Fragadelic wrote: You would be incorrect since even X runs as a service with a network listener port.
I thought that by default port 6000 is closed. You have to enable it, e.g. via the login manager panel (gksu gdmsetup). All present-day distributions do this, e.g. port 6000 is closed and X11 runs with the "tcp nolisten" option. And even if port 6000 were open, it still can't be exploited that easily.
Fragadelic wrote: This would be for folks that don't have a hardware firewall of some sort.
That's why I suggested that a wizard should ask about this during installation. E.g. SUSE does this too.
Fragadelic wrote: Not running a firewall of some sort on a directly connected PC on the internet is just asking for trouble regardless of what OS you are running.
Sorry, but that's FUD. If there is no service running that would respond to any connection requests, then a firewall is pretty much pointless. Servers which run some sort of network service (e.g. SAMBA, FTP, NFS, etc.) are a different story. But even then you most of the time don't need a full-blown firewall; stuff like having "denyhosts" running in the background or keeping your /etc/hosts.deny and /etc/hosts.allow up-to-date can already help a great deal.
Adding a firewall that closes down everything by default just adds another layer of complexity that might get in one's way. And most Linux desktops simply aren't running any services that would require this level of protection.
Maybe it would again be wise to imitate Mandriva in this regard: Offer an "Advanced" button of some sort during the installation where experienced users can turn off the firewall if they so wish. The default is to install it, just to be on the safe side.
Fragadelic wrote: If you like, go ahead and directly connect your PC to the internet without a firewall and run a port scan on it. I wouldn't recommend doing this with a production PC though.
I've done precisely that many, many, many times with my laptop, which runs Linux. And guess what: besides a few desperate script kiddies trying to log in as "root" via SSH, nothing happens. Because I am simply not running anything on my desktop that would need a firewall.
I think the best thing to suit you and me would be this wizard thing. Inexperienced users get it activated by default as a standard, "Advanced" users can click on a "No" button and get their system without firewall if they so wish.