Consider Firewall by Default

Debian now recommends using nftables instead of the legacy iptables.

nftables is best handled through firewalld, as gufw/ufw are only for iptables.

Note: gufw can be used with nftables through the iptables-nft backward-compatibility layer, but it’s recommended against and it’s not a good way forward for the future.

Suggestion (1):

Have nftables and firewalld installed and enabled by default (this causes nothing, no extra security by doing that, but they are good packages to have by default).

Suggestion (2):

Drop all incoming connections by default (good security practice).

Since Kicksecure is for VM or bare-metal usage, closing all ports isn’t bad practice. It will only affect users who are distro-morphing a Debian installed on a server via a remote tool like SSH.

Solutions to this issue:

  • Kicksecure is not meant for distro-morphing Debian on a server via a remote tool ← that’s not the goal of the project, hence this is not an issue to solve to begin with. (One can use Proxmox or VNC to the hypervisor or similar ideas to have Kicksecure on outside servers.)

  • Open only port 22, which is the default port of SSH, and generally nobody changes it. (It’s debatable whether it’s really useful to change it or not, let alone whether it’s changed by many users.)
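For Suggestion (2), the default-drop policy with only SSH left open, this is what a minimal nftables ruleset looks like in the `/etc/nftables.conf` style that Debian’s `nftables` package reads. It is an added illustration, not Kicksecure’s configuration or anything from the thread; the interface names, the choice of port 22 and the accept rules for loopback, conntrack state and ICMP are assumptions a practitioner would typically make so that a default-drop policy does not break IPv6 or the SSH session it is applied from.

```nft
#!/usr/sbin/nft -f
# Added example (not Kicksecure's own config): default-drop input policy
# with SSH kept reachable. Port 22 is assumed; adjust if sshd listens elsewhere.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback traffic is always allowed.
        iif "lo" accept

        # Replies to connections this host initiated, and the SSH session
        # this ruleset is loaded from, stay alive via conntrack.
        ct state established,related accept

        # Packets conntrack cannot classify are dropped explicitly.
        ct state invalid drop

        # ICMP/ICMPv6 carry path MTU discovery and IPv6 neighbour discovery;
        # dropping them silently breaks IPv6 connectivity.
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # Suggestion (2) from the thread: only new SSH connections are accepted.
        tcp dport 22 ct state new accept

        # Everything else falls through to the chain's drop policy.
    }

    chain forward {
        # This host is not a router; forwarded traffic is dropped.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        # Outgoing connections are not restricted here.
        type filter hook output priority filter; policy accept;
    }
}
```

Check the syntax without loading anything with `nft -c -f /etc/nftables.conf`, then activate it with `systemctl enable --now nftables`. The `established,related` rule is what keeps an existing SSH session open while the ruleset is applied remotely; a ruleset without it would cut the connection the moment the drop policy takes effect, which is exactly the lock-out concern raised below about servers.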

Kicksecure doesn’t open any ports by default. So by default there is nothing to be firewalled. But there may be cases where custom installed software opens server ports which shouldn’t be reachable from the outside by default. So a default installed firewall might make sense.

Actually server support is one of my main development goals.

Yes, and I wouldn’t want an unannounced breaking change locking users out from their server’s SSH. As per:

Not sure yet. It looks rather complex and might be prone to bugs.

https://bugzilla.redhat.com/show_bug.cgi?id=1836571

https://bugzilla.redhat.com/show_bug.cgi?id=1739415

I am not sure we’d need a complex firewall management tool by default to implement something relatively simple.

Maybe netfilter-persistent would be a simpler alternative.

https://packages.debian.org/bullseye/netfilter-persistent

Maybe firewalld is simpler to use than I anticipate.

(For CentOS but commands will be similar on Debian.)

Probably once the Kicksecure ISO installer is available, implementing a firewall enabled by default for desktop users will be easier. That way, servers already using Kicksecure now wouldn’t lose their SSH connection.