Clearing up some security "jargon"

Paul Johnson pauljohn32 at gmail.com
Tue Jun 17 16:03:08 UTC 2008


Today appears to be my day to try to clear up my list of New Ubuntu
User questions.  Sorry to litter your mailbox, but I think these are
good questions (humble, yes, but manly too :) )

I'm backtracking to try to understand more clearly what "ufw"
"firestarter" and iptables do.  I've been reading so many posts and
documents about this, and I've reached the conclusion that most people
don't really understand what they are talking about.

Here's what I think is correct.

1. The kernel supplies the iptables service, which is by default,
always ON in Ubuntu installations, and it blocks incoming connections
on all ports.

There is no need to "turn on" a firewall.  There is a system-wide
firewall already.

If one installs a package such as openssh-server, it would like to
receive messages on port 22, but they will not be allowed unless the
user takes some action to allow that connection into the machine.

2. Consider the package "ufw", a tool that some people say can
enable/disable a "firewall". But it doesn't really do that. It can
tell the kernel iptables framework what special settings to use in
administering the iptables service.  ufw is not really a "firewall",
rather, it is a pretty simple tool to set rules for iptables.  In ufw,

 https://wiki.ubuntu.com/UbuntuFirewall

It says one can "turn the firewall on and off"

sudo ufw enable

But I'm thinking that is a mis-statement.  The iptables firewall is
ALWAYS enabled, the iptables service is running unless the user has
run something to kill it.  In Fedora, one would kill it by
"/sbin/service iptables stop".  In Ubuntu, I don't find a convenient
way to stop iptables.  It might be better to say the "exceptions to
the security policy configured in the ufw framework are activated"
when you run "ufw enable".

Right?

If I type "ufw disable" I'm not actually disabling the iptables
framework, am I? I'm turning off the exceptions created by ufw.

Right?

3. Consider Firestarter.  Again, the conversations about this seem
somewhat misleading.  Firestarter is not "a firewall", it is a tool
that can open up ports in your pre-existing iptables firewall.
Firestarter can operate on 2 levels.

1. Run firewall as root (sudo firestarter) and make configuration
changes in system-wide policies.  Allow in port 22 for ssh.  This will
apply for all users.  After you close that up, firestarter does the
same thing that ufw will do, it will tell the iptables framework to
allow in connections on port 22.

2. If you run sudo firewall and leave the gui open, it can serve this
second role as a "personal firewall", which I gather is a MS Windows
concept.  Here, the firestarter graphical interface is running all the
time, monitoring the iptables firewall, and so when efforts are made
to open ports, the "blocked" programs and IP addresses appear in the
little window.  Since you are running as root (sudo), you have the
power to let those people/programs in.  This is a "personal firewall"
in the sense that you are letting the connections in only for that one
user, not for all users on the system.

Well, this may seem pedantic, but it is important to me to really
understand this because I'm about to convert a lot of machines from
Fedora to Ubuntu.


-- 
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas
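Whether unsolicited inbound traffic is actually blocked is decided by the INPUT chain's policy and the ACCEPT rules loaded into iptables, both of which `iptables -S` prints. The script below is an added example (not part of the original message or of ufw itself) that parses that output and reports the policy and the TCP ports explicitly opened; the two rule listings it contains are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): read `iptables -S` output and
# report whether the INPUT chain drops unsolicited inbound packets by default,
# plus which TCP ports have an explicit ACCEPT rule (ufw writes rules such as
# "ufw allow 22/tcp" into its ufw-user-input chain).
# On a live system run:  report "$(sudo iptables -S)"

# Policy of the INPUT chain: "-P INPUT DROP" means packets matching no ACCEPT
# rule are dropped; "-P INPUT ACCEPT" means nothing is blocked by default.
input_policy() {
    printf '%s\n' "$1" | awk '$1=="-P" && $2=="INPUT" {print $3}'
}

# TCP destination ports that have an explicit ACCEPT rule, sorted, one line.
accepted_tcp_ports() {
    printf '%s\n' "$1" | awk '
        /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1)
        }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: a host with no rule set loaded at all.
SAMPLE_NO_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample, trimmed: after "ufw enable", "ufw allow 22/tcp", "ufw allow 80/tcp".
SAMPLE_UFW='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-reject-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT'

report() {
    printf 'INPUT policy: %s\n' "$(input_policy "$1")"
    printf 'TCP ports explicitly accepted: %s\n' "$(accepted_tcp_ports "$1")"
}

report "$SAMPLE_NO_RULES"
report "$SAMPLE_UFW"
```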
