mobility and firewall

Lance Lassetter lance at uclinux.info
Fri Jun 3 16:53:52 CDT 2005


On Fri, 2005-06-03 at 15:42 -0400, Dmitriy Kropivnitskiy wrote:
> On Fri, 2005-06-03 at 14:18 -0500, Carl Karsten wrote:
> > For openers, I think a firewall on a local box is more trouble than it is worth. 
> > I think the firewall should be on a router between the box that needs protecting 
> > and what it needs protecting from (normally the Net.)
> 
> This is true in the case of a home LAN, but for a single system a router
> (IMHO) is more trouble than it is worth, and on a mobile system you do
> not own the router, therefore you cannot trust it.
> 
> > In looking at http://udu.wiki.ubuntu.com/Firewalls, I think "protect his machine" 
> > is too undefined.  If you are going to provide a service to other boxes, you are 
> > giving up some protection.
> 
> Yes, but the default policy is "no open ports", so by default your
> system would not be providing any services. To provide a service you
> would have to configure something to provide it. If you are computer
> literate enough to do that, you should have no trouble enabling incoming
> connections on a few ports especially if given a decent GUI application
> to do that. <shameless plug>For example firestarter.</shameless plug>

AFAIK, Firestarter cannot be configured to run without an interface being
up. If I connect to multiple networks, some behind routers/firewalls,
some not (or behind something trivial) from the external Internet, I think
a solution would be to have something that doesn't have to wait for an
interface to come up and will bind to whatever interface is the 'default
route' or something? Yes, 'no open ports' is a good policy, but there
are for sure other ways for worms/trojans/viruses, et al. to infect a
system. Maybe not so apparent on Linux just yet, but I would rather not
take the chance.

> 
> > Another concern not listed: If a his box is compromised and starts attacking other 
> > boxes on the LAN, then "protect his machine" should be changed to "protect his 
> > other nearby machines." - But now we get into the "I can't connect to AIM, etc" 
> > complaint.
> 
> I would assume that external systems should be able to protect
> themselves. This is definitely not a function of the "personal"
> firewall.
> 
> > 
> > Another concern not listed: You have a laptop with NFS, Samba, Cups and even a 
> > telnet server running.  My guess is you want these enabled when connected to your 
> > "trusted" lan, but not when connected to the Burger King wifi.  This is a good use 
> > for a firewall, but a very simple one - something like "allow connections to 
> > privileged ports: on/off."  When the box is in the wild, nothing connects to it. 
> > The 1% of the people that do want select ports open are the same people that can 
> > figure it out on their own; except for 1% of that group that could use help, but 
> > that is a reasonable casualty.
> 
> This case is well covered by software like Firestarter, where you can
> easily turn firewall protection on and off.
> 
> 
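The thread asks for two things: a packet filter that does not have to wait for a particular interface to come up (Lance's point) and a simple "allow connections to privileged ports: on/off" switch for trusted versus untrusted networks (Carl's point). The script below is an added example, not code from the thread, from Ubuntu or from Firestarter. It generates an iptables-restore ruleset whose INPUT chain is keyed on connection state rather than on an interface name, so it can be loaded at boot before any link exists and applies to whichever interface later carries the default route; the mode names "wild" and "trusted" and the helper functions are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the ubuntu-devel thread or Firestarter).
# ruleset MODE prints an iptables-restore ruleset to stdout.
#   wild    - assumed name: no new inbound connections at all
#   trusted - assumed name: also accept new connections to privileged
#             ports (1-1023), the on/off switch discussed in the thread
# Every rule matches on state or protocol, never on an interface name
# other than lo, so the policy is valid before any interface is up.
ruleset() {
    mode="${1:-wild}"
    case "$mode" in
        wild|trusted) ;;
        *) echo "usage: ruleset wild|trusted" >&2; return 2 ;;
    esac
    # Default-deny inbound and forwarded traffic; outbound stays open.
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    if [ "$mode" = trusted ]; then
        # The switch: new connections to privileged ports are accepted
        # only while the trusted ruleset is loaded.
        printf '%s\n' \
            '-A INPUT -p tcp --dport 1:1023 -m conntrack --ctstate NEW -j ACCEPT' \
            '-A INPUT -p udp --dport 1:1023 -m conntrack --ctstate NEW -j ACCEPT'
    fi
    printf '%s\n' 'COMMIT'
}

# Number of rules that accept NEW inbound connections in a given mode
# (0 for wild, 2 for trusted). Used to check the policy, not to load it.
new_inbound_rules() {
    ruleset "$1" | grep -c -- '--ctstate NEW' || true
}

# Interface names the ruleset refers to with -i; should be only "lo",
# which is what makes the policy usable before any link is up.
named_interfaces() {
    ruleset "$1" | sed -n 's/.*-i \([^ ]*\).*/\1/p' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Loading, as root, once the mode is decided (e.g. from a GUI toggle or
# a script keyed on the SSID of the network just joined):
#   ruleset wild    | iptables-restore
#   ruleset trusted | iptables-restore
```

Because the filter is loaded from a file rather than attached to an interface, switching between the two modes is an atomic iptables-restore of the other ruleset; nothing has to be rebound when the default route changes.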
More information about the ubuntu-devel mailing list