And another Ubuntu convert!

Mark Kirkwood markir at paradise.net.nz
Sat Jan 24 20:45:22 UTC 2009


Derek Broughton wrote:
> Mark Kirkwood wrote:
>
>   
>> Derek Broughton wrote:
>>     
>
>   
>>>> - use a firewall
>>>>         
>>> Mostly not necessary either - if you don't have servers, you don't need a
>>> firewall.  Which is why Ubuntu Desktop versions don't install one.
>>>
>>>       
>> If you are using a DSL router, then most have one anyway. It is wise to
>> leave it on - another layer of security to protect you (especially if
>> you do wish to enable remote access - say from work to your machine at
>> home, you can configure the firewall to only allow connection attempts
>> from your work ip range - again, another layer of safety in case of an
>> unknown ssh vulnerability).
>>     
>
> That, of course, means you're operating a server of some sort - and 
> absolutely you need firewalls when you do that.
>   

Of course running connection accepting daemons means you are technically 
running a server. However these days the distinction is somewhat blurred 
- most people either have a web-server or openssh-server on their 
workstation, so need a firewall. Unfortunately it is often the case that 
folks may not be aware that they have (for example) either of these 
running - either because they enabled it ages ago (temporarily!) and 
forgot to disable it again, or they didn't notice that it got installed 
as a dependency for some other package they installed.

So again, wise to run one - unless you are *sure* you have no server 
daemons running. I recommend scanning yourself with nmap to be sure, or 
visiting https://www.grc.com/x/ne.dll?bh0bkyd2 to get yourself scanned 
for open ports.

>>>> - use a script blocker like noscript in your browser
>>>>     
>>>>         
>>> That's really, really, pointless.  The fact is, if you turn off
>>> scripting,
>>> you lose most of the functionality of the web.  Even if you just make it
>>> prompt before running scripts you'll be driven crazy.  I'd far rather
>>> block specific domains (like adblock).
>>>       
>> Hmm, couldn't disagree more - I was referring to a configurable blocker 
>> (like Noscript in Firefox) - this is probably one of the best ways to
>> protect yourself whilst browsing. Most sites work well enough for you to
>> decide whether or not to trust them by allowing any scripts.
>>     
>
> Unless your browser has vulnerabilities, script isn't supposed to be able to 
> do anything harmful (activex, of course, is just one huge vulnerability).  
> Having a script blocker asking  whether it can run scripts every time you 
> come to a new site ruins the experience of the web, for little value.  I 
> don't _want_ to have to decide whether to trust scripts on every site, and I 
> absolutely don't  believe I need to.
>
>
>
>
>   

I agree that a browser *shouldn't* be able to do anything harmful and 
you *shouldn't* need to have to make decisions about site safety. 
However the current state of affairs seems to be that browsers can - see:

http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

Admittedly these get patched very quickly these days, but there is 
always a window of vulnerability. So you really have to assume that the 
internet is a mildly hostile environment.


regards

Mark
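
A local complement to the nmap self-scan recommended in the message above, as an added example that is not part of the original post: it parses the kernel's `/proc/net/tcp` table and reports listening TCP sockets that are bound to non-loopback addresses, which is where a forgotten web-server or openssh-server would show up. It assumes Linux, IPv4 and a little-endian host; the sample table and the function names are constructed for illustration.

```python
import ipaddress
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format (not data from the post).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222
   2: 0500A8C0:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 33333
   3: 0500A8C0:D2F0 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 44444
"""

TCP_LISTEN = "0A"  # kernel state code for a socket waiting for connections


def listening_sockets(table_text):
    """Return (address, port) for every LISTEN entry in a /proc/net/tcp table."""
    found = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The address is a 32-bit value in host byte order (little-endian assumed).
        addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        found.append((addr, int(port_hex, 16)))
    return found


def exposed(sockets):
    """Keep only listeners reachable from other machines (not 127.0.0.0/8)."""
    return [(a, p) for a, p in sockets if not ipaddress.ip_address(a).is_loopback]


if __name__ == "__main__":
    path = "/proc/net/tcp"
    if os.path.exists(path):
        with open(path) as fh:
            table = fh.read()
    else:
        table = SAMPLE  # fall back to the constructed sample off Linux
    for addr, port in exposed(listening_sockets(table)):
        print(f"listening on {addr}:{port} - firewall it or stop the daemon")
```

A listener on `0.0.0.0` accepts connections on every interface, so it is reported alongside listeners bound to a specific LAN address.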





