This repository has been archived by the owner on Aug 27, 2018. It is now read-only.

Enable the firewall by default #55

Closed
edolstra opened this issue Dec 11, 2012 · 7 comments

Comments

@edolstra (Member)

Currently the NixOS firewall is not enabled by default, requiring users to set networking.firewall.enable. I think it's better to be secure by default.

@aszlig (Member)

aszlig commented Dec 11, 2012

I'd object to that, because on most machines it's absolutely unnecessary to add something (in this case netfilter modules) in order to be more "secure". Most people more likely want to not open any ports in the first place rather than leave them open and place a guard (netfilter) in front of them.

It's like having a big castle with many open gates and putting a bunch of security guards in front of every gate, hoping that no guard will fall asleep or miss something, instead of just having one gate or no gate at all. You can't exploit anything when there is none.

@vcunat (Member)

vcunat commented Dec 12, 2012

It doesn't seem very good to me, either. I don't know much about network security, but using on-machine firewalls usually just strikes me as creating a false feeling of security.

To the point (please, correct me if I'm wrong):

  • I don't think people expect IPv4 ping to be disabled by default.
  • Adding a service in the NixOS configuration will also require me to update the firewall settings (IMO this should be automatic).
  • AFAIK no one but root can listen on low-numbered ports... and root can always easily change the firewall.
  • For higher ports... well, users can always run malware that listens on them... but more often they will want to use other apps that need open ports (like BitTorrent, probably SIP, whatever).

@viric (Member)

viric commented Dec 12, 2012

I second the opinion of vcunat.

@edolstra (Member, Author)

People who think they're sufficiently secure without a firewall can just add `networking.firewall.enable = false` to their config. But that's not a good default. See also http://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29

@vcunat The NixOS firewall allows outgoing pings by default. We could consider allowing incoming pings by default (`networking.firewall.allowPing = true`).
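As an added illustration (not a snippet from this thread, from NixOS's own templates, or from any commenter), here is a NixOS configuration fragment that takes the secure-by-default position: the firewall stays on, incoming ICMP echo is permitted through the `allowPing` option discussed above, and exactly one inbound TCP port is opened for a service. The thread only names `networking.firewall.enable` and `networking.firewall.allowPing`; `services.openssh.enable` and `networking.firewall.allowedTCPPorts` are assumed here from the general NixOS option set.

```nix
{ config, pkgs, ... }:

{
  # Position argued in this issue: keep the host firewall enabled so that
  # anything listening by accident is not reachable from the network.
  networking.firewall.enable = true;

  # Option named in the thread: answer incoming pings even with the
  # firewall on, so hosts do not silently look "down" to operators.
  networking.firewall.allowPing = true;

  # Assumed options (not named in the thread): enabling a listening
  # service does not open its port by itself; the port must be listed
  # explicitly, which is the manual step vcunat objects to above.
  services.openssh.enable = true;
  networking.firewall.allowedTCPPorts = [ 22 ];
  # Every other inbound TCP/UDP port stays closed.
}
```

After `nixos-rebuild switch`, the generated netfilter rules can be inspected with `iptables -L -n` to confirm that only port 22 and ICMP echo are accepted inbound; a newly enabled service that still cannot be reached is the signal that its port is missing from `allowedTCPPorts`.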

@shlevy (Member)

shlevy commented Dec 12, 2012

Maybe as a bit of a compromise, we could put `# networking.firewall.enable = false; # Disables the firewall` in the template generated by `nixos-option --install`?

@peti (Member)

peti commented Dec 12, 2012

I am in favor of enabling the firewall by default, too. IMHO, it's better to err on the side of caution.

@vcunat (Member)

vcunat commented Dec 12, 2012

It certainly is better to err on the side of caution and have more layers, to be sure. I just don't see how this personal firewall helps, but I don't really mind having it as the default (@shlevy's suggestion is nice). However, there are different things I'm usually worrying about, like bots spending days trying to guess SSH passwords of users...

@edolstra I meant incoming pings.

An aside: could you point me to an advantage of such plain disabling of listening on some ports? I thought most malware works rather by connecting actively (hacking more machines, coordinating attacks, etc.).
