mobility and firewall
Dmitriy Kropivnitskiy
nigde at mitechki.net
Fri Jun 3 14:42:12 CDT 2005
On Fri, 2005-06-03 at 14:18 -0500, Carl Karsten wrote:
> For openers, I think a firewall on a local box is more trouble than it is worth.
> I think the firewall should be on a router between the box that needs protecting
> and what it needs protecting from (normally the Net.)
This is true in case of a home LAN, but for a single system, a router
(IMHO) is more trouble than it is worth, and on a mobile system you do
not own the router and therefore cannot trust it.
> In looking at http://udu.wiki.ubuntu.com/Firewalls, I think "protect his machine"
> is too undefined. If you are going to provide a service to other boxes, you are
> giving up some protection.
Yes, but the default policy is "no open ports", so by default your
system would not be providing any services. To provide a service you
would have to configure something to provide it. If you are computer
literate enough to do that, you should have no trouble enabling incoming
connections on a few ports especially if given a decent GUI application
to do that. <shameless plug>For example firestarter.</shameless plug>
> Another concern not listed: If his box is compromised and starts attacking other
> boxes on the LAN, then "protect his machine" should be changed to "protect his
> other nearby machines." - But now we get into the "I can't connect to AIM, etc"
> complaint.
I would assume that external systems should be able to protect
themselves. This is definitely not a function of the "personal"
firewall.
>
> Another concern not listed: You have a laptop with NFS, Samba, CUPS and even a
> telnet server running. My guess is you want these enabled when connected to your
> "trusted" LAN, but not when connected to the Burger King wifi. This is a good use
> for a firewall, but a very simple one - something like "allow connections to
> privileged ports: on/off." When the box is in the wild, nothing connects to it.
> The 1% of the people that do want select ports open are the same people that can
> figure it out on their own, except for 1% of that group that could use help, but
> that is a reasonable casualty.
This case is well covered by software like firestarter, where you can
easily turn firewall protection on and off.
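The "privileged ports: on/off" toggle discussed above, as an added example that is not part of this thread or of firestarter's code: a POSIX sh generator for an iptables-restore ruleset with a default-deny INPUT policy, where "trusted" mode opens the NFS, Samba, CUPS and telnet ports only to an assumed LAN subnet (192.168.1.0/24 is a placeholder) and "wild" mode opens nothing.

```shell
#!/bin/sh
# Personal-firewall policy generator (added example, not firestarter's code).
# ruleset wild    -> default-deny inbound; nothing may connect to this box.
# ruleset trusted -> also allow the LAN-only services (NFS, Samba, CUPS,
#                    telnet) from LAN_CIDR. Overwrite LAN_CIDR for your LAN.
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"   # assumed placeholder subnet

ruleset() {
  mode="$1"
  case "$mode" in
    wild|trusted) ;;
    *) echo "usage: ruleset wild|trusted" >&2; return 2 ;;
  esac
  # Base policy: drop all inbound, keep loopback and our own connections.
  printf '%s\n' '*filter' \
    ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  if [ "$mode" = trusted ]; then
    # Privileged-port services, reachable only from the trusted LAN.
    # (NFSv3 mountd/lockd use dynamic ports unless pinned; not covered.)
    for svc in "tcp 23" "tcp 111" "udp 111" "tcp 2049" "udp 2049" \
               "udp 137" "udp 138" "tcp 139" "tcp 445" "tcp 631"; do
      set -- $svc   # intentional word split: $1=proto $2=port
      printf '%s\n' "-A INPUT -s $LAN_CIDR -p $1 --dport $2 -j ACCEPT"
    done
  fi
  # Log (rate-limited) what the default policy drops, so refusals are visible.
  printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "' \
    'COMMIT'
}

apply_mode() {
  # Load the generated table atomically; needs root and iptables-restore.
  ruleset "$1" | iptables-restore
}

# Dry run when given a mode on the command line: print, do not apply.
if [ -n "${1:-}" ]; then ruleset "$1"; fi
```

Run `./fw.sh wild` to review the table before `apply_mode wild` as root.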