Originally Posted by Sam Liu
but I never use a firewall for linux and haven't been threatened...ever! I've used linux about 4 years total (this year, and the rest 2-3 ...
- 08-23-2006 #21 Just Joined!
- Join Date
- Aug 2003
- Location
- Sydney, Australia
- Posts
- 52
Originally Posted by Sam Liu
I can hardly believe what I'm reading here. If all the Windows out there were to have implemented strict firewalling from the start ... the net may well have been a very different place. Or maybe the ante might have just been raised.
Sam Liu, ... You say you have never been threatened. You mean you just never knew ....
Install a packet sniffer like 'snort' and configure it to start when you go online. No need to run it otherwise. And have a look at its log in /var/log/snort after your sessions.
You might not see the big fishes when you go swimming in the ocean, but don't ever think they can't see you
Though, the traffic has dropped off a lot over the last year or so. It doesn't stop quaint occurrences like a port scan being performed on your machine that lasts only a couple of milliseconds, but covers a number of your service ports.
Various different groups, from actual companies to auto executing trojans on other machines will actively look for machines they can __use__. Especially for spam distribution and ddos exercises.
By just pinging your box, that can be recorded for future use. It's a bit like sending out a few people to scout a target's defences before deciding whether to invade or move on to another target.
Windows is the OS most at risk of course, but Linux isn't immune to this.
A Windows box will blissfully sit there with a spam trojan, sending out mail intermittently, or sending out metered pings to a particular location that it's received the address of ... with the user being none the wiser. No sniffer software to log the activity, no firewalling software to do the same ... Ignorance truly does become bliss. Except when it turns back on you ...
Also, a lot of home users do run a semi server scenario. They may have a MySQL database at home and access it from time to time, possibly in relation to their work. Or run a home LAN with net access.
I won't try to sell you on this, if you seriously think that because nothing 'gross' has obviously occurred on your home box, that you have never been touched, then you really do need to look more deeply into security issues and computing.
Just the distribution of spam issue is enough to warrant concern.
The kernel netfilter hooks, as utilised by 'iptables', are a very efficient means of firewalling. That's why it is there in the kernel and it is the most common back end for all the GUI firewall config programs available. Such as 'Guard Dog'.
Install the sniffer and then have another think.
jm
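An added example, not part of the post above: one way to spot the brief multi-port probe it describes, by counting distinct destination ports per source address in kernel netfilter log lines. It assumes an iptables LOG rule is in place; the "INPUT-DROP: " prefix, the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of kernel netfilter LOG lines (documentation addresses).
sample_log() {
cat <<'EOF'
Aug 23 10:15:01 box kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT=21 SYN
Aug 23 10:15:01 box kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT=22 SYN
Aug 23 10:15:01 box kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT=23 SYN
Aug 23 10:15:01 box kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT=25 SYN
Aug 23 10:15:01 box kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT=80 SYN
Aug 23 10:20:11 box kernel: INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=51514 DPT=22 SYN
Aug 23 10:20:14 box kernel: INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=51514 DPT=22 SYN
Aug 23 10:31:40 box kernel: INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TTL=50 PROTO=ICMP TYPE=8 CODE=0
EOF
}

# Read log lines on stdin; print "source distinct_ports" for every source
# that touched at least $1 different destination ports.
find_scanners() {
    awk -v min="$1" '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "" || dpt == "") next      # ICMP lines carry no DPT field
        key = src SUBSEP dpt
        if (!(key in seen)) {                 # count each port once per source
            seen[key] = 1
            ports[src]++
        }
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' | sort
}

# A retry against one port is not flagged; five ports from one source is.
sample_log | find_scanners 4
```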
- 08-23-2006 #22
I honestly don't know enough about servers to tell you. I'm only arguing that you can't be too careful, and you're always going to be better off with a firewall than without. What you do with your server is your business.
Originally Posted by Workaphobia Registered Linux user #270181
TechieMoe's Tech Rants
- 08-24-2006 #23
Hi - Personally I run two firewalls on my desktop. One is built into my router, and the other ships with my distro: Shorewall.
I sometimes chat to another Linux person online, and he doesn't use a firewall but he gave me his IP address and I carried out a port scan against him using Nmap ... It came back with an 'all ports filtered' message. That's another way to look at security if you have a bit of trust.
Like people are saying, you can't take anything for granted. If you leave the gate open the black hats will get you imho.
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
- 02-02-2007 #24 Just Joined!
- Join Date
- Jan 2007
- Posts
- 8
I totally agree with jjmac. Not only does a firewall block ports, it filters the ones that are open. It looks for certain types of traffic that are consistent with what is known to be hacking or malicious. It is not 100% foolproof, but nothing is in this world. Just like with anything it will surely minimize risks, just as locking your house or car door and using alarms. The point is to minimize risks as much as possible.
Originally Posted by jjmac
- 02-03-2007 #25 Linux Newbie
- Join Date
- Nov 2004
- Location
- New York
- Posts
- 150
Do you all think you're that much safer? It sounds like firewalls are nothing but an extra wall around your house without improving the lock on your door (i.e., the security of the daemon running on your server). Filtering via the content of traffic on a port may be the only valid claim I've heard so far in this thread as far as giving me a reason to care about firewalls; everything else seems to be false peace of mind.
"Nifty News Fifty: When news breaks, we give you the pieces." - Sluggy Freelance
- 02-03-2007 #26 Just Joined!
- Join Date
- Jan 2007
- Posts
- 8
Originally Posted by Workaphobia
I totally agree with you, but instead of the firewall being the wall it can actually be the lock on the door. Using this analogy, just as having a really good lock on your door will keep out almost all criminals, a good firewall can help keep out most inexperienced hackers and script kiddies. Now a professional robber could probably eventually break through the lock. But keeping the door unlocked will let any dumbass get in, that can once in wreak havoc on the inside. But this same dumbass criminal would otherwise not have been smart enough to break through the door. This is not to say that it will protect 100.00%, but a properly configured firewall or "lock" will keep out 99.5 percent. Just like a safe will keep out almost all criminals, but a professional safecracker with enough time can get into it. But at this point there better be something worthwhile in that safe or they would not waste their time. The point here is just to minimize the risks as much as possible. Also some firewalls are better than others just as some locks and doors are better than others, e.g., a good deadbolt as opposed to a regular door knob lock. Always assume that your computer or "house" could be a target and keep on top of things and your chances will decrease dramatically.
- 02-06-2007 #27 Just Joined!
- Join Date
- Jun 2006
- Posts
- 2
OK, so all that being said about it being prudent to run a firewall on your linux desktop, does anyone have any suggestions for a COMPLETE NEWBIE. I've installed Suse10.1 and is there some free linux software firewall you'd all suggest?
Or, how does one configure the iptables (someone suggested iptables -t nat -P PREROUTING DROP)? Again, this is for a COMPLETE NEWBIE, though while using windows they call me a senior software engineer - it just happens to be in C!!!
Thanks!
- 02-06-2007 #28 Just Joined!
- Join Date
- Jan 2007
- Posts
- 8
Sure, if you prefer GUI interfaces, here are a few. In any instance these utilities are essentially just configuring iptables for you in the background and creating rule sets. The first one is a GNOME based GUI, but you can run it from KDE, as long as you have at least the GNOME base packages installed...
Originally Posted by fldavem
http://www.fs-security.com/
http://www.fwbuilder.org/
http://seawall.sourceforge.net/
http://www.shorewall.net/
http://muse.linuxmafia.org/gshield/
As for configuring iptables/ipchains yourself...
http://www.linuxsecurity.com/resourc...-tutorial.html
As for hardening your system...
Originally written by the NSA, one of the best kernel modules...
http://www.nsa.gov/selinux/
http://selinux.sourceforge.net/
Also for hardening your system...
http://www.bastille-linux.org/
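An added example, not taken from any post in this thread or from the tools linked above: the kind of rule set those front ends generate for a desktop, written out in iptables-restore format. Packet filtering is done in the filter table's INPUT chain (the nat table is not intended for filtering); the function name, the choice of port 22 and the "INPUT-DROP: " log prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Print a default-deny inbound rule set in iptables-restore format.
# Arguments are the TCP ports to leave open for new connections.
desktop_ruleset() {
    # Validate every requested port before emitting anything.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "${#port}" -gt 5 ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # inbound: dropped unless a rule below accepts
    echo ':FORWARD DROP [0:0]'    # a desktop does not route for other hosts
    echo ':OUTPUT ACCEPT [0:0]'   # outbound traffic is not restricted here
    # Local traffic and replies to connections this machine opened.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Answer pings, but only at a limited rate.
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log a sample of what is about to be dropped by the chain policy.
    echo '-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "'
    echo 'COMMIT'
}

# Print the rule set for a desktop that also accepts SSH (22 is a sample choice).
# To load it, pipe this output to iptables-restore as root.
desktop_ruleset 22
```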
- 02-10-2007 #29
I don't run a firewall... It's not because I'm lazy though. I'm on a Cisco VPN so I can't use a firewall.
Note: If anybody knows of a firewall that works under a VPN, let me know. I might start using it.
Two levels higher than a newb.
(I can search google)


