Originally Posted by marozsas
Is AppArmor an extra security layer that protects individual services based in what is the normal and expected behavior, right ?
It is an extra security layer and my interpretation is more that it is to protect you from the services/applications based on their expected/allowed behaviour. So, if, say, your word processor was compromised by downloading a file with nasty things in it (or someone squirted nasty data at your DNS server), the app would be sandboxed to stop the breach spreading out further, limiting the 'bad guys' ability to privilege escalate a small breach into a big one.
It should be
easier to get to grips with and configure than SELinux.
is an example of what I found when I did a google search on "app armor tutorial" and you certainly read one or more of those.
Is netfilter, the basic packet filter on Ubuntu 9.10 ?
I founded iptables and I installed firestarter, but looks like firestarter is protecting nothing from outside, based on this iptables -L output:
This is right ? The default policy is DROP but there is a rule that allows anything from anywhere ??? This make any sense ?
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
And finally, what is ufw and why it is disabled in all runlevels ?
Is ufw a replacement for iptables, or firestarter or it is a completely new animal ?
Should I use ufw instead firestarter ?
The various different things listed as 'firewalls' on Linux are almost always 'easy to use' front ends to iptables. So, if your iptables ruleset is 'bad', it doesn't matter what tool you have created the ruleset with, its a bad ruleset. Additionally, with one of the GUI things, you don't have to keep running the GUI part; you only have to run it once to generate the ruleset and from then on, its just a matter of running the ruleset (just the same way as you could/should/would run the ruleset if it was generated from, eg, a bash script...although you could
regenerate on, eg, every boot, if you thought the various IP adresses would change).
Oh, and on a security paranoia front (security paranoia - good, where normal paranoia = bad, arguably), you might choose to run the iptables rule generator bit on a different machine from the firewall machine, so that if your firewall box does get compromised you don't get your rule generation compromised.
thanks for the enlightenment,
e16 or e17?