Clearing up some security "jargon"

Steve Lamb grey at dmiyu.org
Tue Jun 17 16:40:41 UTC 2008


On Tue, June 17, 2008 9:03 am, Paul Johnson wrote:
> 1. The kernel supplies the iptables service, which is by default,
> always ON in Ubuntu installations, and it blocks incoming connections
> on all ports.

    I do not believe this is correct.  Iptables might be there but it is not
set to DENY by default.  If that were the case every install of Ubuntu
that I have performed in the past year or so would have not been able to
connect on my LAN without any intervention on my part.

> But I'm thinking that is a mis-statement.  The iptables firewall is
> ALWAYS enabled, the iptables service is running unless the user has
> run something to kill it.

    It isn't a service.  They are rules that the packets pass through in the
networking layer of the kernel.  In the example you provided from Fedora
what they are probably doing are saving the rules (iptables-dump?) and
then clearing them so all traffic comes through in the clear.

> 3. Consider Firestarter.  Again, the conversations about this seem
> somewhat misleading.  Firestarter is not "a firewall", it is a tool
> that can open up ports in your pre-existing iptables firewall.
> Firestarter can operate on 2 levels.

    I'm going to break from here.  I think you're confusing the technical
with the vernacular.  Firestarter, Shorewall and several other packages
are indeed firewalls.  They are software which you use to configure what
traffic is or is not allowed onto the box.  Technically speaking they
are configuring the iptables rules which dictate the behavior of that
layer.  So you're right in the sense that they are not providing the
filtering functionality themselves.  On the other hand unless you hand
craft your iptables rules you don't have a firewall, either.

    So yes, technically, Firestarter, Shorewall et al are not "firewalls" in
and of themselves.  Technically the functionality is provided by
iptables.  However iptables isn't a firewall itself.  It is the
application of specific rules to iptables which provides what people
consider a firewall.  Firestarter, et al, provide a front-end for
configuring those rules hence, in layman's understanding, they are
"Firewalls" since without them (and absent handcrafted rules) iptables
would not a firewall make.

-- 
Steve Lamb
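Added example (not part of Steve's or Paul's posts): a POSIX shell script that settles the "is there a default DENY?" question by reading an `iptables-save` dump instead of arguing from whether the LAN still works. The two dumps below are constructed for the example; the first is what a box with no rules and ACCEPT policies looks like (iptables present, but not "a firewall"), the second a handcrafted default-deny ruleset of the kind Firestarter or Shorewall would load. The commented-out save/flush/restore sequence at the end is the save-then-clear step Steve speculates a front-end performs; the real tools are `iptables-save` and `iptables-restore`, and those lines need root on a live system, so they are left as comments and the script runs entirely offline.

```shell
#!/bin/sh
# Classify a box by its filter-table INPUT chain, using iptables-save output.
# Both dumps below are constructed sample data, not captured from a real host.

DUMP_OPEN='# Generated by iptables-save v1.4.0 on Tue Jun 17 16:40:41 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jun 17 16:40:41 2008'

DUMP_FW='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# input_policy DUMP: print the default policy (ACCEPT or DROP) of the filter
# table's INPUT chain. Policies live on the ":CHAIN POLICY [pkts:bytes]" lines.
input_policy() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":INPUT" { print $2; exit }
    '
}

# input_rule_count DUMP: number of rules appended to the filter INPUT chain.
input_rule_count() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "INPUT" { n++ }
        END { print n + 0 }
    '
}

# classify DUMP: "open" means iptables is loaded but nothing is filtered,
# "default-deny" means incoming traffic is dropped unless a rule allows it,
# "rules-only" means some rules exist but unmatched traffic is still accepted.
classify() {
    policy=$(input_policy "$1")
    rules=$(input_rule_count "$1")
    if [ "$policy" = "ACCEPT" ] && [ "$rules" -eq 0 ]; then
        echo open
    elif [ "$policy" = "DROP" ]; then
        echo default-deny
    else
        echo rules-only
    fi
}

# What "turning the firewall off" in a front-end amounts to (needs root on a
# real host; shown as comments so this script stays runnable offline):
#   iptables-save > /root/iptables.backup      # keep the current rules
#   iptables -F && iptables -X                 # flush rules, delete user chains
#   iptables -P INPUT ACCEPT                   # accept-all policies...
#   iptables -P FORWARD ACCEPT
#   iptables -P OUTPUT ACCEPT
#   iptables-restore < /root/iptables.backup   # ...and put them back later

classify "$DUMP_OPEN"   # open
classify "$DUMP_FW"     # default-deny
```

On a real machine, `iptables-save | sh this_script.sh`-style piping would replace the constructed dumps; the point is that the `:INPUT` policy line, not the presence of the iptables binary, is what tells you whether anything is being blocked.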
