WARNING: nftables is the default firewall framework since Debian 10 Buster. This page is outdated.

Problem description

Debian includes many packages that provide firewalling tools, so many that it is difficult for a novice user to choose between them, which often means choosing none at all. And even though iptables is installed as part of the base system, that package ships no firewall rules (i.e., a default policy of "permit") and no startup scripts to manage a firewall.

Moreover, even though the various firewall packages all hook into iptables, there is minimal or no support for sharing configurations between the tools or for migrating from one to the other, because they lack any common configuration format (many of them treat the actual iptables rules as an exported view only).

As a further consequence, support for package-specific firewall rules is lacking. With the exception of particular common services, users are left on their own to peruse HOWTOs to figure out how to let package-specific traffic through their firewall.

Proposed solution

So obviously, the right way to fix this is to introduce a completely new system.

Features


Possible starting point

This is the output of iptables-save:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:debian_input_root - [0:0]
:debian_logging - [0:0]
:debian_services_input - [0:0]
:debian_trusted_hosts_input - [0:0]
:debian_untrusted_hosts_input - [0:0]

# Accept Loopback and then jump to the debian managed chain
-A INPUT -i lo -j ACCEPT
-A INPUT -j debian_input_root

# This is pretty much just an accept all, but it does a little sanity checking
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j debian_logging

# The main Debian chain.
-A debian_input_root -m conntrack --ctstate INVALID -j debian_logging
-A debian_input_root -j debian_trusted_hosts_input
-A debian_input_root -j debian_untrusted_hosts_input
-A debian_input_root -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A debian_input_root -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j debian_logging
-A debian_input_root -m conntrack --ctstate NEW -j debian_services_input
-A debian_input_root -j debian_logging

# Log 5 packets per minute.  Reject with icmp-port-unreachable.
-A debian_logging -m limit --limit 5/min -j LOG --log-prefix "debian-ruleset"
-A debian_logging -j REJECT --reject-with icmp-port-unreachable

# Managed chain for services.  Automatically allows pings at a rate of 5/sec.
# The example also allows ssh connections.
-A debian_services_input -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT
-A debian_services_input -p tcp -m tcp --dport 22 -j ACCEPT

-A debian_trusted_hosts_input -s always.trusted.net.block/255.255.255.0 -j ACCEPT
-A debian_untrusted_hosts_input -s evil.bad.guy.net/255.255.255.0 -j DROP
COMMIT
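A ruleset like the one above is only as safe as its structure: a typo in a `-j` target, a user chain that nothing jumps to, or a built-in chain whose policy silently drifted from DROP to ACCEPT would all pass unnoticed until traffic hits it. The following checker, added here as an example and not part of the Debian proposal or of iptables itself, parses iptables-save text and reports those three classes of mistake. It embeds a copy of the ruleset above (with the placeholder hostnames replaced by constructed documentation addresses), and the set of built-in targets it recognises is an assumption of the example; extend it for any target modules you load.

```python
"""Static sanity checks for an iptables-save ruleset (added example)."""
import shlex

# Targets built into iptables that need no user-chain definition.
# This list is an assumption of the example; extend it for extra target modules.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN"}
# Chains that exist in the filter table without a user definition.
BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}

# Copy of the ruleset shown above, embedded so the checks run offline.
# The trusted/untrusted networks are constructed documentation addresses.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:debian_input_root - [0:0]
:debian_logging - [0:0]
:debian_services_input - [0:0]
:debian_trusted_hosts_input - [0:0]
:debian_untrusted_hosts_input - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j debian_input_root
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j debian_logging
-A debian_input_root -m conntrack --ctstate INVALID -j debian_logging
-A debian_input_root -j debian_trusted_hosts_input
-A debian_input_root -j debian_untrusted_hosts_input
-A debian_input_root -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A debian_input_root -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j debian_logging
-A debian_input_root -m conntrack --ctstate NEW -j debian_services_input
-A debian_input_root -j debian_logging
-A debian_logging -m limit --limit 5/min -j LOG --log-prefix "debian-ruleset"
-A debian_logging -j REJECT --reject-with icmp-port-unreachable
-A debian_services_input -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT
-A debian_services_input -p tcp -m tcp --dport 22 -j ACCEPT
-A debian_trusted_hosts_input -s 192.0.2.0/255.255.255.0 -j ACCEPT
-A debian_untrusted_hosts_input -s 198.51.100.0/255.255.255.0 -j DROP
COMMIT
"""


def parse_ruleset(text):
    """Parse iptables-save text into {table: {"policies", "chains", "rules"}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # blank lines and comments
        if line.startswith("*"):            # "*filter" opens a table
            table = line[1:]
            tables[table] = {"policies": {}, "chains": set(), "rules": []}
        elif line == "COMMIT":              # closes the current table
            table = None
        elif table is None:
            raise ValueError(f"line outside a table: {line}")
        elif line.startswith(":"):          # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            tables[table]["chains"].add(name)
            tables[table]["policies"][name] = policy
        else:
            argv = shlex.split(line)        # handles the quoted --log-prefix
            if argv[:1] != ["-A"]:
                raise ValueError(f"unsupported directive: {line}")
            target = argv[argv.index("-j") + 1] if "-j" in argv else None
            tables[table]["rules"].append((argv[1], target))
    if table is not None:
        raise ValueError(f"table {table} has no COMMIT")
    return tables


def check_ruleset(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for tname, t in parse_ruleset(text).items():
        declared = t["chains"]
        # 1. Built-in chains must keep a default-deny policy.
        for chain in sorted(BUILTIN_CHAINS & declared):
            if t["policies"][chain] != "DROP":
                findings.append(f"{tname}: built-in chain {chain} policy is "
                                f"{t['policies'][chain]}, not DROP")
        # 2. Every -j target must be a built-in target or a declared chain.
        referenced = set()
        for chain, target in t["rules"]:
            if chain not in declared:
                findings.append(f"{tname}: rule appended to undeclared chain {chain}")
            if target is None or target in BUILTIN_TARGETS:
                continue
            referenced.add(target)
            if target not in declared:
                findings.append(f"{tname}: jump to undefined chain {target}")
        # 3. A declared user chain nobody jumps to is dead (and probably a typo).
        for chain in sorted(declared - BUILTIN_CHAINS - referenced):
            findings.append(f"{tname}: user chain {chain} is never referenced")
    return findings


if __name__ == "__main__":
    for finding in check_ruleset(SAMPLE_RULESET) or ["no findings"]:
        print(finding)
```

This is a structural review, not a syntax check: the authoritative way to confirm that a file loads is `iptables-restore --test < ruleset`, which parses and builds the ruleset without committing it. The checker complements that by catching mistakes iptables accepts happily, such as a user chain that is declared but never reached.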

Major issues: