Clearing up some security "jargon"

Derek Broughton news at pointerstop.ca
Tue Jun 17 16:42:25 UTC 2008


Paul Johnson wrote:

> Here's what I think is correct.
> 
> 1. The kernel supplies the iptables service, which is by default,
> always ON in Ubuntu installations, and it blocks incoming connections
> on all ports.

No.  I believe the default iptables config is:
# sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

That is, nothing...  By default, Ubuntu has no externally accessible
services.

> There is no need to "turn on" a firewall.  There is a system-wide
> firewall already.

So, no...
> 
> If one installs a package such as openssh-server, it would like to
> receive messages on port 22, but they will not be allowed unless the
> user takes some action to allow that connection into the machine.

No.  If you install openssh-server, you should be able to use it
immediately.

> 2. Consider the package "ufw", a tool that some people say can
> enable/disable a "firewall". But it doesn't really do that. It can
> tell the kernel iptables framework what special settings to use in
> administering the iptables service.  ufw is not really a "firewall",
> rather, it is a pretty simple tool to set rules for iptables.  In ufw,

That pretty well defines _all_ Linux firewall tools, but it _does_
enable/disable the firewall, because the default for iptables is "off".

> It says one can "turn the firewall on and off"
> 
> sudo ufw enable
> 
> But I'm thinking that is a mis-statement.  The iptables firewall is
> ALWAYS enabled, the iptables service is running unless the user has
> run something to kill it.  In Fedora, one would kill it by
> "/sbin/service iptables stop". 

I don't think so - all _that_ does, on the systems where I've had it, is
turn off all the iptables rules.  The iptables filtering would be disabled
completely by "sudo rmmod ip_tables", but nobody would want to do that...

> In Ubuntu, I don't find a convenient 
> way to stop iptables.  

# sudo ufw disable

> It might be better to say the "exceptions to 
> the security policy configured in the ufw framework are activated"
> when  you run "ufw enable".
> 
> Right?
> 
> If I type "ufw disable" I'm not actually disabling the iptables
> framework, am I? I'm turning off the exceptions created by ufw.

Does it matter?

> 3. Consider Firestarter.  

OK, I will - it seems to have gained a bunch of functionality since I last
considered it.

> Well, this may seem pedantic, but it is important to me to really
> understand this because I'm about to convert a lot of machines from
> Fedora to Ubuntu.

It's the same software, sometimes with different front-end commands.  It
will make _no_ difference to the way the firewall works.  
-- 
derek
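To make the point in the reply above concrete (a chain with "policy ACCEPT" and no rules filters nothing, and flushing rules is not the same as removing filtering), here is an added shell example that is not from the thread: it classifies `iptables -L` output per chain. Both rulesets are constructed samples; the second is an abbreviated sketch of a host with a deny policy such as `ufw enable` produces, not real ufw output.

```shell
#!/bin/sh
# Assumes the plain `iptables -L` layout (filter table): a "Chain NAME (policy P)"
# header, a "target prot opt ..." column line, then one line per rule.

# Constructed sample: the default empty ruleset quoted in the thread.
EMPTY_RULESET='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed, abbreviated sample of a host with a deny-by-default INPUT chain
# (hypothetical; real ufw output carries many more ufw-* chains).
DENY_RULESET='Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# chain_state CHAIN: reads `iptables -L` output on stdin and prints "open" when
# CHAIN has policy ACCEPT and no rules (nothing is filtered), else "filtered".
# Exit status 1 if the chain does not appear at all.
chain_state() {
    awk -v want="$1" '
        /^Chain / {
            inchain = ($2 == want)
            if (inchain) { found = 1; policy = $4; sub(/\)$/, "", policy); rules = 0 }
            next
        }
        inchain && /^target/ { next }      # column header, not a rule
        inchain && NF > 0   { rules++ }    # any other non-blank line is a rule
        END {
            if (!found) exit 1
            state = (policy == "ACCEPT" && rules == 0) ? "open" : "filtered"
            print state
        }'
}

# firewall_effective: "on" if any built-in filter chain actually filters, else "off".
firewall_effective() {
    ruleset=$(cat)
    for c in INPUT FORWARD OUTPUT; do
        [ "$(printf '%s\n' "$ruleset" | chain_state "$c")" = "filtered" ] && { echo on; return 0; }
    done
    echo off
}
```

On a live host, `sudo iptables -L | firewall_effective` answers "is anything being blocked right now?" regardless of which front end (ufw, Firestarter, a distro init script) wrote the rules.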
