On 11 November 2015 at 03:50, Lihe Wang <wanglihe.program...@gmail.com> wrote:
> 1: I do not agree about "despite message". Everything should not give a wrong
> message if run correctly. As a programmer, when I write a script, what can I do
> about a wrong message? Some of them are really wrong, and others mean nothing?
>

I could drop the /etc/init.d/nftables file ... yeah, perhaps it makes sense.
I just don't want to support 2 init systems.

> 2: Yes, the shipped config file drops almost everything. I cannot log in to the
> remote server, no ping response, just because I installed nftables. It is
> bad. Things go the wrong way, even if it wants more security. Everything
> should be left unchanged, and then I add rules.

Right now, the file /etc/nftables.conf includes this:

[...]
# activate the following line to accept common local services
#tcp dport { 22, 80, 443 } ct state new accept
[...]

So, you just need to uncomment that line to start accepting incoming SSH/Web connections.

The shipped configuration is a secure one: a white-list type firewall, which drops all connections unless stated otherwise. It's intended for a simple workstation.

You should not enable the firewall without reading the ruleset first. That's why the user has to manually enable the nftables systemd service.

Regarding the /etc/nftables directory: it should not be there, and the next package upload to Debian will not carry the directory.

-- 
Arturo Borrero González
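The white-list ruleset the reply describes, written out as an added example (this is not the Debian package's shipped /etc/nftables.conf; only the `tcp dport { 22, 80, 443 }` line comes from the message, everything else is assumed for illustration). The input chain drops by default, accepts loopback and reply traffic, answers ping so a remote host stays diagnosable, and has the service line uncommented:

```nft
#!/usr/sbin/nft -f
# Added example of a default-drop (white-list) ruleset.
# Assumed content: only the 'tcp dport { 22, 80, 443 }' line is from the
# original message; the other rules are typical additions, not the shipped file.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback traffic is always allowed
        iif lo accept

        # replies to connections this host initiated
        ct state established,related accept

        # drop packets conntrack cannot associate with any flow
        ct state invalid drop

        # keep the host reachable for ping and IPv6 neighbour discovery
        ip protocol icmp icmp type echo-request accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # activate the following line to accept common local services
        tcp dport { 22, 80, 443 } ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Before enabling the systemd service on a remote machine, `nft -c -f /etc/nftables.conf` parses the file without loading it, and `nft list ruleset` shows what is actually active afterwards.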