On 12 November 2015 at 2:54 AM, "Arturo Borrero Gonzalez" <arturo.borrero.g...@gmail.com> wrote:
>
> On 11 November 2015 at 03:50, Lihe Wang <wanglihe.program...@gmail.com> wrote:
> > 1: I do not agree about "despite message". Nothing should give a wrong
> > message if it runs correctly. As a programmer, when I write a script,
> > what can I do about wrong messages? Some of them are really wrong, and
> > others mean nothing?
> >
>
> I could drop the /etc/init.d/nftables file ...
> yeah, perhaps it makes sense. I just don't want to support 2 init systems.
>
Yes, forget init; I like systemd too.
> > 2: Yes, the shipped config file drops almost everything. I cannot log in
> > to a remote server, and there is no ping response, just because I
> > installed nftables. It is bad. Things go the wrong way, even if it wants
> > more security. Everything should be left unchanged, and then I add rules.
>
> Right now, the file /etc/nftables.conf includes this:
>
> [...]
> # activate the following line to accept common local services
> #tcp dport { 22, 80, 443 } ct state new accept
> [...]
>
> So, you just need to uncomment that line to start accepting incoming
> SSH/Web connections.
>
> The shipped configuration is a secure one: a white-list type firewall,
> which drops all connections unless stated otherwise. It's intended for
> a simple workstation.
>
I can read and rewrite rules; I use nftables very well, trust me. The bug I
submitted is not about the nftables rules, it is about which config file
should be used as the default. I think it should be blank. We use Debian on
every cloud platform, and more and more so as days go by, but if we build an
image that cannot be logged in to remotely by default, it is not cool. This
config is just an example, or reflects the author's opinion about a
workstation, but it should not be used as the default.
> You should not enable the firewall without reading the ruleset first.
Yeah, I did not really lose my remote system, just because I had read the
rules and modified them.
> That's why the user has to manually enable the nftables systemd service.
>
> Regarding the /etc/nftables directory: it should not be there, and the
> next package upload to debian will not carry the directory.
>
No, no. This is another wrong way. The firewall is a core component; there
can be many config files, and they change frequently. You can split the config
files like sysctl: put them in nftables.conf and nftables.d. Try to do this.
> --
> Arturo Borrero González
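
For readers following the thread, here is an added illustration of the two things being argued about: a white-list ruleset of the kind Arturo describes (default-drop input chain with the commented-out service line), laid out with the sysctl.d-style split that Lihe asks for. This is not the file shipped by the Debian package and not code from either participant; the table and chain names, the /etc/nftables.d/ directory and the use of a wildcard include (which needs an nft release that supports it) are assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Example ruleset, not the Debian package's /etc/nftables.conf.
# Layout: this file carries the base policy; site-specific rules go in
# /etc/nftables.d/*.nft (assumed path) so package upgrades never touch them.
flush ruleset

table inet filter {
	chain input {
		# white-list policy: anything not explicitly accepted is dropped
		type filter hook input priority 0; policy drop;

		# replies to connections this host initiated
		ct state established,related accept
		# packets conntrack cannot classify (bad TCP flags, late segments)
		ct state invalid drop

		# loopback is always trusted
		iif lo accept

		# keep ping and ICMP error reporting working, so a remote host
		# does not look dead just because the firewall is enabled
		meta l4proto { icmp, ipv6-icmp } accept

		# activate the following line to accept common local services
		#tcp dport { 22, 80, 443 } ct state new accept
	}

	chain forward {
		# this host is not a router; refuse to forward anything
		type filter hook forward priority 0; policy drop;
	}

	chain output {
		# outbound traffic from the host itself is allowed
		type filter hook output priority 0; policy accept;
	}
}

# Site additions, sysctl.d style. Each file re-opens the same table/chain and
# appends rules, e.g. "table inet filter { chain input { tcp dport 22 accept } }".
# Assumption: the directory exists and nft understands wildcard includes.
include "/etc/nftables.d/*.nft"
```

Before enabling the service on a remote machine, parse-check the whole tree with `nft -c -f /etc/nftables.conf` (the -c flag validates without loading), and keep the existing SSH session open while loading it with `nft -f /etc/nftables.conf`; because the input chain's policy is `drop`, that session survives only through the `ct state established,related accept` rule, and a new login requires the commented service line (or an equivalent in nftables.d) to be active.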