LinuxQuestions.org
Old 03-29-2005, 04:33 AM   #1
jimdaworm
Member
 
Registered: Aug 2003
Location: Spain
Distribution: Ubuntu
Posts: 885

Rep: Reputation: 30
Philosophical Firewall question


I was just thinking: if, in theory, you turn off all the services that you don't need and maybe, for example, just leave port 80 open because you want to serve some web pages.

Assuming you don't want to stop people getting out, what difference would it make having or not having a firewall?

I mean, whether you have the firewall or not, if there is a security problem in your program serving pages on 80 you could be hacked, right??

Just trying to get my head around this...
 
Old 03-29-2005, 04:47 AM   #2
druuna
LQ Veteran
 
Registered: Sep 2003
Location: the Netherlands
Distribution: lfs, debian, rhel
Posts: 7,514
Blog Entries: 1

Rep: Reputation: 1139
Hi,

Using a firewall is just one of the things you need to do if you want to be secure (as secure as possible; 100% security is an illusion...).

But even if you serve webpages with (badly written) cgi/php code, you do limit the possibilities of breaking in to your box. A potential 'hacker' can only misuse the cgi/php code (port 80); all other access is denied. I do agree that if this 'hole' is found, 'they' will probably try to use it to gain access to your box.

Security is a concept (firewall, good coding, regularly check/install security patches, etc.), not a one-step solution (install a firewall. Done.)

Hope this clears things up a bit.
 
Old 03-29-2005, 02:40 PM   #3
jimdaworm
Member
 
Registered: Aug 2003
Location: Spain
Distribution: Ubuntu
Posts: 885

Original Poster
Rep: Reputation: 30
Thanks for your reply

The way I am thinking about it, it's like a blanket over your system and you just choose what can come in and go out. For example, if you have a service running (that you don't know about) you can stop it from having access if you just set up your firewall to deny everything except specifically what you want out.

I can however understand that a firewall in theory (my crazy theory) would be much more handy, for example, if you wanted to control access of things going out, maybe from local users that you didn't trust. You could have services running, perhaps receiving and responding to requests, but not making unsolicited ones???

Also, I just had a thought: firewalls can be 'learning' to prevent DOS attacks as well; can this not be done without a firewall?

Am I on the right track??

BTW I DO have a firewall (Smoothwall)

Last edited by jimdaworm; 03-29-2005 at 02:41 PM.
 
Old 03-29-2005, 03:30 PM   #4
druuna
LQ Veteran
 
Registered: Sep 2003
Location: the Netherlands
Distribution: lfs, debian, rhel
Posts: 7,514
Blog Entries: 1

Rep: Reputation: 1139
Hi again,

Quote:
The way I am thinking about it, it's like a blanket over your system and you just choose what can come in and go out. For example, if you have a service running (that you don't know about) you can stop it from having access if you just set up your firewall to deny everything except specifically what you want out.
If you mean by blanket an extra layer of security, then you are correct.

I do believe you focus (too much) on the 'blocking outgoing' issue. If you (and maybe a few others in a larger environment) are the admin of a few boxes, you should know what's running on your machines and make sure that certain services aren't running (even better: not being installed at all). If, on the other hand, somebody is able to start a certain service, he/she has probably become root and is able to punch holes in your firewall anyway...

You are the upper being on those boxes. With that comes the responsibility to keep it safe and sound, even if it's only you that uses these machines.

Of course you do need to think about what goes to the outside and what not. Telnet is such a service. Take this scenario: the local network is allowed to use telnet (client/server installed, up and running); no telnet (in and out) is allowed from/to the outside world. I'm not going to explain how to do this, this being philosophical, but I hope you get the point.

Starting with a 'deny everything' firewall config and opening, one by one, only those things you need is the best way to approach setting up a firewall.

Quote:
I can however understand that a firewall in theory (my crazy theory) would be much more handy, for example, if you wanted to control access of things going out, maybe from local users that you didn't trust. You could have services running, perhaps receiving and responding to requests, but not making unsolicited ones???
If you have to allow people you don't trust on your machine(s) you could do a lot of things to make sure that this user can only do what he/she needs to do. Setting up a firewall for this is not the way to go.

Quote:
Also, I just had a thought: firewalls can be 'learning' to prevent DOS attacks as well; can this not be done without a firewall?
Don't know, guess that it is possible. But why? You have a great tool (the firewall and some kernel settings) to take care of this.

Quote:
Am I on the right track??
Not on all points, but that's probably lack of knowledge. And gathering knowledge is why the internet was invented.

Here are 3 links that deal with security:

Linux Administrator's Security Guide
UNIX Security Checklist v2.0
LinuxQuestions Security references

The last URL has a ton of security (and related) links.

Quote:
BTW I DO have a firewall (Smoothwall)
One step done.

Hope this helps.
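The 'deny everything, then open one by one' approach described in this post, as an added example that is not part of the thread: a small POSIX shell function that writes a default-deny ruleset in iptables-restore format. The LAN interface name (eth1), the port list and the Samba-only-from-LAN rule are assumptions chosen for the example, not settings from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate a default-deny iptables ruleset
# in iptables-restore format. The host exposes only the TCP ports given on the
# command line to the world and accepts Samba only on the LAN interface.
# The interface name and ports used below are placeholders.

build_ruleset() {
    # $1 = LAN-side interface; remaining arguments = TCP ports open to everyone
    lan_if="$1"
    shift
    printf '%s\n' '*filter'
    # Default policy: drop everything inbound and forwarded; outbound stays open,
    # matching the "don't stop people getting out" assumption in the question.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host started (and related traffic) may come back in;
    # packets that belong to no known connection are dropped early.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Open, one by one, only the services that should be reachable from anywhere.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Samba (NetBIOS + SMB) is accepted only when it arrives on the LAN interface;
    # the same ports hit from the internet-facing side fall through to the DROP policy.
    printf '%s\n' "-A INPUT -i $lan_if -p udp -m multiport --dports 137,138 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $lan_if -p tcp -m multiport --dports 139,445 -j ACCEPT"
    # Log (rate-limited) what the policy is about to drop, so the firewall also
    # gives the visibility other posters in the thread mention.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
    printf '%s\n' 'COMMIT'
}

# Usage (both steps need root): write the ruleset for a web server whose inside
# interface is eth1, syntax-check it without loading, then load it.
#   build_ruleset eth1 80 443 > /tmp/rules.v4
#   iptables-restore --test < /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
```

The `--test` pass is worth keeping in the habit: it parses the whole file without committing it, so a typo in one rule cannot leave the box half-configured with a DROP policy and no ACCEPT rules, which is the usual way a first default-deny attempt locks its author out.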
 
Old 03-29-2005, 03:43 PM   #5
awdac
LQ Newbie
 
Registered: Mar 2005
Posts: 21

Rep: Reputation: 15
On an enterprise level, jimda, your thinking is not wrong, but you are not the first person to think of it. Many firewall and IDS programs have the ability to examine and control outgoing packets. There are also "learning" firewalls (I think it's Checkpoint that I've seen the demo of), but they are a kind of a pain and leave you with less of an understanding of what it is they are doing. It is *very* important in many corporate settings (and other settings I can imagine) that you would want to know exactly what was going out from behind your walls. Often the outgoing is more monitored (with Snort or some such) than controlled, but of course it's possible to do whatever you want.

Setting up a network to be hard on the outside and soft on the inside is a poor way to manage it, and there's no reason even small networks shouldn't be set up as securely as possible. After all, if you have time, how can you be too secure? Never trust others on machines you manage. It's too easy for them to make mischief, even when their intentions are not malicious.
 
Old 03-29-2005, 04:14 PM   #6
cleidh_mor
Member
 
Registered: Mar 2005
Location: Glasgow, Scotland
Distribution: SuSE
Posts: 70

Rep: Reputation: 15
Hi jimda,

At the least, a firewall adds a layer of logging to connections into your box. Reflexive security is available through various firewall and IDS products (see Cisco's bumph on self-defending network, etc.).

Assuming you only want to serve webpages, so you turn off everything else, and disable your firewall. Then you're hit by a traditional DoS. Now, with or without a firewall, on a home setup, you are likely to see your machine fall over. But if you have a firewall, at least you can block that IP addr.

Then you want to use Samba, so you turn that on as well. So that's two ports open on an unfirewalled box, open to the entire internet. The main advantage of a firewall then, as I see it, is that you can limit who has visibility of your services. And then there are cool things like NAT... All these points become even more important in a campus / corporate network.

I can see your point, but in my opinion, it doesn't hurt to be a bit over-protective of your network.

Cheers,
Cleidh Mor
 
Old 03-30-2005, 01:21 AM   #7
jimdaworm
Member
 
Registered: Aug 2003
Location: Spain
Distribution: Ubuntu
Posts: 885

Original Poster
Rep: Reputation: 30
First of all, thank you guys for all your replies.


druuna, I turn off all the services that I don't use, basically everything like ftp, samba, ssh. The thing that made me start thinking about all of this is that I want to set up a web server.

Also, I was wondering: if I use samba or similar over my computers locally to share files, is there any way that people could access them over the internet even though I have a router (smoothwall)? From your example I would guess that I should specifically not let it in or out from smoothwall?

Thanks for those links, I will have a read.


awdac, I understand what you're saying... it's a good idea to have the network as hard as possible all the way through; that way if, for example, they make their way past the firewall, you make it as difficult as possible for damage to be done on the internal network. I have snort running on smoothwall, which is interesting as I can see what's going on and who's trying to attack me.

cleidh_mor, that's a good point, that firewalls are good for hiding open ports. I am using NAT at the moment so I can share internet between computers, so I can surf while my girlfriend does as well.

Thanks again for all your info. I am not there yet, but am starting to have a better idea of how firewalls work!
 
Old 03-30-2005, 02:11 AM   #8
druuna
LQ Veteran
 
Registered: Sep 2003
Location: the Netherlands
Distribution: lfs, debian, rhel
Posts: 7,514
Blog Entries: 1

Rep: Reputation: 1139
Quote:
druuna, I turn off all the services that I don't use, basically everything like ftp, samba, ssh. The thing that made me start thinking about all of this is that I want to set up a web server.
For normal webserving you need port 80 (if you did not change it); if you use secure http (https) too, you also need port 443.

Quote:
Also, I was wondering: if I use samba or similar over my computers locally to share files, is there any way that people could access them over the internet even though I have a router (smoothwall)? From your example I would guess that I should specifically not let it in or out from smoothwall?
It all depends on how things are set up. Some services 'bind' to all the possible IP numbers, i.e. the httpd service will listen on port 80, but does this for all the possible IP numbers. You can set it up so that httpd will only listen on port 80 on certain IP addresses/ranges (your local LAN, for example).

You mention samba; the config file (smb.conf) has an option to set the host(s) that are allowed (appropriately called 'hosts allow'). Only machine(s) from this IP (range) are allowed. Samba also has an 'interfaces' entry; here you tell samba on which interface ('network card') it should listen.

You need to take a look at the manpages for the appropriate service to see if such an option (or options) exists.

Adding the extra firewall layer does not hurt, especially if you are 'new' to this stuff and are not sure if your config files are ok. But setting up a firewall is not the easiest thing to do either...

Hope this helps even more.
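The binding problem this post describes (a service that listens on every IP address instead of just the LAN one) is easy to check for, and the check is what tells you whether the config-file settings took effect. As an added example, not part of the thread: a shell function that reads `ss -ltnH`-style lines and reports sockets bound to the wildcard address. The sample lines are constructed for the example; the addresses and ports in them are placeholders, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread): find listening TCP sockets that are bound
# to every address instead of one interface's address. Input lines are in the
# format of `ss -ltnH` (state, recv-q, send-q, local address:port, peer address:port).
# SAMPLE_LISTENERS is constructed for this example, not output from a real host.

SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:139 0.0.0.0:*
LISTEN 0 50 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 192.168.1.10:445 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Reads ss-style lines on stdin; prints "<port> <address>" for each socket that
# listens on the wildcard address (0.0.0.0, [::], or the older "*" form).
# Sockets bound to loopback or to one specific address are left alone.
wildcard_listeners() {
    awk '{
        la = $4
        port = la; sub(/.*:/, "", port)        # text after the last colon
        addr = la; sub(/:[0-9]+$/, "", addr)   # everything before the last colon
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print port " " addr
    }'
}

# Wrapper over the constructed sample so the result can be checked without
# running ss. On a real host use:  ss -ltnH | wildcard_listeners
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTENERS" | wildcard_listeners
}

audit_sample
```

On the sample, ports 80 and 139 (IPv4) and 22 (IPv6) are flagged; 631 on 127.0.0.1 and 445 on 192.168.1.10 are not. For a flagged Samba socket the fix is the pair this post names, `interfaces` and `hosts allow` in smb.conf, plus `bind interfaces only = yes`, without which the `interfaces` line does not actually restrict the listening sockets; for Apache the equivalent is a `Listen` line carrying an address (for instance `Listen 192.168.1.10:80`, an illustrative address) instead of a bare `Listen 80`. Rerun the audit after the restart: if the port still shows 0.0.0.0, the setting did not take, and only the firewall is protecting that service.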
 
Old 04-01-2005, 03:53 AM   #9
jimdaworm
Member
 
Registered: Aug 2003
Location: Spain
Distribution: Ubuntu
Posts: 885

Original Poster
Rep: Reputation: 30
Thanks for all your explanations, druuna. I forgot about that part of the config file for samba.

I think basically all I need to do now is actually set up a webserver and try and make it secure.
 
Old 04-02-2005, 03:55 AM   #10
cleidh_mor
Member
 
Registered: Mar 2005
Location: Glasgow, Scotland
Distribution: SuSE
Posts: 70

Rep: Reputation: 15
Quote:
Originally posted by jimdaworm
I think basically all I need to do now is actually set up a webserver and try and make it secure.
Nessus is your friend.

Good Luck!
 