Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
But with a policy of "ACCEPT 0 packets" on INPUT I can't see how this can possibly work. Can it?
It's not saying "ACCEPT zero packets". It's saying "the policy is set to ACCEPT, and it has been enforced on zero packets". In your case, with the rules you implemented, no packet should ever run into the policy for that chain, since the last rule in the chain matches any packet and sends it to DROP. An alternative to the way you have it set would be to eliminate the last rule and change the policy to DROP. That can, however, be more risky for you since you might flush the chain without resetting the policy and thus lock yourself out of your own box. So the way you have it now is just fine.
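The reply above explains that "ACCEPT 0 packets" is a counter, not a rule, and that a catch-all DROP at the end of the chain is what makes an ACCEPT policy safe until the chain is flushed. The script below is an added example, not code from the thread or from the poster's box: it parses an `iptables -L INPUT -v -n` listing (the two listings are constructed samples) and reports whether unmatched traffic is dropped, either because the policy is DROP or because the final rule is a catch-all DROP. The second sample shows the flush risk the reply warns about. Function names are my own, and accepting "0" as well as "all" in the protocol column is an assumption about newer iptables builds that print protocol numbers.

```shell
#!/bin/sh
# Added example (not from the thread): read an `iptables -L INPUT -v -n`
# listing and decide whether the chain fails closed, either because the
# policy is DROP or because the final rule is a catch-all DROP. It parses
# listing text, so it runs without root; the two listings below are
# constructed samples, not captured from the poster's machine.

# The poster's layout: policy ACCEPT, last rule a catch-all DROP. The
# policy counter reads "0 packets" because nothing ever reaches it.
SAMPLE_WITH_CATCHALL='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234 98765 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 5678 1209K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   42  2520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# The same chain after `iptables -F INPUT`: the catch-all is gone and the
# ACCEPT policy now decides every packet.
SAMPLE_FLUSHED='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Print the chain's default policy (ACCEPT or DROP) from the header line.
chain_policy() {
    sed -n '1s/^Chain [^ ]* (policy \([A-Z]*\).*/\1/p'
}

# Print how many packets have actually fallen through to the policy.
chain_policy_hits() {
    sed -n '1s/^Chain [^ ]* (policy [A-Z]* \([0-9]*\) packets.*/\1/p'
}

# Succeed only if the last rule is DROP with no match at all: any protocol
# ("all", or "0" on builds that print protocol numbers; an assumption),
# any interface, any source and destination, and no extra match columns.
last_rule_catchall_drop() {
    awk 'NR > 2 {
             seen = 1
             ok = ($3 == "DROP" && ($4 == "all" || $4 == "0") &&
                   $6 == "*" && $7 == "*" &&
                   $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && NF == 9)
         }
         END { exit (seen && ok) ? 0 : 1 }'
}

# Succeed if traffic not matched by an explicit rule is dropped either way.
chain_fail_closed() {
    listing=$(cat)
    [ "$(printf '%s\n' "$listing" | chain_policy)" = "DROP" ] && return 0
    printf '%s\n' "$listing" | last_rule_catchall_drop
}

# Usage on a live box: iptables -L INPUT -v -n | chain_fail_closed
for sample in "$SAMPLE_WITH_CATCHALL" "$SAMPLE_FLUSHED"; do
    if printf '%s\n' "$sample" | chain_fail_closed; then
        echo "fail-closed"
    else
        echo "OPEN: unmatched packets hit policy $(printf '%s\n' "$sample" | chain_policy)"
    fi
done
```

Run against the live listing, the first sample reports fail-closed while the flushed one reports OPEN, which is exactly the lockout-versus-exposure trade-off the reply describes: a DROP policy survives a flush but can lock you out, an ACCEPT policy with a trailing DROP rule is safe only as long as that rule exists.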
Quote:
As an aside, I think this is one area of the Ubuntu distro that Team Ubuntu needs to look into urgently if they hope to lure away more Windoze users. Iptables may certainly be a powerful, versatile and wonderfully precise way of tailoring your firewall needs, but user-friendly it CERTAINLY AIN'T!
I'm aware of add-ons like lokkit and ufw that simplify firewall rule-setting, but they're still crude and in need of further refinement - and they don't come with the distro so you have to download them, which is kinda risky with no operational firewall in the first place!!
There are many more GUI front-ends out there designed specifically for making this user friendly. I suggest you have a look, because you might find something that suits your needs, and there might be a package for it readily available in the Ubuntu repositories.
I would suggest Team Ubuntu check out how Team Knoppix have approached the problem. Knoppix comes with a highly configurable firewall built-in from the get-go. What's more it's suitable for beginners and experts alike to configure; one can go into as much detail as one is comfortable with. I wouldn't be using Ubuntu at all but for the fact that its bang-up-to-date kernel sees and fires up my usb stick modem with zero messing around. Ubuntu's a thoroughly good distro, but none of them are perfect, and this issue of firewalling is where Ubuntu badly falls down, IMHO.
Thanks for your comments.
Don't get me wrong-- a firewall is a very useful piece of technology to have between you and the internet. That being said a firewall on the local machine is largely moot if you're already NAT'd like most people on broadband. If you get a direct routeable internet ip on your computer it's considerably more useful of course.
Sorry, I must have missed this first time around. I'm not NAT'd as there's no internal network. I'm just a dabbler at home with separate boxes running 3 totally separate broadband lines (for security reasons). From my first post:
"The box is a stand-alone desktop, single-user, running Ubuntu 8.1; no server requirements; no SSH etc."
CC.
If you have no outward-facing services a firewall is pretty useless (as far as "protecting" you from something goes, at least), unless you want to do something like drop ICMP.
If you're not running ssh, ftp, telnet, or other daemons that are listening on outside ports... there's nothing anyone can do to get access to your system.
Out of curiosity, can you give us the output of a netstat -pan?
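The reply above asks for `netstat -pan` output to see which daemons are actually listening on outside ports. The script below is an added example, not from the thread: it filters a `netstat -pan` listing (a constructed sample, not the poster's output) down to the sockets reachable from outside the box, i.e. TCP sockets in LISTEN and UDP sockets bound to something other than a loopback address. Function names are my own; on a real system, PID/Program name is only filled in for other users' daemons when netstat runs as root.

```shell
#!/bin/sh
# Added example (not from the thread): filter a `netstat -pan` listing down
# to sockets reachable from outside the machine, i.e. bound to an address
# other than loopback. The listing below is a constructed sample, not the
# poster's output.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1234/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 192.168.1.10:41234      93.184.216.34:80        ESTABLISHED 2001/firefox
tcp6       0      0 :::22                   :::*                    LISTEN      987/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           654/dhclient
udp        0      0 127.0.0.1:53            0.0.0.0:*                           777/dnsmasq'

# Print "proto local-address pid/program" for each TCP socket in LISTEN and
# each UDP socket whose local address is not loopback. UDP rows have no
# State column, so PID/Program is field 6 there and field 7 for TCP.
externally_reachable_sockets() {
    awk '
        function is_loopback(addr) {
            sub(/:[0-9]+$/, "", addr)        # drop the port, keep the address
            return addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./
        }
        $1 ~ /^tcp/ && $6 == "LISTEN" && !is_loopback($4) { print $1, $4, $7 }
        $1 ~ /^udp/ && !is_loopback($4)                  { print $1, $4, $6 }
    '
}

# Count the exposed sockets; zero means nothing is listening for outsiders.
count_exposed() {
    externally_reachable_sockets | wc -l | tr -d " "
}

# Usage on a live box: netstat -pan | externally_reachable_sockets
printf '%s\n' "$SAMPLE_NETSTAT" | externally_reachable_sockets
```

On the sample this leaves sshd on 22 (v4 and v6) and dhclient on UDP 68 while hiding cupsd and dnsmasq, which are bound to loopback and unreachable from the wire. A desktop with "no server requirements" should produce an empty list here; anything that does show up is what a host firewall would be protecting.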