securing Ubuntu and firewall
Alan McKinnon
alan at linuxholdings.co.za
Sat Feb 25 16:25:15 UTC 2006
On Saturday, 25 February 2006 06:03, H.S. wrote:
> John Richard Moser wrote:
> > you don't need a firewall unless you installed something nasty.
> > Ubuntu doesn't open ports by default on the outside.
>
> Can somebody else confirm this? I personally don't think that is
> true. When I checked using "iptables -nvL" command on my friend's
> computer, his INCOMING, FORWARD and OUTGOING policies were all
> ACCEPT. The system is relatively a new install of Ubuntu. So it
> appears all ports were actually left open since the installation.
>
> Moreover, I would rather have a firewall no matter if I have "nasty
> programs" (whatever that means) or not. It is just being cautious.
First, we should get our terminology right. The Linux kernel doesn't
implement a firewall, it's a packet filter. So you can't do
intelligent firewalling related to the content of what's in a packet,
you can only ACCEPT or REJECT a packet based on the IP protocol,
port, source/destination address, related to an already accepted
connection, etc.
Running iptables on a workstation with the view to closing all ports
except the few you want open gives you exactly ZERO extra security.
Don't be lulled by the magic word FIREWALL! Ports are open and
accepting connections only if software is running that opened the
connection. So I can send a packet to TCP port 22 on your machine and
if you are not running sshd your kernel will drop the packet. Please
note that this is exactly the behaviour you will get from an iptables
rule. This isn't Windows-land, we don't have a kernel that insists it
must open every port under the sun with no real way to switch it off,
so we don't need
Implementing a real iptables rule set is amazingly hard, way beyond
the abilities of most desktop users (and way beyond the abilities of
many administrators too). In practice what you find happening is that
if sshd is running, then all TCP port 22 traffic is allowed as well.
The second step is redundant and if implemented causes untold amounts
of bug reports and support calls. The far better solution is a tool
that displays running programs and which ports they have opened. If
an unwanted port is open, then stop the service using the port,
remove it from the runlevels, and in the case of KDE/Gnome change the
configuration to not use those ports.
Ubuntu doesn't install a packet filter for all these reasons, it just
doesn't enable any services by default. This is no more and no less
secure than a simple iptables rule set, and a lot easier to manage
with a GUI tool. The one place where it might seem iptables would be
good is to allow say sshd connections only from specified hosts or
networks. But on a workstation this is far easier to do with xinetd
and tcpwrappers.
iptables has its place, as a dedicated firewalling machine on a
gateway, protecting all machines on the LAN behind it. Then you get
extra nice features like NAT and mangling.
Finally, to anyone that says they would like a GUI front-end to
iptables, I recommend you try and implement one. By the time you are
finished you end up with a dialog that is so full of checkboxes and
options you might as well start vi and edit the script by hand. If
you are unlucky you will simply open ports at random to get stuff to
work (and effectively waste your time). If you are lucky, you will
realise what you are up against and reimplement it as a tcp wrappers
front-end which is quite easy to do (see above for why this is a good
idea).
--
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
More information about the ubuntu-users mailing list
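The post argues that the useful check on a workstation is "which programs have opened which ports", not the packet-filter policy. The script below is an added example (not code from the thread or from Ubuntu) of what such a tool does under the hood: it parses the kernel's /proc/net/tcp and /proc/net/tcp6 tables, keeps only sockets in LISTEN state, decodes the hex address/port fields, and, when run on a live Linux box, walks /proc/*/fd to name the owning process. The SAMPLE_TCP and SAMPLE_TCP6 tables are constructed here for illustration, not captured from a real machine; the address decoding assumes a little-endian host, which is what the kernel's host-order formatting implies on x86.

```python
"""List listening TCP sockets from /proc/net/tcp{,6} and name the owning process.

Added example for the ubuntu-users thread on "do I need iptables on a workstation":
a port is reachable only if some process holds a LISTEN socket on it, so the
check that matters is this table, not the filter policy.
"""
import os
import ipaddress
from pathlib import Path

LISTEN = "0A"  # tcp_states value for LISTEN as printed in /proc/net/tcp


def _decode_addr(hex_addr, hex_port, family):
    """Turn the kernel's hex 'ADDR:PORT' fields into (dotted/colon address, int port)."""
    port = int(hex_port, 16)
    if family == 4:
        # IPv4 is printed as one 32-bit word in host order (little-endian on x86)
        addr = ipaddress.IPv4Address(bytes.fromhex(hex_addr)[::-1])
    else:
        # IPv6 is printed as four 32-bit words, each in host order
        raw = b"".join(bytes.fromhex(hex_addr[i:i + 8])[::-1] for i in range(0, 32, 8))
        addr = ipaddress.IPv6Address(raw)
    return str(addr), port


def parse_proc_net_tcp(text, family=4):
    """Return [(local_addr, local_port, inode)] for every row in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], fields[3], fields[9]
        if state != LISTEN:
            continue  # established/closing connections are not "open ports"
        hex_addr, hex_port = local.split(":")
        addr, port = _decode_addr(hex_addr, hex_port, family)
        listeners.append((addr, port, int(inode)))
    return listeners


def inode_to_process(inode, proc="/proc"):
    """Find (pid, comm) holding socket:[inode]; other users' fds need root to read."""
    target = f"socket:[{inode}]"
    for pid_dir in Path(proc).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            for fd in (pid_dir / "fd").iterdir():
                if os.readlink(fd) == target:
                    return int(pid_dir.name), (pid_dir / "comm").read_text().strip()
        except (PermissionError, FileNotFoundError):
            continue  # process exited or belongs to another user
    return None


# Constructed sample tables (not from a real host): CUPS on loopback and sshd on
# all IPv4 addresses, one established connection that must be ignored, and sshd
# on the IPv6 loopback.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:A1B2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""


def live_listeners(proc="/proc"):
    """Read the real tables and attach process names; returns [] off Linux."""
    out = []
    for name, family in (("tcp", 4), ("tcp6", 6)):
        path = Path(proc) / "net" / name
        if not path.exists():
            continue
        for addr, port, inode in parse_proc_net_tcp(path.read_text(), family):
            out.append((addr, port, inode_to_process(inode, proc)))
    return out


if __name__ == "__main__":
    print("sample table:", parse_proc_net_tcp(SAMPLE_TCP), parse_proc_net_tcp(SAMPLE_TCP6, 6))
    for addr, port, owner in live_listeners():
        print(f"{addr}:{port}  <- {owner if owner else 'unknown (run as root to resolve)'}")
```

On the sample tables the parser reports 127.0.0.1:631 and 0.0.0.0:22 from the IPv4 table and [::1]:22 from the IPv6 table, and drops the established connection; on a live system the last loop is the "what is listening, and which program opened it" view the post recommends, after which the fix is to stop and disable the service rather than add a filter rule in front of it.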