Firewall

Ewan Mac Mahon ewan at macmahon.me.uk
Thu Aug 4 18:28:36 UTC 2005


On Thu, Aug 04, 2005 at 11:33:38AM -0600, dataw0lf wrote:
> Ewan Mac Mahon wrote:
> 
> > IMHO it makes sense to explain the common case first and let people
> > get into such a complex topic gradually rather than scaring them
> > off. It's just a difference of style, I suppose.
> 
> You can explain it right without having to be complex.  Your original
> message made no sense whatsoever (to someone who has indepth knowledge
> of networking and security, and to someone who didn't, you're leading
> them down the wrong path, IMHO).
>
I've reread it, and while I'll agree that saying that a firewall would
'stop users starting servers' isn't true, I'd stand by the rest of it;
even that's mainly a matter of poor phrasing, a correct version might
be: 'stop users starting servers that can be seen from outside'.
 
> > There's no benefit at all in having iptables send out the RSTs over
> > just letting the main IP stack do it.
> 
> There's numerous benefits to sending ICMP error messages instead of just
> dropping packets. 
Arguable; but not what I said; my point was that if you do want to send
a reset it doesn't matter whether you have a firewall do it or just let
the default closed port behavior do it.

> > Quite true. Also fairly irrelevant; whether the server can't start
> > or the server can't be contacted it's still not-a-server from the
> > point of view of the internet. And firewalling it's a lot less
> > complicated than the alternatives.
> 
> It's relevant in the fact that you explained it wrong and will end up
> confusing people on what the purpose and use of a firewall is.
>
Fair enough, I suppose; I did oversimplify that bit.
 
> > Logging's not so much use on a single user non-server box; you don't
> > need it to tell you what you've been doing, and you don't need to see
> > who's accessing your non-existent servers.
> 
> But, you see, that's what users want to see!  That's the whole point of
> the 'cooltastic' GUI and so on.  They get that bang for their buck 'Oh,
> man, my uber firewall just blocked that hacking attempt!  Sweet!'.
> Obviously, you and I might know better.
> 
And now we can teach them to know better too :-) My take on this is
similar to when people ask about running virus scanners on Linux; there
are a number of reasons why you might want to, but they largely boil
down to linux servers protecting Windows clients. A lot of users come
from a Windows desktop background to a Linux desktop and having had the
necessity of AV, anti-spyware, firewalling etc. drummed into them are
concerned that their new linux system is horribly insecure because it
doesn't have those things. I think the best thing is to tell them that
they can relax because the reason it doesn't have them is because more
or less it doesn't need them.

> > To sum up: iptables is a lot like linux as a whole - you can do lots of
> > really interesting and sometimes useful exotic things with it; but you
> > don't have to, and if you're running a typical single user desktop you
> > probably don't want to. The OP was worrying whether or not they needed a
> > firewall; the flexibility and beauty of the linux networking code
> > notwithstanding, the short answer is still 'No, not really'.
> 
> But I think they do.  Firewalling isn't just for large networks;  There
> ARE worms that affect Linux/Unix systems, and hackers WILL attempt to
> use their boxes as a jumping off point (it's Linux, it's run by a
> desktop user, it's perfect for them, both security wise and utility
> wise).
Yes and no; I agree entirely that a vulnerable home box is a worthwhile
target, but in the specific case of an Ubuntu default install there are
no listeners. The only way such a machine can be compromised remotely is
by a bug in the kernel networking code, which is pretty unlikely in the
first place, and firewalling in the kernel (probably) isn't going to
avoid that. Indeed using iptables involves more and more complex code in
handling incoming packets than not using it, so arguably it increases
the exposure. If on the other hand the user has installed a server then
they're going to have to open a hole in the firewall for it in any case
(yes they could use iptables to only open it up to certain IPs or
somesuch, but I don't get the impression that the OP was in this sort of
position).

I'm arguing on the assumption that we're talking about a basic
everything allowed out, established & related allowed in firewall. On a
system with no listening servers that's pretty much the same as no
firewall at all; I'd be interested to know what sort of rules you think
would be good for a basic desktop box.

> And as Linux grows more and more in the conventional userbase (which
> it is; I'm pretty sure you'd agree that 4 or 5 years ago the messages
> we receive on this mailing list would be quite rare on a Linux user
> mailing list, e.g. simple desktop application usage, etc), 
Indeed. In the time I've been using it it's gone from techy toy, to
techy desktop, to ordinary user desktop. It's been quite amazing to
watch.

>spyware, viruses, etc will become more prevalent on it.
I'm not sure that it's going to happen, but it's certainly a worry. The
Firefox extensions mechanism in particular looks like a likely route;
given how easy it seems to be to get Windows users to install any old
themes, toolbars and what-not the only defense against that on Linux is
educating the users not to be so daft. Firewalling in particular isn't
going to stop that sort of thing since it tends to assume that if the
user asks for something they actually want it.

>It's better to teach someone NOW about how to operate one of the simple
>firewall GUI tools and get them to grasp basic TCP/IP knowledge, than
>after they've been hit.
> 
In an ideal world, but a lot of users don't want to get any further into
it than the XP security centre; "Have you got AV, anti-spyware and a
firewall? Yes. Are they any good? Who knows, who cares.". Porting that
box ticking mentality that says if you've got a firewall you're
protected and safe across to Linux isn't going to help. That said it's
not clear what would.

Ewan
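Added example, not part of the thread: Ewan's argument rests on the box having "no listeners", which is worth checking rather than assuming. The parser below reads the kernel's /proc/net/tcp and /proc/net/tcp6 tables and separates loopback-only listeners from ones reachable from outside; the sample tables are constructed, and the little-endian word layout assumed is the one x86/ARM Linux uses.

```python
import socket
import struct

LISTEN = "0A"  # kernel TCP state code for LISTEN in /proc/net/tcp*

# Constructed sample tables: CUPS on loopback, sshd on all interfaces,
# and one established outbound connection (not a listener).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0201A8C0:B3CA 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1236 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 100 0 0 10 0
"""

def _parse_addr(hexaddr, family):
    """Turn a '0100007F:0016' field into ('127.0.0.1', 22)."""
    host, port = hexaddr.split(":")
    raw = bytes.fromhex(host)
    if family == socket.AF_INET:
        packed = raw[::-1]                      # one 32-bit word, host byte order
    else:
        # four 32-bit words, each in host byte order; re-pack as network order
        packed = struct.pack(">IIII", *struct.unpack("<IIII", raw))
    return socket.inet_ntop(family, packed), int(port, 16)

def listeners(text, ipv6=False):
    """Return [(ip, port)] for every LISTEN socket in a /proc/net/tcp dump."""
    family = socket.AF_INET6 if ipv6 else socket.AF_INET
    found = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == LISTEN:
            found.append(_parse_addr(fields[1], family))
    return found

def exposed(listens):
    """Loopback-bound listeners can't be reached from the network; the rest
    contradict the 'no listeners, so the firewall changes nothing' reasoning."""
    return [(ip, p) for ip, p in listens if not (ip.startswith("127.") or ip == "::1")]

if __name__ == "__main__":
    # On a real Linux box, read the kernel's own tables instead of the samples.
    for path, v6 in (("/proc/net/tcp", False), ("/proc/net/tcp6", True)):
        try:
            with open(path) as f:
                print(path, exposed(listeners(f.read(), ipv6=v6)))
        except OSError:
            print(path, "not available")
```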
