Firewall

Ewan Mac Mahon ewan at macmahon.me.uk
Thu Aug 4 16:59:35 UTC 2005


On Thu, Aug 04, 2005 at 07:56:51AM -0600, dataw0lf wrote:
> Ewan Mac Mahon wrote:
> > The only advantages to firewalling would be that incoming
> > requests would simply disappear rather than have an error returned
> > (which is an arguable benefit at best) and that it would prevent
> > unprivileged users from starting servers; for a single user machine
> > that's not an issue anyway.
> 
> Sorry if I'm rude, but please don't attempt to explain firewalls
> (especially iptables!) if you don't understand them.  You just end up
> confusing people more.
>
I understand iptables pretty well, I just don't think that going into
the nuts and bolts straight away is going to help people that don't know
whether or not they even need a firewall in the first place. IMHO it
makes sense to explain the common case first and let people get into
such a complex topic gradually rather than scaring them off. It's just a
difference of style, I suppose.
> Firewalling on Linux is a lot more than that.  If you start hacking away
> at iptables, packets don't just magically start dropping (being rude and
> not responding to the requester in any way) unless you specify doing so.
That is however what virtually every firewall setup does; and certainly
the simple ones set up by the GUI tools discussed in this thread.

>  You can use the REJECT target to specifically send back error messages.
Yup. Thereby neatly replicating the default behaviour of an unfirewalled
closed port; which is what an Ubuntu box has as standard. There's no
benefit at all in having iptables send out the RSTs over just letting
the main IP stack do it.

>  As well, it won't stop unprivileged users from starting servers;  if
> you're disallowing packets in your INPUT chain, it just simply won't
> allow outsiders to access the server.  It has no effect on the actual
> processes of the server.
> 
Quite true. Also fairly irrelevant; whether the server can't start or
the server can't be contacted it's still not-a-server from the point of
view of the internet. And firewalling it's a lot less complicated than
the alternatives.

> iptables is more than just blocking ports, and I think you should realize
> that.  You can redirect packets, mangle (i.e. modify) packets, and a
> whole lot of other cool stuff.
> 
This is true, and if you're running a frontier firewall for a network
that has multiple client machines, a bunch of servers and all the usual
complicating historical cruft (which I guess from your sig you probably
are) that's great; however, the OP was running a single desktop machine
and was thinking about firewalling coming from a Windows background (I
think). 

> The obvious advantages to firewalling your user box could be 1)
> specifically logging certain ports, servers, and protocols, 
Logging's not so much use on a single user non-server box; you don't
need it to tell you what you've been doing, and you don't need to see
who's accessing your non-existent servers.

>2) confusing 'hax0rs' (a favorite trick of mine is to use the iptables
>random module to DROP packets 50% of the time and REJECT them 50% of
>the time;  this does some fun stuff to port scanners),
Most of the scans that hit domestic or small site connections are
automated ones, whether worms or just blind scans over IP ranges.
Scripts don't get confused; they either find a vulnerable service they
can access or they don't and just move on.

> 3) fine grained control on packets going in, being forwarded by, and
> leaving your box, 4) NATing, and a whole slew of other things.
> 
Again; not what the OP was after.

To sum up: iptables is a lot like linux as a whole - you can do lots of
really interesting and sometimes useful exotic things with it; but you
don't have to, and if you're running a typical single user desktop you
probably don't want to. The OP was worrying whether or not they needed a
firewall; the flexibility and beauty of the linux networking code
notwithstanding, the short answer is still 'No, not really'.

Ewan
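The two inbound policies argued over in this message (silently DROP, or REJECT with a TCP reset and thereby mimic an unfirewalled closed port) side by side, as an added example that is not part of the thread or of any Ubuntu tool. It prints the kind of minimal IPv4 ruleset the simple desktop firewall GUIs produce, in iptables-restore format; the function and variable names are made up for this illustration, and applying the output assumes root and an iptables-restore binary.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits a minimal single-user
# desktop ruleset in iptables-restore syntax. Nothing is applied unless you
# call apply_ruleset as root.

# desktop_ruleset MODE
#   MODE "drop"   : unsolicited inbound packets vanish (what the GUI tools do;
#                   a scanner sees the port as "filtered")
#   MODE "reject" : unsolicited inbound packets get a TCP RST / ICMP port
#                   unreachable, exactly what an unfirewalled closed port
#                   already does (a scanner sees "closed")
desktop_ruleset() {
    mode="${1:-drop}"
    case "$mode" in
        drop)
            tail='-A INPUT -j DROP'
            ;;
        reject)
            tail='-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable'
            ;;
        *)
            echo "desktop_ruleset: unknown mode '$mode' (use drop|reject)" >&2
            return 1
            ;;
    esac
    # Common part: default-deny inbound, allow loopback, allow replies to
    # connections this box started, allow ping. OUTPUT stays open because a
    # single-user desktop has no reason to police its own outbound traffic.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$tail
COMMIT
EOF
}

# rule_count MODE : number of -A rules in the generated ruleset (handy for
# a quick sanity check before applying anything).
rule_count() {
    desktop_ruleset "$1" | grep -c '^-A '
}

# apply_ruleset MODE : load the ruleset into the kernel. Requires root and
# iptables-restore; replaces the current filter table atomically.
apply_ruleset() {
    desktop_ruleset "$1" | iptables-restore
}

# Stand-alone usage: print both variants for inspection.
if [ "${1:-}" = "--show" ]; then
    echo "# mode: drop";   desktop_ruleset drop
    echo "# mode: reject"; desktop_ruleset reject
fi
```

Note that the "reject" variant only reproduces what the unfirewalled stack does for a closed port, which is the point made above: the difference between the two is what a remote prober sees (a reset versus a timeout), not whether a service on that port is reachable.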