securing Ubuntu and firewall

Alan McKinnon alan at linuxholdings.co.za
Sat Feb 25 16:25:15 UTC 2006


On Saturday, 25 February 2006 06:03, H.S. wrote:
> John Richard Moser wrote:
> > you don't need a firewall unless you installed something nasty. 
> > Ubuntu doesn't open ports by default on the outside.
>
> Can somebody else confirm this? I personally don't think that is
> true. When I checked using "iptables -nvL" command on my friend's
> computer, his INCOMING, FORWARD and OUTGOING policies were all
> ACCEPT. The system is relatively a new install of Ubuntu. So it
> appears all ports were actually left open since the installation.
>
> Moreover, I would rather have a firewall no matter if I have "nasty
> programs" (whatever that means) or not. It is just being cautious.

First, we should get our terminology right. The Linux kernel doesn't 
implement a firewall, it's a packet filter. So you can't do 
intelligent firewalling related to the content of what's in a packet, 
you can only ACCEPT or REJECT a packet based on the IP protocol, 
port, source/destination address, related to an already accepted 
connection, etc.

Running iptables on a workstation with the view to closing all ports 
except the few you want open gives you exactly ZERO extra security. 
Don't be lulled by the magic word FIREWALL! Ports are open and 
accepting connections only if software is running that opened the 
connection. So I can send a packet to TCP port 22 on your machine and 
if you are not running sshd your kernel will drop the packet. Please 
note that this is exactly the behaviour you will get from an iptables 
rule. This isn't Windows-land, we don't have a kernel that insists it 
must open every port under the sun with no real way to switch it off, 
so we don't need 

Implementing a real iptables rule set is amazingly hard, way beyond 
the abilities of most desktop users (and way beyond the abilities of 
many administrators too). In practice what you find happening is that 
if sshd is running, then all TCP port 22 traffic is allowed as well. 
The second step is redundant and if implemented causes untold amounts 
of bug reports and support calls. The far better solution is a tool 
that displays running programs and which ports they have opened. If 
an unwanted port is open, then stop the service using the port, 
remove it from the runlevels, and in the case of KDE/Gnome change the 
configuration to not use those ports.

Ubuntu doesn't install a packet filter for all these reasons, it just 
doesn't enable any services by default. This is no more and no less 
secure than a simple iptables rule set, and a lot easier to manage 
with a GUI tool. The one place where it might seem iptables would be 
good is to allow say sshd connections only from specified hosts or 
networks. But on a workstation this is far easier to do with xinetd 
and tcpwrappers.

iptables has its place, as a dedicated firewalling machine on a 
gateway, protecting all machines on the LAN behind it. Then you get 
extra nice features like NAT and mangling.

Finally, to anyone that says they would like a GUI front-end to 
iptables, I recommend you try and implement one. By the time you are 
finished you end up with a dialog that is so full of checkboxes and 
options you might as well start vi and edit the script by hand. If 
you are unlucky you will simply open ports at random to get stuff to 
work (and effectively waste your time). If you are lucky, you will 
realise what you are up against and reimplement it as a tcp wrappers 
front-end which is quite easy to do (see above for why this is a good 
idea).

-- 
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
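The check the post recommends, listing which program has opened which port and flagging anything unexpected, as an added shell example that is not part of the original message. It assumes `ss -tlnp` (iproute2) output; the sample below is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit listening TCP sockets
# against an allowlist of expected services, i.e. look at what is open and
# stop the service, rather than layering iptables rules on top of it.
# On a live host feed real output in: ss -tlnp | unexpected_listeners

# Constructed sample standing in for `ss -tlnp` output.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*   users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*   users:(("cupsd",pid=640,fd=7))
LISTEN 0      50     0.0.0.0:5900       0.0.0.0:*   users:(("x11vnc",pid=2210,fd=4))'

# Ports we expect to be reachable from other hosts (space separated).
ALLOWED_PORTS="22"

# list_listeners: print "port process" for every socket bound to a
# non-loopback address. Reads ss-style output on stdin.
list_listeners() {
    awk 'NR > 1 && $1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: skip
        proc = "?"
        if (match($6, /\("[^"]+"/)) proc = substr($6, RSTART + 2, RLENGTH - 3)
        print port, proc
    }'
}

# unexpected_listeners: print listeners whose port is not in ALLOWED_PORTS.
# Anything printed here is a service to stop and remove from the runlevels.
unexpected_listeners() {
    list_listeners | while read -r port proc; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "$port $proc" ;;
        esac
    done
}

# audit_sample: run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
}
```

For the case the post mentions, restricting sshd to chosen hosts, tcpwrappers does it with a single `sshd: <network>` line in `/etc/hosts.allow` and `sshd: ALL` in `/etc/hosts.deny`, no packet filter needed.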