Firewall

dataw0lf digitalsuicide at gmail.com
Thu Aug 4 13:56:51 UTC 2005


Ewan Mac Mahon wrote:
> The only advantages to firewalling would be that incoming
> requests would simply disappear rather than have an error returned
> (which is an arguable benefit at best) and that it would prevent
> unprivileged users from starting servers; for a single user machine
> that's not an issue anyway.

Sorry if I'm rude, but please don't attempt to explain firewalls
(especially iptables!) if you don't understand them.  You just end up
confusing people more.

Firewalling on Linux is a lot more than that.  If you start hacking away
at iptables, packets don't just magically start dropping (being rude and
not responding to the requester in any way) unless you specify doing so.
You can use the REJECT target to specifically send back error messages.
As well, it won't stop unprivileged users from starting servers;  if
you're disallowing packets in your INPUT chain, it just simply won't
allow outsiders to access the server.  It has no effect on the actual
processes of the server.

iptables is more than just blocking ports, and I think you should realize
that.  You can redirect packets, mangle (i.e. modify) packets, and a
whole lot of other cool stuff.

The obvious advantages to firewalling your user box could be 1)
specifically logging certain ports, servers, and protocols, 2) confusing
'hax0rs' (a favorite trick of mine is to use the iptables random module
to DROP packets 50% of the time and REJECT them 50% of the time;  this
does some fun stuff to port scanners), 3) fine grained control on
packets going in, being forwarded by, and leaving your box, 4) NATing,
and a whole slew of other things.


-- 

Joshua Simpson -- dataw0lf.org
Lead Network Administrator/Engineer Aero-Graphics Inc.
jsimpson at aero-graphics.com
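The three behaviours the post describes (REJECT sending an error back instead of DROP's silence, logging selected ports, and the 50/50 DROP/REJECT trick against port scanners) as one rule set. This is an added example, not code from the post or from its author; it assumes an iptables with the LOG, limit, conntrack and statistic matches (the 2005-era "random" module the post refers to no longer exists; `-m statistic --mode random` is its modern replacement), and the interface and port numbers are made-up examples. The script prints the rules instead of applying them unless APPLY=1 is set, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not part of the original post. Dry-run by default: rules
# are printed, not loaded. Run as root with APPLY=1 to load them for real.
# Assumptions: iptables with LOG, limit, conntrack and statistic support;
# port numbers below are example values only.

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_rules() {
    # Default policy DROP: anything not matched below is silently discarded.
    ipt -P INPUT DROP
    # Keep loopback and already-established connections working.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 1) Log SSH connection attempts, then allow them. The limit match keeps
    #    a scanner from filling the log (5 lines/minute, burst of 10).
    ipt -A INPUT -p tcp --dport 22 -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "ssh-in:"
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT

    # 2) REJECT instead of DROP for ports you want to close politely: the
    #    client gets a TCP RST (or ICMP port-unreachable for UDP) and fails
    #    fast instead of waiting for a timeout. Any server listening on the
    #    port keeps running; only outside access is cut.
    ipt -A INPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
    ipt -A INPUT -p udp --dport 161 -j REJECT --reject-with icmp-port-unreachable

    # 3) The 50/50 trick: half the probes to this port are dropped, the other
    #    half rejected, so a scanner cannot tell "filtered" from "closed".
    #    The DROP rule ends the chain for the packets it matches; the REJECT
    #    rule below it catches the rest.
    ipt -A INPUT -p tcp --dport 23 -m statistic --mode random --probability 0.5 -j DROP
    ipt -A INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset
}

# Number of rules the script emits, for a quick sanity check of the dry run.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

build_rules
```

Order matters: the DROP rule with `--probability 0.5` must sit above the unconditional REJECT for the same port, otherwise every probe is rejected and the randomness never applies. The default policy of DROP is what makes unmatched requests "simply disappear"; swap it for a final `-j REJECT` rule if you prefer the explicit error the post describes.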




More information about the ubuntu-users mailing list