Chris Adams wrote:
> The only thing you need a firewall by default for is to prevent services
> that are listening on the network from being accessible. The better
> solution is to stop having services listen on the network by default.
FWIW, this is what Ubuntu has been doing for ages (they call it "zero open
ports policy"), and AFAIK they do not enable iptables by default because of
this.
That said, "zero open ports" also got complaints, e.g. because they disabled
the CUPS web-based configuration interface to close port 631.
Kevin Kofler
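The distinction the thread turns on is between a service bound only to loopback (which "zero open ports" leaves alone) and one bound to a network-reachable address. The following script is an added example, not code from the thread or from any distribution's tooling: it takes the output of `ss -Hltnup` (listening TCP/UDP sockets, numeric, with process names) and prints only the sockets that are reachable from the network, so an administrator can see what a host actually exposes before deciding whether a firewall is still needed. The sample `ss` lines are constructed for the example, including a CUPS instance bound to 127.0.0.1:631 and [::1]:631 as the Ubuntu case discusses.

```shell
#!/bin/sh
# Added example: list listening sockets that are NOT bound to loopback.
# Input format is that of `ss -Hltnup`. The sample below is constructed,
# not captured from a real host; the pids and processes are illustrative.

SAMPLE_SS='tcp   LISTEN 0  128  127.0.0.1:631      0.0.0.0:*  users:(("cupsd",pid=812,fd=7))
tcp   LISTEN 0  128  0.0.0.0:22        0.0.0.0:*  users:(("sshd",pid=640,fd=3))
tcp   LISTEN 0  4096 [::1]:631         [::]:*     users:(("cupsd",pid=812,fd=8))
udp   UNCONN 0  0    0.0.0.0:5353      0.0.0.0:*  users:(("avahi-daemon",pid=701,fd=12))
tcp   LISTEN 0  128  [::]:22           [::]:*     users:(("sshd",pid=640,fd=4))'

# network_exposed: read ss lines on stdin and print
# "<proto> <local address:port> <process>" for each socket whose bind
# address is not a loopback address (127.0.0.0/8 or ::1).
network_exposed() {
    awk '
    {
        proto = $1; local = $5; proc = "-"
        # The process column looks like users:(("cupsd",pid=812,fd=7));
        # "users:((\"" is 9 characters, so the name starts at RSTART+9.
        if (match($0, /users:\(\("[^"]+"/)) {
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        }
        # Strip the trailing :port to get the bind address.
        addr = local
        sub(/:[0-9]+$/, "", addr)
        if (addr == "[::1]" || addr ~ /^127\./) next
        print proto, local, proc
    }'
}

# Run against the live host when invoked with --live, otherwise against
# the constructed sample so the script works offline.
if [ "${1:-}" = "--live" ]; then
    ss -Hltnup | network_exposed
else
    printf '%s\n' "$SAMPLE_SS" | network_exposed
fi
```

On the sample input this reports sshd on 0.0.0.0:22 and [::]:22 and avahi-daemon on 0.0.0.0:5353, while both cupsd sockets are filtered out because they are loopback-only, which is exactly the configuration that lets a distribution claim "zero open ports" without a firewall. Wildcard binds (0.0.0.0 and [::]) are treated as exposed; the script does not try to decide whether a given interface is actually reachable from outside.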