Why a firewall under Linux

[mazer]

Hi folks,

the other day, I was just wondering why Linux needs a firewall. Linux has all this great
configuration files in order to limit the access to a machine from the outside. Under FC*,
for example, I can deinstall easily all unnecessary daemons (usually a private person does not need sendmal, bind, httpd, named ......) with yum which helps me to secure my system.
hosts.allow and host.deny give me also great possibilities to prevent me from any cracker.
Therefore my question: Why do I need a firewall?

Mazer

[bigtomrodney]

You don't 'need' one but it's a good idea. Think of iptables though. It's not just for closing ports. You can run ssh and block access to some but not all. Granted you can do this in hosts.deny but you can also go further and limit the number of times someone can access. Not everyone has the expertise or inclination to make all of the stops around the system that a firewall can do in one go.

[mazer]

You don't 'need' one but it's a good idea. Think of iptables though. It's not just for closing ports. You can run ssh and block access to some but not all. Granted you can do this in hosts.deny but you can also go further and limit the number of times someone can access. Not everyone has the expertise or inclination to make all of the stops around the system that a firewall can do in one go.

You are right. You have a greater flexibility and I guess (actually I have not setup a firewall yet ) the configuration files are not spread over the entire /etc directory. But somehow, I have also the impression that a firewall encourages not to think about a clear and clean linux setup (I mean on the distribution side). In the old days, I have used Suse
a lot (5.1 was my first distribution). At this time (I do not know how it is nowadays), they had a lot of daemons running, which were not really necessary (like inted or xinted. I do not even know why I needed that.). Why does a normal user needs to have sendmail installed or nfs? For a network, I can understand that. You have one computer with a perfectly setup firewall and in the back you have the entire network with several computers, which do not need to be configured.

Mazer

[bigtomrodney]

I agree with what you are saying. Distros like Ubuntu come with no services listening. You even need to install sshd seperately. I guess it's just convenience in some distros to leave this stuff running. Then again if you start with some other distros you just about get a running kernel

I guess it depends on the target audience.

[g.ivannov]

I was just wondering why Linux needs a firewall.

1. Sometimes your machine acts as a server (bittorrent, p2p networks etc) If you dont want that on a permanent basis, a firewall permits you to allow/drop these incoming connexions easily.

2. If you use closed source software, restricting the outgoing connections to the protocols you really need prevents some apps from "calling home"

3. A firewall protects your machine from ports probing, which, if repeated, can reveal to hackers a vulnerability some day. Your firewall makes your machine stealth, so non-existent for the hacher.

4. If you are security conscious, a highly configurable firewall (for example Shorewall) permits you to fine-tune your configuration so that you have more control on incoming packets (suspicious flags, martian or invalid packets, route filtering etc)

[anomie]

'Security in layers' approach. I've set up workstations (which had no services listening on an external interface) without a firewall in the past.

Make sure you're aware of what is really listening on your box -- netstat and nmap can help.

[mazer]

'Security in layers' approach. I've set up workstations (which had no services listening on an external interface) without a firewall in the past.

Make sure you're aware of what is really listening on your box -- netstat and nmap can help.

I have just realized that there is already a great permanent thread about this topic from fingal: "A short guide to security". I have still no firewall running but stopped and deinstalled all unnecessary daemons. Nmap just tells me that ssh is open as I have intended. rkhunter and chkrootkit have told me that everything is fine. One can only log into my machine with ssh if he has a key. My box should be pretty secure now, shouldn't it? What would a firewall do additionally? Scan port 22 in order to determine an attack?

Mazer

[anomie]

What would a firewall do additionally? Scan port 22 in order to determine an attack?

It could block subnets you specify from seeing that tcp port 22 is open at all.

[mazer]

It could block subnets you specify from seeing that tcp port 22 is open at all.

Couldn't I do that also with hosts.deny?

[anomie]

Well, tcp_wrappers does offer a similar functionality for the result you want, but it denies subnets on a different level (libwrap.so support gets compiled into the daemon you're running -- in this case sshd). A port scan will still show that tcp port 22 is open. The packet filtering provided by iptables/netfilter can prevent scanners from seeing port 22 as anything but filtered.

Does it matter? Probably not. If you were a high-profile target you might be interested in throttling connections and traffic shaping with iptables. (Then again, if you were a high-profile target you probably wouldn't be relying on a host-level firewall.)

I'm not arguing that you should make any changes. I have a server with a similar setup to what you describe: sshd running with pubkey authentication only (and some other tweaks to harden the config) and no packet filtering on that port.