Clearing up some security "jargon"

Wade Smart wadesmart at gmail.com
Tue Jun 17 16:18:43 UTC 2008


20080614 1115 GMT-6

Paul, I'm glad you're getting into this because this has been confusing to me ever
since moving to Ubuntu.

Your explanation seems to fit what I have observed: when I start Firestarter so
I can easily open or close a port, if I close Firestarter the port remains open,
and if I forget to start Firestarter I notice the port isn't open. So a firewall
seems to be working all the time no matter what.

I'm not good on the command line, so I like GUI apps. Firestarter is easy for me to
use in my simple situations.

Thanks for going through the trouble.

Wade


Paul Johnson wrote:
> Today appears to be my day to try to clear up my list of New Ubuntu
> User questions.  Sorry to litter your mailbox, but I think these are
> good questions (humble, yes, but manly too :) )
> 
> I'm backtracking to try to understand more clearly what "ufw"
> "firestarter" and iptables do.  I've been reading so many posts and
> documents about this, and I've reached the conclusion that most people
> don't really understand what they are talking about.
> 
> Here's what I think is correct.
> 
> 1. The kernel supplies the iptables service, which is, by default,
> always ON in Ubuntu installations, and it blocks incoming connections
> on all ports.
> 
> There is no need to "turn on" a firewall.  There is a system-wide
> firewall already.
> 
> If one installs a package such as openssh-server, it would like to
> receive messages on port 22, but they will not be allowed unless the
> user takes some action to allow that connection into the machine.
> 
> 2. Consider the package "ufw", a tool that some people say can
> enable/disable a "firewall". But it doesn't really do that. It can
> tell the kernel iptables framework what special settings to use in
> administering the iptables service.  ufw is not really a "firewall",
> rather, it is a pretty simple tool to set rules for iptables.  In ufw,
> 
>  https://wiki.ubuntu.com/UbuntuFirewall
> 
> It says one can "turn the firewall on and off"
> 
> sudo ufw enable
> 
> But I'm thinking that is a mis-statement.  The iptables firewall is
> ALWAYS enabled, the iptables service is running unless the user has
> run something to kill it.  In Fedora, one would kill it by
> "/sbin/service iptables stop".  In Ubuntu, I don't find a convenient
> way to stop iptables.  It might be better to say the "exceptions to
> the security policy configured in the ufw framework are activated"
> when you run "ufw enable".
> 
> Right?
> 
> If I type "ufw disable" I'm not actually disabling the iptables
> framework, am I? I'm turning off the exceptions created by ufw.
> 
> Right?
> 
> 3. Consider Firestarter.  Again, the conversations about this seem
> somewhat misleading.  Firestarter is not "a firewall", it is a tool
> that can open up ports in your pre-existing iptables firewall.
> Firestarter can operate on 2 levels.
> 
> 1. Run firewall as root (sudo firestarter) and make configuration
> changes in system-wide policies.  Allow in port 22 for ssh.  This will
> apply for all users.  After you close that up, firestarter does the
> same thing that ufw will do, it will tell the iptables framework to
> allow in connections on port 22.
> 
> 2. If you run sudo firewall and leave the gui open, it can serve this
> second role as a "personal firewall", which I gather is a MS Windows
> concept.  Here, the firestarter graphical interface is running all the
> time, monitoring the iptables firewall, and so when efforts are made
> to open ports, the "blocked" programs and IP addresses appear in the
> little window.  Since you are running as root (sudo), you have the
> power to let those people/programs in.  This is a "personal firewall"
> in the sense that you are letting the connections in only for that one
> user, not for all users on the system.
> 
> Well, this may seem pedantic, but it is important to me to really
> understand this because I'm about to convert a lot of machines from
> Fedora to Ubuntu.
> 
> 
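The checks below are an added example written for this archive page; they are not from Wade's or Paul's messages and are not part of ufw or Firestarter. They parse the rule dump that `iptables -S` prints (iptables-save syntax) so the question in the thread, whether a packet filter is actually in force and whether port 22 is let through, can be answered from the kernel's own state rather than from what a front end reports. The two dumps are constructed samples, not captures from a real host: the first is what a stock Ubuntu install of that era shows, three ACCEPT policies and no rules at all, which means nothing is filtered until a tool such as ufw or Firestarter loads rules; the second is a trimmed version of the tables after `ufw enable` and `ufw allow 22/tcp`, where the INPUT policy is DROP and an explicit rule accepts port 22. `ufw disable` flushes those rules and restores the ACCEPT policies, which is why that command pair really does turn filtering on and off. The reachability helper only combines the chain policy with an explicit ACCEPT rule; it does not walk the chains in order, so a DROP rule placed ahead of the ACCEPT would not be noticed.

```shell
#!/bin/sh
# Added example, not code from the thread, ufw or Firestarter: classify a
# host's packet-filter state from `iptables -S` output (iptables-save rule
# syntax). Both rule dumps below are constructed samples, not real captures.

# Stock Ubuntu with no firewall tool enabled: three ACCEPT policies, no rules.
STOCK_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# After `ufw enable` and `ufw allow 22/tcp`, trimmed to the lines that matter
# (a real dump carries many more ufw-* chain entries).
UFW_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-input
-N ufw-user-input
-A INPUT -j ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT'

# chain_policy RULES CHAIN: print the built-in policy (ACCEPT/DROP) of CHAIN.
chain_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" \
        '$1 == "-P" && $2 == chain { print $3; exit }'
}

# port_allowed RULES PORT [PROTO]: exit 0 if some rule explicitly ACCEPTs
# traffic to PORT/PROTO (PROTO defaults to tcp). The trailing space in the
# needle keeps "--dport 22 " from matching "--dport 220".
port_allowed() {
    printf '%s\n' "$1" | awk -v port="$2" -v proto="${3:-tcp}" '
        $1 == "-A" && index($0, "-p " proto " ") &&
        index($0, "--dport " port " ") && $NF == "ACCEPT" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# port_reachable RULES PORT [PROTO]: say why new connections to PORT get in,
# or that they are blocked. Approximation: policy plus explicit ACCEPT only;
# chain order and earlier DROP rules are not evaluated.
port_reachable() {
    if port_allowed "$1" "$2" "$3"; then
        echo allowed-by-rule
    elif [ "$(chain_policy "$1" INPUT)" = ACCEPT ]; then
        echo allowed-by-policy
    else
        echo blocked
    fi
}

# report LABEL RULES: one-line summary for ssh (22) and smtp (25).
report() {
    printf '%s: INPUT policy=%s, port 22=%s, port 25=%s\n' "$1" \
        "$(chain_policy "$2" INPUT)" \
        "$(port_reachable "$2" 22)" \
        "$(port_reachable "$2" 25)"
}

report "stock install" "$STOCK_RULES"
report "ufw enabled, allow 22/tcp" "$UFW_RULES"
# On a live host, replace the samples with the kernel's own state:
#   rules=$(sudo iptables -S); report live "$rules"
```

Run it as-is to see the two summaries; on a real machine, feed it `sudo iptables -S` (or `sudo iptables-save`, which uses the same rule syntax plus table headers) to see what Firestarter or ufw actually left in the kernel after you closed their window.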
