mobility and firewall

Carl Karsten carl at personnelware.com
Fri Jun 3 14:18:22 CDT 2005


For openers, I think a firewall on a local box is more trouble than it is worth. 
I think the firewall should be on a router between the box that needs protecting 
and what it needs protecting from (normally the Net.)

However, not everyone thinks like me, so let's look at some of the things that are 
being asked for.

In looking at http://udu.wiki.ubuntu.com/Firewalls, I think "protect his machine" 
is too undefined.  If you are going to provide a service to other boxes, you are 
giving up some protection.

Another concern not listed: If a his box is compromised and starts attacking other 
boxes on the LAN, then "protect his machine" should be changed to "protect his 
other nearby machines." - But now we get into the "I can't connect to AIM, etc" 
complaint.

Another concern not listed: You have a laptop with NFS, Samba, Cups and even a 
telnet server running.  My guess is you want these enabled when connected to your 
"trusted" lan, but not when connected to the Burger King wifi.  This is a good use 
for a firewall, but a very simple one - something like "allow connections to 
privileged ports: on/off."  When the box is in the wild, nothing connects to it. 
  the 1% of the people that do want select ports open are the same people that can 
figure it out on there own;  Except for 1% of that group that could use help, but 
that is a reasonable casualty.


Dmitriy Kropivnitskiy wrote:
 > On Fri, 2005-06-03 at 11:43 +1200, Christoph Georgi wrote:
 >
 >>Default Policy: DROP
 >>Allow only ESTABLISHED and RELATED for incoming traffic
 >>Allow outgoing connections only to port http, https, smtp, pop3, ...
 >>
 > I wouldn't restrict outgoing connections, since that wuold lead to way
 > to many dumb-user problems like
 > "I cannot use AIM!" "Why cannot I connect to IRC?" etc.

Long shot: could it look at the local apt-get db and configure itself based on 
what apps are installed?

I realize a compromised box could take advantage of this, but to me a compromised 
box can take advantage of anything, and some sort of auto configuring firewall 
might just be a good compromise.

Carl K



More information about the ubuntu-devel mailing list