Firewall

dataw0lf digitalsuicide at gmail.com
Thu Aug 4 17:33:38 UTC 2005


Ewan Mac Mahon wrote:

> 
> I understand iptables pretty well, I just don't think that going into
> the nuts and bolts straight away is going to help people that don't know
> whether or not they even need a firewall in the first place. IMHO it
> makes sense to explain the common case first and let people get into
> such a complex topic gradually rather than scaring them off. It's just a
> difference of style, I suppose.

You can explain it right without having to be complex.  Your original
message made no sense whatsoever (to someone who has in-depth knowledge
of networking and security, and to someone who didn't, you're leading
them down the wrong path, IMHO).

> There's no benefit at all in having iptables send out the RSTs over just
> letting the main IP stack do it.

There are numerous benefits to sending ICMP error messages instead of just
dropping packets. Granted, for a general use firewall integrated into
the desktop, it's rather spurious, certainly.


> Quite true. Also fairly irrelevant; whether the server can't start or
> the server can't be contacted it's still not-a-server from the point of
> view of the internet. And firewalling it's a lot less complicated than
> the alternatives.

It's relevant in the fact that you explained it wrong and will end up
confusing people on what the purpose and use of a firewall is.

> Logging's not so much use on a single user non-server box; you don't
> need it to tell you what you've been doing, and you don't need to see
> who's accessing your non-existent servers.

But, you see, that's what users want to see!  That's the whole point of
the 'cooltastic' GUI and so on.  They get that bang for their buck 'Oh,
man, my uber firewall just blocked that hacking attempt!  Sweet!'.
Obviously, you and I might know better.

> Most of the scans that hit domestic or small site connections are
> automated ones, whether worms or just blind scans over IP ranges.
> Scripts don't get confused; they either find a vulnerable service they
> can access or they don't and just move on.

Point taken.  I'm speaking from the perspective of running several large
networks that are constantly hit by focused attacks.

> To sum up: iptables is a lot like linux as a whole - you can do lots of
> really interesting and sometimes useful exotic things with it; but you
> don't have to, and if you're running a typical single user desktop you
> probably don't want to. The OP was worrying whether or not they needed a
> firewall; the flexibility and beauty of the linux networking code not
> withstanding, the short answer is still 'No, not really'.

But I think they do.  Firewalling isn't just for large networks; there
ARE worms that affect Linux/Unix systems, and hackers WILL attempt to
use their boxes as a jumping off point (it's Linux, it's run by a
desktop user, it's perfect for them, both security wise and utility
wise).  They don't care what the box is running at all.  They just want
to grab it up so they can bounce to their next victim.  While a firewall
shouldn't provide a false sense of security, it's better than nothing at
all.

And as Linux grows more and more in the conventional userbase (which it
is; I'm pretty sure you'd agree that 4 or 5 years ago the messages we
receive on this mailing list would be quite rare on a Linux user mailing
list, e.g. simple desktop application usage, etc), spyware, viruses, etc
will become more prevalent on it.  It's better to teach someone NOW
about how to operate one of the simple firewall GUI tools and get them
to grasp basic TCP/IP knowledge, than after they've been hit.

-- 

Joshua Simpson -- dataw0lf.org
Lead Network Administrator/Engineer Aero-Graphics Inc.
jsimpson at aero-graphics.com
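The thread argues about two things a desktop iptables policy can do with unsolicited inbound packets: answer them (REJECT, which sends a TCP RST or an ICMP error) or silently DROP them, and whether logging those packets is worth anything on a single-user box. The script below is an added example written for this page, not code from either poster or from the ubuntu-users list. It generates a minimal stateful desktop ruleset in either mode, with a rate-limited LOG chain in front of the terminal rule so the choice of logging is independent of the choice between DROP and REJECT. It assumes a Linux host with the iptables command and the conntrack and limit match extensions; the chain name FW_LOG, the log prefix and the limit values are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): print or apply a minimal desktop
# iptables ruleset. Rules are only printed unless "apply" is requested,
# so the generator runs without root.
IPT=${IPT:-iptables}

# desktop_rules MODE  (MODE is "reject" or "drop"; default "reject")
# Emits one iptables command per line.
desktop_rules() {
    mode=${1:-reject}
    cat <<EOF
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -N FW_LOG
$IPT -A FW_LOG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-unsolicited: " --log-level 4
$IPT -A FW_LOG -j RETURN
$IPT -A INPUT -j FW_LOG
EOF
    # Terminal rule: what the box says to anything not matched above.
    case "$mode" in
        drop)
            # Silent: the sender sees a timeout, nothing is sent back.
            echo "$IPT -A INPUT -j DROP"
            ;;
        reject)
            # Polite: TCP gets an RST, everything else an ICMP port-unreachable,
            # the same answers a host with no listener would give.
            echo "$IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset"
            echo "$IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable"
            ;;
        *)
            echo "desktop_rules: unknown mode '$mode' (use reject or drop)" >&2
            return 1
            ;;
    esac
}

# apply_rules MODE: feed the generated commands to a shell (needs root).
apply_rules() {
    desktop_rules "$1" | sh -e
}

# Usage: ./fw.sh [reject|drop]   -> print the rules
#        ./fw.sh apply [reject|drop]  -> install them (as root)
if [ "${1:-}" = "apply" ]; then
    apply_rules "${2:-reject}"
else
    desktop_rules "${1:-reject}"
fi
```

Logged entries arrive in the kernel log with the fw-unsolicited: prefix, so a user who wants to see what the firewall turned away can read them with dmesg or the syslog; the limit match keeps a scan from flooding the log. Flushing existing rules and saving the set across reboots are left to the distribution's own tools.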
