On Mon, 20 Jul 2020 19:46:16 +0200
Ludovic Bellière <belliere.ludovic@???> wrote:
> Running processes aren't stopped (restarted) until the new binaries
> are available, so your machine was still behind a firewall if rules
> were applied before the upgrade. iptables, ip6tables, and other
> alternatives serve as an interface to the Netfilter packet filtering
> framework found in the kernel; the absence of such commands does not
> make the kernel unsafe.
Thank you for the clarification; it has been both instructive and
helpful. However, the replacement of the existing (protective)
ruleset with a default (permissive) ruleset is immediate: the
dist-upgrade process is effectively issuing the command
# iptables -P INPUT ACCEPT && iptables -F INPUT. Thus, it is not an
absence of such commands, it is an active issuing of permissive
commands to replace the existing protective ruleset in the
kernel. The firewall is effectively being disabled with immediate
effect and will remain so until a protective ruleset is applied and
enforced. That is still essentially my concern.
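As an added illustration of the state being discussed (not part of either message), the following script checks an iptables-save dump for the exact condition the reply describes: the filter table's INPUT chain carrying policy ACCEPT with no rules left in it. The dumps below are constructed samples, so the check runs without root; on a real system one would feed it the output of iptables-save instead.

```shell
# Constructed iptables-save output resembling the post-upgrade state the
# message describes: default ACCEPT policy and an empty INPUT chain.
PERMISSIVE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed dump of a protective ruleset for comparison.
PROTECTIVE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# input_is_permissive DUMP
# Prints "permissive" and returns 0 when the filter table's INPUT chain has
# policy ACCEPT and zero rules (equivalent to -P INPUT ACCEPT && -F INPUT);
# prints "protective" and returns 1 otherwise.
input_is_permissive() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }                      # table header, e.g. *filter
        table == "filter" && $1 == ":INPUT" { policy = $2 }  # chain policy line
        table == "filter" && $1 == "-A" && $2 == "INPUT" { rules++ }
        END {
            if (policy == "ACCEPT" && rules == 0) { print "permissive"; exit 0 }
            print "protective"; exit 1
        }'
}

# Stand-alone usage: report on both constructed dumps.
input_is_permissive "$PERMISSIVE_DUMP"
input_is_permissive "$PROTECTIVE_DUMP" || true
```

Running it against `iptables-save` output right after a dist-upgrade would show whether the kernel is in the permissive state the reply warns about, before a protective ruleset is re-applied.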