Linux - General: This Linux forum is for general Linux questions and discussion. If it is Linux related and doesn't seem to fit in any other forum, then this is the place.
Hi all,
I've been using Shorewall as a firewall for my Slackware install (as a reflex I installed it). After a while, I realized why use a firewall? Let me explain...
Firewalls (as I understand) are basically a front for iptables rules. I don't understand why a port needs to be blocked if there is nothing running on that port. If no services are running on the computer, is a firewall even needed?
What about using iptables and basically saying "deny everything, except let X, Y, Z service through". In the end, do firewalls just do this?
Any ideas / discussion would be great on this, as over time I've been wondering more and more...
Since there is no spyware for Linux I don't think it's useful to make iptables application-based. There are some projects about this though.
Opening some ports and closing the rest is a normal practice. If you open port 80, the security on that port depends upon how secure Apache or another webserver is.
With hosts.allow and hosts.deny you can configure services as well. This should be secure already. I do have a tight firewall, but I use a NAT router, so I needed iptables anyway.
iptables is a firewall (sort of). Programs like shorewall and Guarddog are frontends that create iptables rules.
It is a good idea to have a correctly set up firewall, because that just adds an extra level of security. As I understand it, you don't need to have an application listening to a port for that port to be vulnerable. You are right that it is best not to have unnecessary services running. For example, why run Apache if you don't want a web server?
I run a separate firewall (smoothwall) router box. That way I can have internal ports open, file sharing, ssh, etc., but have it all firewalled to the internet. I just open the ports I actually need open...
You usually do have to have an application running on a port for it to be vulnerable, although it's possible if there was a kernel vulnerability that you'd be exposed. The reason you always run a firewall is that it's far easier and more reliable to just have shorewall configure iptables to say 'deny all incoming connections from the net' than it is to strip your machine down to almost nothing running in order to make sure no ports are being listened on.
You can run no services and have nothing listening on your service ports, thereby keeping them closed. Ok, that's one approach. Personally, the firewall does not take up much in the way of resources, and humans are known to err occasionally, so I run a firewall.
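The "nothing listening" approach above only works if you can actually verify it. As an added example (not code from anyone in this thread), the shell function below reads the column layout that `ss -tuln` prints and reports every listening socket bound to something other than a loopback address, which is exactly the set a firewall-less machine is relying on being empty. The `ss` output is a constructed sample so the script runs offline; on a real host you would pipe `ss -tuln` into `exposed_listeners` instead.

```shell
#!/bin/sh
# Added example: audit which listening sockets are reachable from other hosts.
# Input is the text `ss -tuln` (or `netstat -tuln`) prints; output is one
# "proto port" line per socket that is NOT bound to loopback.

# Constructed sample in the `ss -tuln` column layout (not from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      511    *:80                *:*
tcp   LISTEN 0      128    [::1]:25            [::]:*'

# Reads ss-style output on stdin; prints "proto port" for non-loopback binds.
exposed_listeners() {
    awk 'NR > 1 {
        addr = $5
        # The last ":" separates the address from the port.
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        sub(/%.*/, "", host)          # drop an interface suffix such as %lo
        gsub(/\[|\]/, "", host)       # strip IPv6 brackets
        # Loopback-only binds (127.x, ::1) are not reachable from the network.
        if (host == "::1" || host ~ /^127\./) next
        print $1, port
    }'
}

# Count the exposed sockets; a machine that "runs no services" expects 0.
exposed_count() {
    exposed_listeners | grep -c .
}

printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

With the sample above, sshd on 0.0.0.0:22 and the web server on *:80 are reported; the CUPS and resolver sockets bound to loopback are not, since they are unreachable from another host whether or not iptables is loaded.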
Originally posted by Moloko: "With hosts.allow and hosts.deny you can configure services as well. This should be secure already."
Take note that not all applications are compiled or configured by default to use hosts.allow and hosts.deny, so it won't always work. A firewall in place is the better option or action to take to fully secure your system.
Hmm, some interesting replies. The point about kernel vulnerabilities was particularly interesting, as I didn't know a non-listening and non-closed port could still be a security issue.
The main thing I am trying to see is if firewalls are just used...sort of as a reflex, or "just because", or "just in case", especially if the person has moved from Windows to Linux, where not having a firewall would be unthinkable.
Using Shorewall (or another firewall) wasn't an issue of resources, it was just whether it was truly needed or if everyone just did it because everyone else was. It's too bad that a simple iptables scheme wouldn't be as effective.
Thanks for the answers everyone, keep the opinions and ideas coming!
I'm not an expert, at all, and please everyone point out any errors in my thinking here...
From what I know, a lot of hackers (really 'crackers') out there today use automated searches, or 'scans', to identify potentially vulnerable machines. These are very, very simple 'sweeps' of blocks of IP addresses, and yours may be one of them at any given moment. The feedback from these scans is recorded and the cracker will then analyze this data and discard or keep any particular address for later attacking based on the revealed vulnerabilities.
Now, these types of scans (read up on nmap) will return different results based upon the type of scan and the state of the machine using the IP address being scanned. For example, if you are running an IPTables-based firewall set to 'drop' all packets from the outside, then the cracker's scan won't even know that there's a computer living at that address. Very likely, the cracker will not be interested in this particular IP address and will discard it. However, a computer that is not firewalled may respond in predictable ways to certain types of scans even if there are no services running on the targeted machine. This type of return data may not appear very promising to a cracker, but he has gained at least the knowledge that there's something there, i.e. a live computer. So perhaps this simple clue will be enough for the cracker to store your IP address for later, more sophisticated eavesdropping. And perhaps in the meantime you've started, then forgot to stop, an FTP server. See?
Really though, it is so easy to run a simple firewall on a desktop machine - shame on anyone who isn't doing so and gets hacked.
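The "deny everything, except let X, Y, Z through" policy the thread keeps coming back to, with the DROP behaviour described above, is short to write down. As an added example (not from Shorewall or anyone in this thread), the shell function below emits such a ruleset in `iptables-restore` format for the TCP ports given as arguments; it never touches the kernel, so the output can be reviewed before loading it with `iptables-restore`. The port list, the choice of DROP over REJECT and the conntrack matches are this example's assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example: generate a default-deny IPv4 INPUT ruleset (iptables-restore
# format). Inbound traffic is dropped unless it is loopback, a reply to a
# connection this host started, or a new TCP connection to a listed port.
# Review the output, then load it with:  iptables-restore < rules.v4

# Usage: default_deny_rules PORT [PORT...]   (prints the ruleset to stdout)
default_deny_rules() {
    for port in "$@"; do
        # Refuse anything that is not a plain port number.
        case "$port" in
            ''|*[!0-9]*) echo "default_deny_rules: bad port '$port'" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for port in "$@"; do
        # Only the services explicitly asked for get a NEW-connection ACCEPT.
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Sanity check before loading: how many ports does this ruleset open?
count_allowed() {
    default_deny_rules "$@" | grep -c -- '--dport'
}

default_deny_rules 22 80
```

Because the INPUT policy is DROP rather than REJECT, an unsolicited probe to any port that is not listed receives no answer at all, which is the behaviour the post above describes; everything the host initiates itself still works through the ESTABLISHED,RELATED rule.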
Linux kicks all azz. I use shorewall just for safety's sake because while there is no spyware/adware and very, very few viruses for Linux, I still like to have that one extra precaution, so I installed Clam antivirus and turned off every port on shorewall. I can still connect to anything I want, but the only service that will allow incoming connections is BitTorrent. It just makes my Linux box kick even more butt.