Find the answer to your Linux question:
Page 1 of 2 1 2 LastLast
Results 1 to 10 of 11
Hi folks, the other day, I was just wondering why Linux needs a firewall. Linux has all this great configuration files in order to limit the access to a machine ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Linux Newbie mazer's Avatar
    Join Date
    Jul 2006
    Location
    Tucson, Arizona, USA
    Posts
    109

    Why a firewall under Linux


    Hi folks,

    the other day, I was just wondering why Linux needs a firewall. Linux has all this great
    configuration files in order to limit the access to a machine from the outside. Under FC*,
    for example, I can deinstall easily all unnecessary daemons (usually a private person does not need sendmal, bind, httpd, named ......) with yum which helps me to secure my system.
    hosts.allow and host.deny give me also great possibilities to prevent me from any cracker.
    Therefore my question: Why do I need a firewall?

    Mazer

  2. #2
    Linux Guru
    Join Date
    Nov 2004
    Posts
    6,110
    You don't 'need' one but it's a good idea. Think of iptables though. It's not just for closing ports. You can run ssh and block access to some but not all. Granted you can do this in hosts.deny but you can also go further and limit the number of times someone can access. Not everyone has the expertise or inclination to make all of the stops around the system that a firewall can do in one go.

  3. #3
    Linux Newbie mazer's Avatar
    Join Date
    Jul 2006
    Location
    Tucson, Arizona, USA
    Posts
    109
    Quote Originally Posted by bigtomrodney View Post
    You don't 'need' one but it's a good idea. Think of iptables though. It's not just for closing ports. You can run ssh and block access to some but not all. Granted you can do this in hosts.deny but you can also go further and limit the number of times someone can access. Not everyone has the expertise or inclination to make all of the stops around the system that a firewall can do in one go.
    You are right. You have a greater flexibility and I guess (actually I have not setup a firewall yet ) the configuration files are not spread over the entire /etc directory. But somehow, I have also the impression that a firewall encourages not to think about a clear and clean linux setup (I mean on the distribution side). In the old days, I have used Suse
    a lot (5.1 was my first distribution). At this time (I do not know how it is nowadays), they had a lot of daemons running, which were not really necessary (like inted or xinted. I do not even know why I needed that.). Why does a normal user needs to have sendmail installed or nfs? For a network, I can understand that. You have one computer with a perfectly setup firewall and in the back you have the entire network with several computers, which do not need to be configured.

    Mazer

  4. #4
    Linux Guru
    Join Date
    Nov 2004
    Posts
    6,110
    I agree with what you are saying. Distros like Ubuntu come with no services listening. You even need to install sshd seperately. I guess it's just convenience in some distros to leave this stuff running. Then again if you start with some other distros you just about get a running kernel

    I guess it depends on the target audience.

  5. #5
    Just Joined!
    Join Date
    Apr 2007
    Posts
    47
    Quote Originally Posted by mazer View Post
    I was just wondering why Linux needs a firewall.
    1. Sometimes your machine acts as a server (bittorrent, p2p networks etc) If you dont want that on a permanent basis, a firewall permits you to allow/drop these incoming connexions easily.

    2. If you use closed source software, restricting the outgoing connections to the protocols you really need prevents some apps from "calling home"

    3. A firewall protects your machine from ports probing, which, if repeated, can reveal to hackers a vulnerability some day. Your firewall makes your machine stealth, so non-existent for the hacher.

    4. If you are security conscious, a highly configurable firewall (for example Shorewall) permits you to fine-tune your configuration so that you have more control on incoming packets (suspicious flags, martian or invalid packets, route filtering etc)

  6. #6
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    'Security in layers' approach. I've set up workstations (which had no services listening on an external interface) without a firewall in the past.

    Make sure you're aware of what is really listening on your box -- netstat and nmap can help.

  7. #7
    Linux Newbie mazer's Avatar
    Join Date
    Jul 2006
    Location
    Tucson, Arizona, USA
    Posts
    109
    Quote Originally Posted by anomie View Post
    'Security in layers' approach. I've set up workstations (which had no services listening on an external interface) without a firewall in the past.

    Make sure you're aware of what is really listening on your box -- netstat and nmap can help.
    I have just realized that there is already a great permanent thread about this topic from fingal: "A short guide to security". I have still no firewall running but stopped and deinstalled all unnecessary daemons. Nmap just tells me that ssh is open as I have intended. rkhunter and chkrootkit have told me that everything is fine. One can only log into my machine with ssh if he has a key. My box should be pretty secure now, shouldn't it? What would a firewall do additionally? Scan port 22 in order to determine an attack?

    Mazer

  8. #8
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Quote Originally Posted by mazer
    What would a firewall do additionally? Scan port 22 in order to determine an attack?
    It could block subnets you specify from seeing that tcp port 22 is open at all.

  9. #9
    Linux Newbie mazer's Avatar
    Join Date
    Jul 2006
    Location
    Tucson, Arizona, USA
    Posts
    109
    Quote Originally Posted by anomie View Post
    It could block subnets you specify from seeing that tcp port 22 is open at all.
    Couldn't I do that also with hosts.deny?

  10. #10
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Well, tcp_wrappers does offer a similar functionality for the result you want, but it denies subnets on a different level (libwrap.so support gets compiled into the daemon you're running -- in this case sshd). A port scan will still show that tcp port 22 is open. The packet filtering provided by iptables/netfilter can prevent scanners from seeing port 22 as anything but filtered.

    Does it matter? Probably not. If you were a high-profile target you might be interested in throttling connections and traffic shaping with iptables. (Then again, if you were a high-profile target you probably wouldn't be relying on a host-level firewall.)

    I'm not arguing that you should make any changes. I have a server with a similar setup to what you describe: sshd running with pubkey authentication only (and some other tweaks to harden the config) and no packet filtering on that port.

Page 1 of 2 1 2 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •