Thread: Why a firewall under Linux
The other day, I was just wondering why Linux needs a firewall. Linux has all these great
configuration files in order to limit the access to a machine from the outside. Under FC*,
for example, I can easily uninstall all unnecessary daemons (usually a private person does not need sendmail, bind, httpd, named ......) with yum, which helps me to secure my system.
hosts.allow and hosts.deny also give me great possibilities to protect me from any cracker.
Therefore my question: Why do I need a firewall?
You don't 'need' one but it's a good idea. Think of iptables though. It's not just for closing ports. You can run ssh and block access to some but not all. Granted you can do this in hosts.deny but you can also go further and limit the number of times someone can access. Not everyone has the expertise or inclination to make all of the stops around the system that a firewall can do in one go.
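The reply above mentions that iptables can do more than close a port, for instance allow ssh from some sources only and limit how often someone may connect. The following is an added example, not code from the thread or any poster: a small shell function that prints an INPUT ruleset doing exactly that with the netfilter "recent" match. The management subnet and the limit of four new connections per source per 60 seconds are assumed values for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables INPUT policy that
# keeps sshd reachable from one management subnet only and throttles repeated
# connection attempts per source with the "recent" match. Rules are printed
# rather than applied so they can be reviewed; pipe the output to "sh" as
# root to load them. Subnet and limits are assumed values.
MGMT_NET="192.168.1.0/24"   # assumed admin subnet allowed to reach sshd
SSH_HITS=4                  # new connections allowed ...
SSH_WINDOW=60               # ... per this many seconds, per source address

ssh_ratelimit_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -m recent --name sshbf --set
iptables -A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -m recent --name sshbf --update --seconds $SSH_WINDOW --hitcount $SSH_HITS -j LOG --log-prefix "ssh-throttle: "
iptables -A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -m recent --name sshbf --update --seconds $SSH_WINDOW --hitcount $SSH_HITS -j DROP
iptables -A INPUT -p tcp --dport 22 -s $MGMT_NET -j ACCEPT
EOF
}

# Print the ruleset for review (run "ssh_ratelimit_rules | sudo sh" to apply).
ssh_ratelimit_rules
```

Every source outside MGMT_NET falls through to the DROP policy, so a scan from elsewhere reports port 22 as filtered rather than open; within the subnet, the fourth new connection inside the window is logged and dropped, while established sessions are unaffected by the throttle.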
a lot (5.1 was my first distribution). At this time (I do not know how it is nowadays), they had a lot of daemons running, which were not really necessary (like inetd or xinetd. I do not even know why I needed that.). Why does a normal user need to have sendmail installed, or nfs? For a network, I can understand that. You have one computer with a perfectly set up firewall and in the back you have the entire network with several computers, which do not need to be configured.
I agree with what you are saying. Distros like Ubuntu come with no services listening. You even need to install sshd separately. I guess it's just convenience in some distros to leave this stuff running. Then again, if you start with some other distros you just about get a running kernel.
I guess it depends on the target audience.
2. If you use closed source software, restricting the outgoing connections to the protocols you really need prevents some apps from "calling home"
3. A firewall protects your machine from port probing, which, if repeated, can reveal to hackers a vulnerability some day. Your firewall makes your machine stealth, so non-existent for the hacker.
4. If you are security conscious, a highly configurable firewall (for example Shorewall) permits you to fine-tune your configuration so that you have more control over incoming packets (suspicious flags, martian or invalid packets, route filtering etc.)
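Points 2 and 4 above describe two things a host firewall adds that uninstalling daemons cannot: restricting outgoing connections to the protocols the machine really needs, and dropping packets with suspicious flag combinations. The following is an added example, not code from the thread or from Shorewall: two shell functions that print the corresponding iptables rules. The allowed service list (DNS, HTTP, HTTPS, NTP) is an assumed set for the illustration; a real workstation may also need DHCP or outbound ICMP.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables OUTPUT allow-list so
# the machine only opens outbound connections for the protocols it needs
# (everything else, including a closed-source app "calling home", is logged
# and dropped), plus INPUT rules against malformed TCP flag combinations and
# the reverse-path sysctl. Printed, not applied; pipe to "sh" as root to load.
EGRESS_ALLOWED="udp/53 tcp/53 tcp/80 tcp/443 udp/123"   # assumed service list

egress_rules() {
    echo 'iptables -P OUTPUT DROP'
    echo 'iptables -F OUTPUT'
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    echo 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP'
    # one ACCEPT per allowed proto/port pair for new outbound connections
    for svc in $EGRESS_ALLOWED; do
        proto=${svc%/*}
        port=${svc#*/}
        echo "iptables -A OUTPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # log what was refused, rate-limited so a chatty app cannot flood syslog
    echo 'iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-denied: "'
}

malformed_packet_rules() {
    # reject packets whose source is not routable back via the arriving interface
    echo 'sysctl -w net.ipv4.conf.all.rp_filter=1'
    # TCP flag combinations that no legitimate stack sends
    echo 'iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP'
    echo 'iptables -I INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP'
    echo 'iptables -I INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP'
    # a "new" connection must start with a SYN
    echo 'iptables -I INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
}

# Print both rulesets for review.
egress_rules
malformed_packet_rules
```

The logged "egress-denied:" lines are the useful part when hunting for software that phones home: anything an application tries to reach outside the allow-list shows up in syslog with its destination address and port.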
'Security in layers' approach. I've set up workstations (which had no services listening on an external interface) without a firewall in the past.
Make sure you're aware of what is really listening on your box -- netstat and nmap can help.
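The advice above is to know what is really listening before deciding whether a firewall adds anything. The following is an added example, not code from the thread: a shell function that takes `netstat -tuln` output and reports only the sockets bound to addresses reachable from outside the host, skipping loopback-only listeners. The sample netstat output is constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list sockets reachable from outside the
# host, given "netstat -tuln" output on stdin. Anything bound to 0.0.0.0, ::
# or an interface address is reported; 127.0.0.1 and ::1 listeners are
# skipped. SAMPLE_NETSTAT is constructed for the illustration.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*'

# Reads netstat lines on stdin, prints "proto bind-address port" for every
# listener that is not confined to loopback.
external_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":"); port = a[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host == "127.0.0.1" || host == "::1") next
        print $1, host, port
    }'
}

# Live check on this machine (netstat from net-tools; use "ss -tuln" with
# column 5 instead if netstat is not installed).
audit_listeners() {
    netstat -tuln 2>/dev/null | external_listeners
}

# Demo on the constructed sample: sshd, rpcbind, a v6 web server and the
# DHCP client show up; the loopback-only MTA and chrony do not.
printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners
```

Each line this prints is a service that either should be removed, bound to loopback, or covered by a packet-filter rule; a port scan of the box from another machine (nmap, as the post suggests) should then agree with this list.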
08-03-2007 #8
Originally Posted by mazer
Well, tcp_wrappers does offer a similar functionality for the result you want, but it denies subnets on a different level (libwrap.so support gets compiled into the daemon you're running -- in this case sshd). A port scan will still show that tcp port 22 is open. The packet filtering provided by iptables/netfilter can prevent scanners from seeing port 22 as anything but filtered.
Does it matter? Probably not. If you were a high-profile target you might be interested in throttling connections and traffic shaping with iptables. (Then again, if you were a high-profile target you probably wouldn't be relying on a host-level firewall.)
I'm not arguing that you should make any changes. I have a server with a similar setup to what you describe: sshd running with pubkey authentication only (and some other tweaks to harden the config) and no packet filtering on that port.
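The reply above draws the line between tcp_wrappers and netfilter: libwrap decides inside the daemon after the TCP connection exists, so a scanner still sees port 22 open, whereas a packet filter drops the SYN and the port appears filtered. The following is an added example, not code from the thread or from tcp_wrappers: a small shell evaluator of the hosts.allow/hosts.deny decision order (hosts.allow first, then hosts.deny, otherwise allow), followed by the iptables rules that enforce the same source policy in the kernel. Both files and all addresses are constructed for the illustration; only ALL, exact addresses and trailing-dot network prefixes are understood.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate tcp_wrappers' decision order
# for a daemon/client pair, then print the netfilter rules for the same policy.
# Both files are constructed; the evaluator understands ALL, exact addresses
# and trailing-dot prefixes (192.168.1.), not EXCEPT or netmask forms.
HOSTS_ALLOW='# constructed hosts.allow
sshd : 192.168.1. 10.0.0.5
ALL : 127.0.0.1'
HOSTS_DENY='# constructed hosts.deny
ALL : ALL'

# Does any token of list $1 match value $2?
_list_matches() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case "$tok" in
            ALL) return 0 ;;
            *.)  case "$2" in "$tok"*) return 0 ;; esac ;;
            *)   if [ "$tok" = "$2" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Does any "daemon_list : client_list" line of file contents $1 match
# daemon $2 and client $3? Comments and blank lines are skipped.
_file_matches() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            if _list_matches "${line%%:*}" "$2" && _list_matches "${line#*:}" "$3"; then
                exit 0
            fi
        done
        exit 1
    }
}

# Prints ALLOW or DENY for daemon $1 and client address $2, in the order
# tcp_wrappers applies: hosts.allow, then hosts.deny, then default allow.
tcpwrap_decide() {
    if _file_matches "$HOSTS_ALLOW" "$1" "$2"; then echo ALLOW
    elif _file_matches "$HOSTS_DENY" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

# The same sshd source policy as packet-filter rules: the verdict is taken
# before the handshake completes, so unlisted hosts see port 22 as filtered.
netfilter_equivalent() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.5 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
EOF
}

# Demo: two clients against sshd, then the kernel-level equivalent.
echo "sshd from 192.168.1.77: $(tcpwrap_decide sshd 192.168.1.77)"
echo "sshd from 203.0.113.9:  $(tcpwrap_decide sshd 203.0.113.9)"
netfilter_equivalent
```

Note the default in the evaluator: a client matched by neither file is allowed, which is why a hosts.deny with `ALL : ALL` is the usual companion to a specific hosts.allow. Under tcp_wrappers the denied client still completed a TCP handshake before being dropped; under the netfilter rules it never did.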