Dax Solomon Umaming
knightlust at ubuntu.com
Fri Oct 17 08:32:42 UTC 2008
Here's a good explanation (or argument) on whether you need to configure
Yes, by default there are no iptables rules set and everything is allowed
to leave or enter the IP stack. On the other hand, by default there are no
services listening on the network interface - there are some listening
on loopback but they can only be reached from the machine itself.
So, if I wanted to own your box I could not use vulnerabilities in any
daemons and would have to find a flaw in the kernel's IP stack and do an
attack against it - most likely a buffer overflow. It is not completely
unheard of to have these kinds of vulnerabilities in the kernel but I have
not seen them in a long while. Exploiting these, should they surface,
would not be a trivial task either.
Now, if you want to be really paranoid, you could drop/reject everything
coming in before it even reaches the IP stack. You would be protected in the
off-chance that such a kernel flaw is discovered. On the other hand, if
you enable the netfilter code in the kernel - this is what you do when you use
iptables - you are opening yourself up to a possible compromise of the
netfilter code itself. Again, I do not remember seeing netfilter bugs
that would lead to a possibility of a compromise; all bugs that I have
seen would lead to either letting some packets through that it should
not have let through or blocking packets that should not have been
blocked. Nevertheless, there is a theoretical possibility that
remote-root-compromise type bugs in netfilter do exist and are just
waiting to be discovered.
So, from a pure security standpoint it boils down to which part of the Linux
kernel code you trust more - the IP stack or netfilter. Pretty tough call to
There is also a pretty popular myth that when you drop all unsolicited
incoming packets, you become "invisible" on the internet. This is not
really true. You do become somewhat "stealthy" but by no means
invisible. There are numerous ways to discover if an IP address is alive
besides ping. From the obvious - "I have just received an HTTP request from
you, you must be there" - to the not-so-obvious, like sniffing traffic on the
net and seeing packets going back and forth between you and some other
machine. Depending on how your upstream router is configured, pinging
you and getting no response could actually mean that you are alive,
because otherwise the upstream router would send ICMP host unreachable back.
Actually, about half of the routers on the internet will do it.
The point I was trying to make is "why bother?"
Now that I have proven beyond any doubt that firewalls are utterly
unnecessary, let's see why it is worth bothering.
What if I install foo-server that by default allows anybody to connect
and do stuff, i.e. the MySQL root password is empty by default and it will
listen on all interfaces unless you change the config? Will I remember to
uninstall/stop/disable/reconfigure it after - or before - I am done
playing? If you have firewall rules defined, it does not matter that
much. It will not be exposed unless you go and change your firewall config.
There are a bazillion other reasons why you do want to have a firewall
running. The problem for any distribution that wants to enable a firewall
by default is that it would have to come up with a default set of rules
that would seem "reasonable" for most people. The Ubuntu solution was to
have no listening ports and no firewall rules in the default install. It is
a very secure setup. If you want to add/remove/change software,
especially servers, it is assumed that you should have some
understanding of what you are doing.
-- vybegallo
Dax Solomon Umaming
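The two practical points in the quoted explanation are "know what is listening on a non-loopback address" (the MySQL-on-all-interfaces case) and "drop unsolicited incoming traffic while keeping loopback". The script below is an added example, not code from the thread or from Ubuntu: it parses `ss -ltn`-style output (a constructed sample is embedded so it runs offline) to list exposed listeners, and emits the minimal iptables-restore ruleset for that default-deny stance.

```shell
#!/bin/sh
# Added example (not from the original thread): audit listeners and emit a
# default-deny ruleset that keeps loopback and replies to our own connections.

# Print the listening TCP sockets bound to something other than loopback,
# given `ss -ltn`-style output on stdin (4th column is Local Address:Port).
exposed_listeners() {
    awk 'NR > 1 {
        addr = $4
        # the port is everything after the last ":"; the rest is the host
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host != "127.0.0.1" && host != "[::1]") print addr
    }'
}

# Constructed sample in the shape of `ss -ltn` output: CUPS on loopback only,
# MySQL with its "listen on all interfaces" default, sshd on all IPv6 addresses.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# iptables-restore ruleset: accept loopback and established/related traffic,
# drop everything else that arrives unsolicited; outbound stays open.
default_deny_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners

# On a live system (needs root):
#   ss -ltn | exposed_listeners
#   default_deny_rules | sudo iptables-restore
```

With the ruleset loaded, a daemon such as the MySQL example above stays unreachable from the network until you add an explicit `-A INPUT` rule for its port.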