LinuxQuestions.org > Forums > Linux Forums > Linux - General
Old 10-26-2005, 07:54 PM   #1
Vgui
Member
 
Registered: Apr 2005
Location: Canada
Distribution: Slackware
Posts: 496

Rep: Reputation: 31
Why even use a firewall?


Hi all,
I've been using Shorewall as a firewall for my Slackware install (as a reflex I installed it). After a while, I realized why use a firewall? Let me explain...
Firewalls (as I understand) are basically a front for iptable rules. I don't understand why a port needs to be blocked if there is nothing running on that port? If no services are running on the computer, is a firewall even needed?
What about using iptables and basically saying "deny everything, except let X, Y, Z service through". In the end, do firewalls just do this?
Any ideas / discussion would be great on this, as over time I've been wondering more and more...
 
Old 10-26-2005, 08:18 PM   #2
Moloko
Member
 
Registered: Mar 2004
Location: Netherlands
Distribution: Debian
Posts: 729

Rep: Reputation: 30
Since there is no spyware for Linux I don't think it's useful to make iptables application based. There are some projects about this though.

Opening some ports and closing the rest is a normal practice. If you open port 80, the security on that port depends upon how secure Apache or another web server is.

With hosts.allow and hosts.deny you can configure services as well. This should be secure already. I do have a tight firewall, but I use a NAT router, so I needed iptables anyway.
 
Old 10-26-2005, 10:04 PM   #3
IBall
Senior Member
 
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Posts: 2,088

Rep: Reputation: 62
iptables is a firewall (sort of). Programs like shorewall and Guarddog are frontends that create iptables rules.

It is a good idea to have a correctly set up firewall, because that just adds an extra level of security. As I understand it, you don't need to have an application listening to a port for that port to be vulnerable. You are right that it is best not to have unnecessary services running. For example, why run Apache if you don't want a web server?

--Ian
 
Old 10-26-2005, 11:16 PM   #4
amosf
Senior Member
 
Registered: Jun 2004
Location: Australia
Distribution: Mandriva/Slack - KDE
Posts: 1,672

Rep: Reputation: 46
I run a separate firewall (smoothwall) router box. That way I can have internal ports open, file sharing, ssh, etc, but have it all firewalled to the internet. I just open the ports I actually need open...
 
Old 10-26-2005, 11:20 PM   #5
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
You usually do have to have an application running on a port for it to be vulnerable, although it's possible if there was a kernel vulnerability that you'd be exposed. The reason you always run a firewall is that it's far easier and more reliable to just have shorewall configure iptables to say 'deny all incoming connections from the net' than it is to strip your machine down to almost nothing running in order to make sure no ports are being listened on.
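The "deny everything, then let X, Y, Z through" scheme asked about in post #1 and described in post #5 is short enough to show in full. The script below is an added example, not anything posted in this thread and not Shorewall's own output: it prints the iptables commands a front-end like Shorewall ends up generating for one external interface and a small allow list. The interface name `eth0`, the port list and the `FW-DROP:` log prefix are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal default-deny IPv4 INPUT policy.
# gen_rules prints the iptables commands for review; --apply executes them.
EXT_IF=eth0             # assumed external interface
ALLOWED_PORTS="22 80"   # assumed services to expose: ssh and http

gen_rules() {
    ifc=$1; shift
    # Flush INPUT and make "drop" the default verdict for anything not matched.
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback stays open; local daemons talk to each other over it.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host initiated are allowed back in.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Packets that belong to no known connection and are not a valid new one.
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    # The explicit allow list: one rule per service, new connections only.
    for p in "$@"; do
        echo "iptables -A INPUT -i $ifc -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate-limited) what the INPUT policy is about to drop, so probes
    # show up in the kernel log instead of vanishing silently.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP: \""
    # IPv6 is a separate table: the same rules must also be issued to ip6tables.
}

# Usage: sh firewall.sh            # print the rules for review
#        sh firewall.sh --apply    # execute them (as root)
case "${1-}" in
    --apply) gen_rules "$EXT_IF" $ALLOWED_PORTS | sh ;;
    *)       gen_rules "$EXT_IF" $ALLOWED_PORTS ;;
esac
```

The order matters: loopback and established-connection rules come first so that the allow list only has to name services, and the LOG rule sits last so that only traffic nothing else claimed is recorded before the DROP policy takes it.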
 
Old 10-26-2005, 11:50 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Yes, iptables is a packet filtering firewall.

You can run no services and have nothing listening on your service ports, thereby keeping them closed. Ok, that's one approach. Personally, the firewall does not take up much in the way of resources, and humans are known to err occasionally, so I run a firewall.
 
Old 10-27-2005, 12:43 AM   #7
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 269
Quote:
Originally posted by Moloko
With hosts.allow and hosts.deny you can configure services as well. This should be secure already.
Take note that not all applications are compiled or configured by default to use hosts.allow and deny and won't always work. A firewall in place is the better option or action to take to fully secure your system.
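The point trickykid makes is checkable: hosts.allow and hosts.deny are only consulted by programs linked against libwrap (or started through a wrappers-aware super-server). The script below is an added example, not from this thread, that walks the host's listening TCP sockets and reports which daemons would actually honour those files. It assumes `ss -H -ltnp` output in the usual iproute2 layout and read access to `/proc/<pid>/exe`, so it needs root to map sockets to processes; the sample `ss` and `ldd` lines used in the comments and tests are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: which listening daemons link libwrap,
# i.e. would consult /etc/hosts.allow and /etc/hosts.deny at all?

# Print "port pid" for one line of `ss -H -ltnp`. Constructed line shape:
#   LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
# Field 4 is Local Address:Port (also handles [::]:22 and *:22).
parse_ss_line() {
    port=$(printf '%s\n' "$1" | awk '{print $4}' | sed 's/.*://')
    pid=$(printf '%s\n' "$1" | sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p')
    [ -n "$port" ] && [ -n "$pid" ] && printf '%s %s\n' "$port" "$pid"
}

# Read `ldd` output on stdin; succeed if the binary is dynamically linked
# against libwrap. Static linking or dlopen() of libwrap is not detected.
ldd_links_libwrap() {
    grep -q 'libwrap\.so'
}

# Walk every listening TCP socket on this host and report the verdict.
# A service spawned by inetd/tcpd or xinetd shows up under the super-server's
# binary, which is where the libwrap check belongs in that case.
audit_tcpwrappers() {
    ss -H -ltnp 2>/dev/null | while IFS= read -r line; do
        pp=$(parse_ss_line "$line") || continue
        port=${pp% *}; pid=${pp#* }
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        if ldd "$exe" 2>/dev/null | ldd_links_libwrap; then
            verdict="libwrap: hosts.allow/deny apply"
        else
            verdict="no libwrap: hosts.allow/deny ignored"
        fi
        printf 'port %-5s %-30s %s\n' "$port" "$exe" "$verdict"
    done
}

# Uncomment to run the audit on this host (as root):
# audit_tcpwrappers
```

Any port reported as "hosts.allow/deny ignored" is reachable regardless of what those two files say, which is exactly the gap a packet filter closes.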
 
Old 10-27-2005, 12:50 AM   #8
Vgui
Member
 
Registered: Apr 2005
Location: Canada
Distribution: Slackware
Posts: 496

Original Poster
Rep: Reputation: 31
Hmm, some interesting replies. The kernel vulnerabilities were particularly interesting, as I didn't know a non-listening and non-closed port could still be a security issue.
The main thing I am trying to see is if firewalls are just used...sort of as a reflex, or "just because", or "just in case", especially if the person has moved from Windows to Linux, where not having a firewall would be unthinkable.
Using Shorewall (or another firewall) wasn't an issue of resources, it was just if it was truly needed or if everyone just did it because everyone else was. It's too bad that a simple iptables scheme wouldn't be as effective.
Thanks for the answers everyone, keep the opinions and ideas coming!
 
Old 10-27-2005, 02:00 AM   #9
danimalz
Member
 
Registered: Jul 2005
Location: West Coast South, USA
Distribution: debian 3.1
Posts: 267

Rep: Reputation: 36
Another reason to use a firewall....

I'm not an expert, at all, and please everyone point out any errors in my thinking here...

From what I know, a lot of hackers (really 'crackers') out there today use automated searches, or 'scans' to identify potentially vulnerable machines. These are very, very simple 'sweeps' of blocks of IP addresses, and yours may be one of them at any given moment. The feedback from these scans is recorded and the cracker will then analyze this data and discard or keep any particular address for later attacking based on the revealed vulnerabilities.

Now, these types of scans (read up on nmap) will return different results based upon the type of scan, and the state of the machine using the IP address being scanned. For example, if you are running an IPTables-based firewall set to 'drop' all packets from the outside, then the cracker's scan won't even know that there's a computer living at that address. Very likely, the cracker will not be interested in this particular IP address and will discard it. However, a computer that is not firewalled may respond in predictable ways to certain types of scans even if there are no services running on the targeted machine. This type of return data may not appear very promising to a cracker, but he has gained at least the knowledge that there's something there - i.e. a live computer. So perhaps this simple clue will be enough for the cracker to store your IP address for later, more sophisticated eavesdropping. And perhaps in the meantime you've started, then forgot to stop an FTP server. See?

Really though, it is so easy to run a simple firewall on a desktop machine - shame on anyone who isn't doing so and gets hacked.
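The sweeps danimalz describes leave a trace once the firewall logs what it drops, and that trace is the defender's side of the story. The script below is an added example, not from this thread: it reads kernel log lines produced by an iptables LOG rule and lists sources that probed several distinct ports on the host. It assumes a rule of the form `iptables -A INPUT -j LOG --log-prefix "FW-DROP: "` ahead of the DROP policy; the log lines embedded in it are constructed (TEST-NET addresses), not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a default-deny firewall's log.
# One source touching many different destination ports within a short window
# is the address sweep described above.

# Constructed sample of kernel log lines (not captured from a real host).
SAMPLE_LOG='Oct 27 02:00:01 box kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=41234 DPT=22 SYN
Oct 27 02:00:01 box kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=41235 DPT=80 SYN
Oct 27 02:00:02 box kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=41236 DPT=21 SYN
Oct 27 02:00:02 box kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=41237 DPT=23 SYN
Oct 27 02:00:09 box kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TTL=48 PROTO=TCP SPT=51000 DPT=22 SYN
Oct 27 02:00:15 box kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TTL=48 PROTO=TCP SPT=51001 DPT=22 SYN
Oct 27 02:00:20 box kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0'

# Read log lines on stdin; print "src distinct_ports packets" for every source
# that hit at least $1 distinct TCP/UDP destination ports (default 3).
# Lines without a DPT= field (ICMP, for instance) are counted for nothing.
sweep_sources() {
    min=${1:-3}
    grep 'FW-DROP:' | awk -v min="$min" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            pkts[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END {
            for (s in ports)
                if (ports[s] >= min) printf "%s %d %d\n", s, ports[s], pkts[s]
        }' | sort
}

# Run the detector over the constructed sample: only 203.0.113.5 qualifies,
# 198.51.100.77 retried a single port and the ICMP echo has no DPT at all.
sweep_report() {
    printf '%s\n' "$SAMPLE_LOG" | sweep_sources 3
}

# On a live host: journalctl -k | sweep_sources 3   (or grep FW-DROP /var/log/kern.log | sweep_sources)
sweep_report
```

The threshold separates a sweep from a repeated connection attempt against one service, which is a different event and usually a different response.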
 
Old 10-27-2005, 02:06 AM   #10
dudeman41465
Member
 
Registered: Jun 2005
Location: Kentucky
Distribution: Debian
Posts: 794

Rep: Reputation: 56
Linux kicks all azz. I use shorewall just for safety's sake because while there is no spyware/adware and very very few viruses for linux, I still like to have that one extra precaution so I installed clam antivirus and turned off every port on shorewall. I can still connect to anything I want but the only service that will allow incoming connections is bit torrent. It just makes my linux box kick even more butt.
 
All times are GMT -5.