mobility and firewall

Carl Karsten carl at personnelware.com
Fri Jun 3 17:08:19 CDT 2005


Dmitriy Kropivnitskiy wrote:
> On Fri, 2005-06-03 at 14:18 -0500, Carl Karsten wrote:
> 
>>For openers, I think a firewall on a local box is more trouble than it is worth. 
>>I think the firewall should be on a router between the box that needs protecting 
>>and what it needs protecting from (normally the Net.)
> 
> 
> This is true in the case of a home LAN, but for a single system, a router
> (IMHO) is more trouble than it is worth,

Here is what I recommend to everyone, friends and professionals, etc.: Only put a 
box on the net if you can afford to lose it; so no primary versions of anything 
(.html files, etc.), or if you are accepting submissions, it gets backed up enough 
that losing the box isn't a problem.

For the single system, get a $20 Internet sharing device, especially now that you 
can get an 802.11b AP for that much.  Very little trouble and way more protection.

> and on a mobile system you do
> not own the router therefore cannot trust it.

Forgive my ignorance, but in this case, what problem would the firewall solve?  (I 
am guessing it is what I listed below, but until that makes it onto 
http://udu.wiki.ubuntu.com/Firewalls I don't see it as a problem that needs solving.)

> 
> 
>>In looking at http://udu.wiki.ubuntu.com/Firewalls, I think "protect his machine" 
>>is too undefined.  If you are going to provide a service to other boxes, you are 
>>giving up some protection.
> 
> 
> Yes, but the default policy is "no open ports", so by default your
> system would not be providing any services. 

#1 "... He wishes to be able to continue to use his peer-to-peer clients."

So the defined problem is beyond the default.

> To provide a service you
> would have to configure something to provide it. If you are computer
> literate enough to do that, you should have no trouble enabling incoming
> connections on a few ports especially if given a decent GUI application
> to do that. <shameless plug>For example firestarter.</shameless plug>

I am not saying that firestarter is "hard", but I disagree with "If literate enough 
...no trouble..." - because of how easy it is to install things.  Basically, you 
can click a few times and bam, you have a working web server.  Why would someone 
want to click some more?  This is what makes me think the firewall settings should 
not "require" any customization to achieve some level of protection.  (Again, not 
sure what we are being protected from, which would help this discussion.)

> 
>>Another concern not listed: If his box is compromised and starts attacking other 
>>boxes on the LAN, then "protect his machine" should be changed to "protect his 
>>other nearby machines." - But now we get into the "I can't connect to AIM, etc." 
>>complaint.
> 
> 
> I would assume, that external systems should be able to protect
> themselves. This is definitely not a function of the "personal"
> firewall.

I was responding to:
> Allow outgoing connections only to port http, https, smtp, pop3, ... 

Which sounds like a solution to "protect his other nearby machines."  Why else 
would you want to restrict outgoing?

> 
> 
>>Another concern not listed: You have a laptop with NFS, Samba, Cups and even a 
>>telnet server running.  My guess is you want these enabled when connected to your 
>>"trusted" LAN, but not when connected to the Burger King wifi.  This is a good use 
>>for a firewall, but a very simple one - something like "allow connections to 
>>privileged ports: on/off."  When the box is in the wild, nothing connects to it. 
>>The 1% of the people that do want select ports open are the same people that can 
>>figure it out on their own; except for 1% of that group that could use help, but 
>>that is a reasonable casualty.
> 
> 
> This case is well covered by software like firestarter, where you can
> easily turn firewall protection on and off.

If this is a valid problem, then someone should "commit" it to the wiki.  Another 
of my personal preferences is to not post things to a wiki that I don't really 
believe in.  My posts here are more to give content for those that do believe in it.

Carl K
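The "allow connections to privileged ports: on/off" idea from the message above, written out as actual packet-filter rules. This is an added example for this archive page, not code from the thread, from Ubuntu or from Firestarter. It is a small POSIX sh script that prints an iptables-restore ruleset for one of two profiles: `trusted` (the home LAN: NFS, Samba, CUPS and telnet reachable, but only from the LAN subnet) and `wild` (public wifi: nothing inbound except replies to connections this box opened). The optional `EGRESS_PORTS` setting shows what the thread's "allow outgoing connections only to http, https, smtp, pop3" would look like. The function name `fw_rules`, the subnet `192.168.1.0/24` and the port lists are assumptions made up for the example; adjust them to your own network.

```shell
#!/bin/sh
# fw_rules: print an iptables-restore ruleset for a laptop that moves
# between a trusted LAN and untrusted wifi.  Example code for the
# discussion above; not part of any project.
#
#   trusted  - accept NFS, Samba, CUPS and telnet, but only from $LAN_NET
#   wild     - accept nothing inbound at all
#
# Set EGRESS_PORTS="80 443 25 110" to also restrict outbound TCP to that
# list (the "protect his other nearby machines" case).
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # assumed home subnet
LAN_TCP_PORTS="23 111 139 445 631 2049"     # telnet, portmap, smb, cups, nfs
LAN_UDP_PORTS="111 137 138 2049"            # portmap, netbios, nfs

fw_rules() {
    profile="$1"
    case "$profile" in
        trusted|wild) ;;
        *) echo "usage: fw_rules trusted|wild" >&2; return 2 ;;
    esac
    if [ -n "${EGRESS_PORTS:-}" ]; then out_policy=DROP; else out_policy=ACCEPT; fi

    printf '%s\n' '*filter'
    # Default policies: drop what nobody asked for, never forward.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ":OUTPUT $out_policy [0:0]"

    # Loopback and replies to connections this box opened are always fine;
    # this is what lets a default-DROP INPUT chain still browse the web.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    # Only the trusted profile opens the LAN services, and only to the LAN.
    if [ "$profile" = trusted ]; then
        for p in $LAN_TCP_PORTS; do
            printf '%s -s %s -p tcp --dport %s -j ACCEPT\n' '-A INPUT' "$LAN_NET" "$p"
        done
        for p in $LAN_UDP_PORTS; do
            printf '%s -s %s -p udp --dport %s -j ACCEPT\n' '-A INPUT' "$LAN_NET" "$p"
        done
    fi

    # Anything else inbound is logged (rate-limited) and falls to the DROP policy,
    # so you can see what is knocking when you are on the Burger King wifi.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'

    # Optional egress restriction: only DNS and the listed TCP ports may leave.
    if [ -n "${EGRESS_PORTS:-}" ]; then
        printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
        printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        printf '%s\n' '-A OUTPUT -p udp --dport 53 -j ACCEPT'
        for p in $EGRESS_PORTS; do
            printf '%s -p tcp --dport %s -j ACCEPT\n' '-A OUTPUT' "$p"
        done
    fi
    printf '%s\n' 'COMMIT'
}

# Dry run:            sh fw_rules.sh trusted
# Apply (as root):    sh fw_rules.sh wild | iptables-restore
if [ -n "${1:-}" ]; then fw_rules "$1"; fi
```

Run it once with `trusted` and once with `wild` and diff the two outputs: the only difference is the ten LAN `ACCEPT` lines, which is exactly the one switch the message argues a default personal firewall needs. The peer-to-peer case from the wiki is the one thing this does not cover; a client that must accept inbound connections needs one extra `-A INPUT -p tcp --dport <port> -j ACCEPT` line, and that is the customization the thread is arguing about.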



More information about the ubuntu-devel mailing list