistant to hacking attempts. This means a firewall in a well secured
network is generally not necessary or desirable. The only instance I'd
consider a workstation firewall is a laptop connecting to untrusted
networks regularly.
Of course some Linux distributions push firewalling with the same fervor
as Microsoft and their "security suite" leeches. This is because the
added complexity creates more need for hand holding and thus the
opportunity to derive revenue and also to hide the fact that their
sloppy installers install and run poorly configured services by default
on systems that don't need them.
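
The premise above, that a host exposes no network services beyond the intended ones, can be checked directly. The following is an added example, not part of the original message: it parses the kernel's `/proc/net/tcp` table and reports TCP listeners bound to non-loopback addresses whose port is not on an intended list. It assumes a little-endian host and IPv4 only (`/proc/net/tcp6` is not read); the sample table and the intended port set `{22}` are constructed for illustration.

```python
import ipaddress
import socket
import struct

LISTEN = "0A"  # TCP_LISTEN state code used in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1
   3: 0A00000A:0016 0200000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 44444 1
"""

def decode_addr(field):
    """Decode 'HEXIP:HEXPORT' as written by a little-endian kernel."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def exposed_listeners(table_text):
    """Return sorted (ip, port) pairs in LISTEN state not bound to loopback."""
    found = set()
    for line in table_text.splitlines()[1:]:  # skip the column header
        cols = line.split()
        if len(cols) < 4 or cols[3] != LISTEN:
            continue  # established and other non-listening sockets
        ip, port = decode_addr(cols[1])
        if not ipaddress.ip_address(ip).is_loopback:
            found.add((ip, port))
    return sorted(found)

def unintended(table_text, intended_ports):
    """Listeners reachable from the network whose port was not intended."""
    return [(ip, p) for ip, p in exposed_listeners(table_text)
            if p not in intended_ports]

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE  # fall back to the constructed table off Linux
    for ip, port in unintended(text, intended_ports={22}):
        print(f"unintended listener: {ip}:{port}")
```

On the constructed table, the loopback-only listener on port 631 and the established connection are ignored, port 22 is accepted as intended, and the wildcard listener on port 111 is reported.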