Firewall

dataw0lf digitalsuicide at gmail.com
Thu Aug 4 18:55:00 UTC 2005


Ewan Mac Mahon wrote:

> Arguable; but not what I said; my point was that if you do want to send
> a reset it doesn't matter whether you have a firewall do it or just let
> the default closed port behavior do it.

I'm talking icmp error messages here.  Check --reject-with in the
iptables man page.

> And now we can teach them to know better too :-) My take on this is
> similar to when people ask about running virus scanners on Linux; there
> are a number of reasons why you might want to, but they largely boil
> down to linux servers protecting Windows clients. A lot of users come
> from a Windows desktop background to a Linux desktop and having had the
> necessity of AV, anti-spyware, firewalling etc. drummed into them are
> concerned that their new linux system is horribly insecure because it
> doesn't have those things. I think the best thing is to tell them that
> they can relax because the reason it doesn't have them is because more
> or less it doesn't need them.

Well, after seeing Bruce Potter's painful yet informative talks at
BlackHat and DefCon regarding Linux security this year, I could probably
make an argument against Linux security ;) (not that I'd want to)

> I'm arguing on the assumption that we're talking about a basic
> everything allowed out, established & related allowed in firewall. On a
> system with no listening servers that's pretty much the same as no
> firewall at all; I'd be interested to know what sort of rules you think
> would be good for a basic desktop box.

I'm actually working on those in tandem with my next Networking HOWTO on
the Forums.  I'll privately email you the link when I'm finished.

> I'm not sure that it's going to happen, but it's certainly a worry. The
> Firefox extensions mechanism in particular looks like a likely route;
> given how easy it seems to be to get Windows users to install any old
> themes, toolbars and what-not the only defense against that on Linux is
> educating the users not to be so daft. Firewalling in particular isn't
> going to stop that sort of thing since it tends to assume that if the
> user asks for something they actually want it.

Think outgoing traffic.


> In an ideal world, but a lot of users don't want to get any further into
> it than the XP security centre; "Have you got AV, anti-spyware and a
> firewall? Yes. Are they any good? Who knows, who cares.". Porting that
> box ticking mentality that says if you've got a firewall you're
> protected and safe across to Linux isn't going to help. That said it's
> not clear what would.

I never said anything of the sort.  However, a firewall is a part
of most any security plan (desktop clients or servers, Windows or Unix,
etc).

-- 

Joshua Simpson -- dataw0lf.org
Lead Network Administrator/Engineer Aero-Graphics Inc.
jsimpson at aero-graphics.com
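As an added example (not from this thread or either poster): a POSIX shell sketch of the basic desktop policy being debated above, everything allowed out and established/related allowed in, using --reject-with so refused packets get an ICMP error or TCP reset instead of a silent timeout, plus an outbound allow-list for the "think outgoing traffic" point. It assumes iptables with the state match; IPT is an assumed variable so the rules can be printed instead of applied.

```shell
#!/bin/sh
# Added example: a minimal desktop iptables policy of the kind discussed
# in the thread. IPT defaults to iptables; set it to a function that
# prints its arguments to dry-run the rules without touching the kernel.
IPT="${IPT:-iptables}"

# Clear existing rules and user chains before loading the policy.
flush_rules() {
    $IPT -F
    $IPT -X
}

# Inbound: loopback and replies to our own connections only. Everything
# else is refused with --reject-with, so the sender sees a closed port
# (TCP reset or ICMP port-unreachable) rather than a hang.
inbound_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Outbound, permissive: the "everything allowed out" baseline.
outbound_permissive() {
    $IPT -P OUTPUT ACCEPT
}

# Outbound, restricted: only the listed TCP ports (plus DNS) may open new
# connections; anything else is logged and rejected. This is the part
# that notices software phoning home without the user asking for it.
outbound_restricted() {
    $IPT -P OUTPUT DROP
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        $IPT -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -j LOG --log-prefix "OUTBOUND-REJECT: "
    $IPT -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
}
```

Run as root with `flush_rules; inbound_policy; outbound_permissive` for the baseline, or `outbound_restricted 80 443` in place of the permissive function for the allow-list variant.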




More information about the ubuntu-users mailing list