Problem description
Debian includes many, many packages that provide firewalling tools, enough that a novice user finds it difficult to choose between them, which often means choosing none at all. Even though iptables is installed as part of the base system, that package ships no firewall rules (i.e., a default policy of "permit") and no startup scripts to manage a firewall. Moreover, although the various firewall packages all hook into iptables, there is minimal support for sharing configurations between the tools or migrating from one to another, because they lack any common configuration format (many of them treat the actual iptables rules as an exported view only); and apart from a few particular common services, users are left on their own to peruse HOWTOs to figure out how to let package-specific traffic through their firewall.
Proposed solution
So obviously, the right way to fix this is to introduce a completely new system.
Features
- Top-level chains that will not be touched by individual packages, which provide hooks for distinguishing between trusted and untrusted interfaces/IPs
- One or more managed "application" chains which incorporate per-package rules governing access from untrusted hosts
- Per-package conffiles which specify the necessary iptables rules for a package's services
- Tools similar to a2enmod/a2dismod which can be used to allow/disallow access to a specified service
- Packages which provide services have rules that are disabled by default
- Packages which act as clients and require additional firewall configuration *may* have rules that are enabled by default
- Pretty front-end (debconf?) for enabling and disabling services
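As an added example (not code from this proposal or from any Debian package), the following POSIX sh sketch shows the layout the feature list describes: fixed top-level chains, one managed application chain, per-package conffiles, and a2enmod/a2dismod-style enable and disable helpers. The chain names, the /etc/firewall.d directory layout and the one-rule-per-line "proto port" conffile format are assumptions, and the functions print the iptables commands rather than executing them.

```shell
# Added example, not code from this proposal or any Debian package.
# Assumed layout (modelled on apache2's sites-available/sites-enabled):
#   $FW_ETC/available/<service>  one "proto port" rule per line, shipped by the package
#   $FW_ETC/enabled/<service>    symlink created when the admin enables the service
# The functions print iptables commands instead of running them; pipe to sh to apply.
FW_ETC="${FW_ETC:-/etc/firewall.d}"

# One-time setup of the top-level chains, which individual packages never touch.
# fw-trusted is the admin's hook for trusted interfaces/IPs (e.g. -i eth1 -j ACCEPT);
# fw-services is the managed application chain rebuilt from the enabled conffiles.
fw_init() {
    cat <<'EOF'
iptables -N fw-trusted
iptables -N fw-services
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j fw-trusted
iptables -A INPUT -j fw-services
iptables -P INPUT DROP
EOF
}

# a2enmod/a2dismod-style switches: a service is enabled iff its symlink exists.
fw_enable() {
    [ -f "$FW_ETC/available/$1" ] || { echo "no such service: $1" >&2; return 1; }
    mkdir -p "$FW_ETC/enabled"
    ln -sf "$FW_ETC/available/$1" "$FW_ETC/enabled/$1"
}
fw_disable() { rm -f "$FW_ETC/enabled/$1"; }

# Translate one package conffile into ACCEPT rules in the managed chain.
# Blank lines and '#' comments are skipped; anything else must be "tcp|udp <port>",
# so a malformed conffile fails loudly instead of producing a bad rule.
fw_service_rules() {
    while read -r proto port; do
        case "$proto" in ''|'#'*) continue ;; esac
        case "$proto" in tcp|udp) ;; *) echo "bad proto in $1: $proto" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port in $1: $port" >&2; return 1 ;; esac
        echo "iptables -A fw-services -p $proto --dport $port -j ACCEPT"
    done < "$1"
}

# Regenerate the application chain from whatever is currently enabled.
# Only fw-services is flushed; INPUT and fw-trusted stay exactly as the admin set them.
fw_build() {
    echo "iptables -F fw-services"
    for f in "$FW_ETC"/enabled/*; do
        [ -e "$f" ] && fw_service_rules "$f"
    done
    return 0
}
```

Running `fw_init | sh` once and `fw_build | sh` after each enable or disable keeps package rules confined to fw-services, which is the property the top-level chains are meant to guarantee.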