Debian now recommends using nftables instead of the legacy iptables.
nftables is best played with through firewalld, as gufw/ufw are only for iptables.
Note: gufw can be used with nftables through the iptables-nft backward-compatibility layer, but it is recommended against and is not a good way forward for the future.
Suggestion (1):
Have nftables and firewalld installed and enabled by default (this causes nothing and adds no extra security by itself, but they are good packages to have by default).
Suggestion (2):
Drop all incoming connections by default (good security practice).
Since Kicksecure is for VM or bare-metal usage, closing all ports isn't bad practice. It will only affect users who are distro-morphing a Debian installed on a server via a remote tool like SSH.
Solutions to this issue:
- Kicksecure is not meant for distro-morphing Debian on a server via a remote tool; that's not the goal of the project, hence this is not an issue to solve to begin with. (One can use Proxmox or VNC to a hypervisor or similar ideas to have Kicksecure on outside servers.)
- Open only port 22, which is the default port of SSH, and generally nobody changes it. (It's debatable whether it's really useful to change it, let alone whether it is changed by many users.)
Kicksecure doesn't open any ports by default. So by default there is nothing to be firewalled. But there may be cases where custom-installed software opens server ports which shouldn't be reachable from the outside by default. So a default-installed firewall might make sense.
Actually server support is one of my main development goals.
Yes, and I wouldn't want an unannounced breaking change locking users out from their server's SSH. As per:
Not sure yet. It looks rather complex and might be prone to bugs.
https://bugzilla.redhat.com/show_bug.cgi?id=1836571
https://bugzilla.redhat.com/show_bug.cgi?id=1739415
I am not sure we'd need a complex firewall management tool by default to implement something relatively simple.
Maybe netfilter-persistent would be a simpler alternative.
https://packages.debian.org/bullseye/netfilter-persistent
Maybe firewalld is simpler to use than I anticipate.
(For CentOS, but the commands will be similar on Debian.)
Probably once the Kicksecure ISO installer is available, implementing a firewall enabled by default for desktop users will be easier. That way, servers already using Kicksecure now wouldn't lose their SSH connection.
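The "drop all incoming, keep SSH reachable" policy from suggestion (2) above, written so that an existing SSH session survives the ruleset being loaded (the lock-out concern raised in this reply). This is an added example, not a ruleset from the thread or from Kicksecure; it assumes Debian's nftables package (which loads /etc/nftables.conf via nftables.service) and SSH on its default TCP port 22.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): minimal /etc/nftables.conf implementing
# "drop all incoming by default, SSH stays reachable". Assumes SSH on TCP 22.

flush ruleset

table inet filter {
    chain input {
        # Default policy: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always allowed (local services talk to each other here).
        iif "lo" accept

        # Keep already-established flows alive, so the SSH session used to load
        # this ruleset is not cut; drop packets with an invalid conntrack state.
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # The one inbound service kept reachable: SSH on its default port.
        # New connections are rate-limited to slow down password guessing.
        tcp dport 22 ct state new limit rate 10/minute accept

        # Log (rate-limited) what falls through to the drop policy, so a
        # misconfiguration shows up in the journal instead of failing silently.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # This host is not a router; forward nothing.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outgoing connections are unrestricted.
        type filter hook output priority 0; policy accept;
    }
}
```

Check the syntax without touching the kernel first with `nft -c -f /etc/nftables.conf`, then load it with `nft -f /etc/nftables.conf` and `systemctl enable nftables` to make it persistent across reboots.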
Good gufw/ufw alternative: Firewall-Config, a GUI configuration tool for firewalld (nftables backend).
Wow, I was not aware of a GUI for nftables.
Thanks for the mention, looks like something to explore.