Clearing up some security "jargon"
Wade Smart
wadesmart at gmail.com
Tue Jun 17 16:18:43 UTC 2008
20080614 1115 GMT-6
Paul, I'm glad you're getting into this because this has been confusing to me ever
since moving to Ubuntu.
Your explanation seems to fit what I have observed: when I start firestarter so
I can easily open or close a port, if I close firestarter the port remains open,
and if I forget to start firestarter I notice the port isn't open. So a firewall
seems to be working all the time no matter what.
I'm not good on the cmd line so I like gui apps. Firestarter is easy for me to
use in my simple situations.
Thanks for going through the trouble.
Wade
Paul Johnson wrote:
> Today appears to be my day to try to clear up my list of New Ubuntu
> User questions. Sorry to litter your mailbox, but I think these are
> good questions (humble, yes, but manly too :) )
>
> I'm backtracking to try to understand more clearly what "ufw"
> "firestarter" and iptables do. I've been reading so many posts and
> documents about this, and I've reached the conclusion that most people
> don't really understand what they are talking about.
>
> Here's what I think is correct.
>
> 1. The kernel supplies the iptables service, which is, by default,
> always ON in Ubuntu installations, and it blocks incoming connections
> on all ports.
>
> There is no need to "turn on" a firewall. There is a system-wide
> firewall already.
>
> If one installs a package such as openssh-server, it would like to
> receive messages on port 22, but they will not be allowed unless the
> user takes some action to allow that connection into the machine.
>
> 2. Consider the package "ufw", a tool that some people say can
> enable/disable a "firewall". But it doesn't really do that. It can
> tell the kernel iptables framework what special settings to use in
> administering the iptables service. ufw is not really a "firewall",
> rather, it is a pretty simple tool to set rules for iptables. In ufw,
>
> https://wiki.ubuntu.com/UbuntuFirewall
>
> It says one can "turn the firewall on and off"
>
> sudo ufw enable
>
> But I'm thinking that is a mis-statement. The iptables firewall is
> ALWAYS enabled, the iptables service is running unless the user has
> run something to kill it. In Fedora, one would kill it by
> "/sbin/service iptables stop". In Ubuntu, I don't find a convenient
> way to stop iptables. It might be better to say the "exceptions to
> the security policy configured in the ufw framework are activated"
> when you run "ufw enable".
>
> Right?
>
> If I type "ufw disable" I'm not actually disabling the iptables
> framework, am I? I'm turning off the exceptions created by ufw.
>
> Right?
>
> 3. Consider Firestarter. Again, the conversations about this seem
> somewhat misleading. Firestarter is not "a firewall", it is a tool
> that can open up ports in your pre-existing iptables firewall.
> Firestarter can operate on 2 levels.
>
> 1. Run firewall as root (sudo firestarter) and make configuration
> changes in system-wide policies. Allow in port 22 for ssh. This will
> apply for all users. After you close that up, firestarter does the
> same thing that ufw will do, it will tell the iptables framework to
> allow in connections on port 22.
>
> 2. If you run sudo firewall and leave the gui open, it can serve this
> second role as a "personal firewall", which I gather is a MS Windows
> concept. Here, the firestarter graphical interface is running all the
> time, monitoring the iptables firewall, and so when efforts are made
> to open ports, the "blocked" programs and IP addresses appear in the
> little window. Since you are running as root (sudo), you have the
> power to let those people/programs in. This is a "personal firewall"
> in the sense that you are letting the connections in only for that one
> user, not for all users on the system.
>
> Well, this may seem pedantic, but it is important to me to really
> understand this because I'm about to convert a lot of machines from
> Fedora to Ubuntu.
>
>
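The thread turns on one question: whether the kernel packet filter is actually blocking anything at a given moment, independent of whether ufw is "enabled" or a Firestarter window is open. That is decided by two things in the INPUT chain, its default policy (`-P INPUT ACCEPT` or `-P INPUT DROP`) and whatever rules have been loaded into it. The script below is an added example, not code from either poster or from the ufw or Firestarter projects: it classifies an `iptables -S` style rule dump as "open" (ACCEPT policy, no rules, so every incoming port is reachable), "closed" (DROP policy, no rules), or "filtered" (rules present, so the rules decide), and lists TCP ports explicitly accepted by any rule. The three rule dumps are constructed samples; on a real host you would feed it the output of `sudo iptables -S` instead. The chain name `ufw-user-input` in the third sample is modelled on the chains ufw creates, but the rules themselves are invented for the example.

```shell
#!/bin/sh
# Added example: read a dump in `iptables -S` format and report whether
# the INPUT chain is really blocking incoming connections.
# Constructed sample dumps (not captured from a real machine):

SAMPLE_UNFILTERED=$(cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
EOF
)

SAMPLE_DEFAULT_DENY=$(cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
EOF
)

# Modelled on the shape of a ufw-managed ruleset; rules are invented.
SAMPLE_UFW_LIKE=$(cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-user-input
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
EOF
)

# input_chain_state DUMP -> prints open | closed | filtered
#   open     : policy ACCEPT and no rules, nothing is blocked
#   closed   : policy DROP and no rules, everything incoming is blocked
#   filtered : rules are loaded, the rules (not the bare policy) decide
input_chain_state() {
    policy=$(printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }')
    rules=$(printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "INPUT" { n++ } END { print n + 0 }')
    if [ "$rules" -gt 0 ]; then
        echo filtered
    elif [ "$policy" = "DROP" ]; then
        echo closed
    else
        echo open
    fi
}

# accepted_tcp_ports DUMP -> prints the TCP destination ports that some
# rule in any chain explicitly accepts, space separated (empty if none).
accepted_tcp_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && / -p tcp/ && /--dport/ && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") printf "%s ", $(i + 1)
        }' | sed 's/ $//'
}

# Stand-alone run: summarise each constructed sample.
for name in SAMPLE_UNFILTERED SAMPLE_DEFAULT_DENY SAMPLE_UFW_LIKE; do
    eval "dump=\$$name"
    printf '%-20s state=%-8s accepted tcp ports: %s\n' \
        "$name" "$(input_chain_state "$dump")" "$(accepted_tcp_ports "$dump")"
done
```

The useful habit this encodes: check the ruleset itself (`sudo iptables -S`, or `sudo ufw status verbose` on a ufw host) rather than inferring the firewall state from whether a front-end is running. A chain whose policy is ACCEPT with no rules loaded passes every packet, whatever tool was last used to manage it.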