On 09/10/14 00:12, Richard Owlett wrote:
> koanhead wrote:
>> On 10/06/2014 04:20 AM, Richard Owlett wrote:
>>> I'm a relatively new convert from Windows to Debian...
>>> I'm looking for a reference document that wouldn't scare my friend off
>>> Debian and also give me the required information to:
>>> 1. close the maximum number of ports.
>>> I see him using browser, email, ftp file downloading.
>>> I don't see him being a server. All incoming packets should be to
>>> fulfill a previous outgoing request - [correctly phrased?].
>>
>> https://wiki.debian.org/iptables should be as much as you need to
>> accomplish this.
>
> That page is unsuitable for the audience I wish to reach. I saw it some
> time ago and had gone looking for something I could use. It's one of
> those Debian pages that reminds me of CPM-80 manuals of decades ago. The
> information present, but ...

The hard bit about things like firewalling is that there is really a
minimum technical understanding necessary to do it properly. Even
commercial firewall products aimed at the non-technical user fail
miserably on this front.

The user typically gets bombarded by messages regarding some program
executable wants access to "the Internet" with "allow" and "deny"
buttons. A user who can translate that filename to a program they're
using might stand a chance but many will just click "Allow" because
things break when they click "Deny".

Windows has an advantage over Linux in that it can block access on a
per-binary executable basis. Netfilter AFAIK doesn't provide filter
rules for blocking distinct executables.

If you can come up with a well-written guide that discusses the basics
well, great, but I suspect this is going to be very difficult to
achieve. I suspect many are going to expect a "program" they can
download, which in our case could be a netfilter front-end.

The good news is that the "stereotypical Linux user" is generally more
technically competent than the "stereotypical Windows user".

>> Any service you're not currently using should be disabled. Any service
>> you won't use should not be installed.
>
> Yeah. But ;/ The devil is in the details.
> Where is a list of services.
> How would Joe the Janitor and Mary the Florist choose?

A good start is in /etc/init.d and the update-rc.d utility, but once
again, not good in your use case as it assumes a reasonable level of
understanding.

The closest in Windows I can think of is msconfig: and I'd wager not
many stereotypical Windows users would venture there.

-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
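
Added example, not part of the original thread: a shell sketch of the two tasks discussed above, listing which listening sockets are reachable from the network and emitting a netfilter policy that only admits replies to outgoing requests. The function names and the sample `ss -H -tuln` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit listening sockets and emit a reply-only inbound policy.

# Constructed sample of `ss -H -tuln` output (not from a real host).
sample_ss_output() {
cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      20         127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      20             [::1]:25            [::]:*
EOF
}

# Read `ss -H -tuln` lines on stdin and print every socket that is not bound
# to a loopback address, one "proto/port on addr" per line. These are the
# services to disable or remove if the machine is not meant to be a server.
exposed_listeners() {
  awk '{
    n = split($5, parts, ":"); port = parts[n]          # port follows the last colon
    addr = substr($5, 1, length($5) - length(port) - 1)
    if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next      # loopback only: not exposed
    print $1 "/" port " on " addr
  }'
}

# Print an iptables-restore ruleset for a pure client: drop unsolicited inbound
# and forwarded traffic, allow loopback, allow packets that conntrack ties to a
# connection this host opened. IPv4 only; IPv6 needs the same via ip6tables.
client_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

echo "Network-reachable listeners in the constructed sample:"
sample_ss_output | exposed_listeners
echo "Ruleset (apply as root with: client_ruleset | iptables-restore):"
client_ruleset
```

On a real host, replace `sample_ss_output` with `ss -H -tuln`; a service that appears in the listener report can then be matched to its script in /etc/init.d and disabled with update-rc.d.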