LinuxQuestions.org forum: Linux - Networking. This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I was just thinking. If, in theory, you turn off all the services that you don't need and maybe, for example, just leave port 80 open, as you want to serve some web pages.
Assuming you don't want to stop people getting out, what difference would it make having or not having a firewall?
I mean, whether you have the firewall or not, if there is a security problem in your program serving pages on 80 you could be hacked, right?
Using a firewall is just one of the things you need to do if you want to be secure (as secure as possible; 100% security is an illusion...).
But even if you serve web pages with (badly written) cgi/php code, you do limit the possibilities of breaking into your box. A potential 'hacker' can only misuse the cgi/php code (port 80); all other access is denied. I do agree that if this 'hole' is found, 'they' will probably try to use it to gain access to your box.
Security is a concept (firewall, good coding, regularly check/install security patches, etc.), not a one-step solution (install a firewall. Done.)
The way I am thinking about it, it's like a blanket over your system and you just choose what can come in and go out. For example, if you have a service running (that you don't know about) you can stop it from having access if you just set up your firewall to deny everything except specifically what you want out.
I can, however, understand that a firewall in theory (my crazy theory) would be much more handy if, for example, you wanted to control access of things going out, maybe from local users that you didn't trust. You could have services running, perhaps receiving and responding to requests but not making unsolicited ones???
Also, I just had a thought: firewalls can be 'learning' to prevent DoS attacks as well; can this not be done without a firewall?
Quote:
The way I am thinking about it, it's like a blanket over your system and you just choose what can come in and go out. For example, if you have a service running (that you don't know about) you can stop it from having access if you just set up your firewall to deny everything except specifically what you want out.
If you mean by blanket an extra layer of security, then you are correct.
I do believe you focus (too much) on the 'blocking outgoing' issue. If you (and maybe a few others in a larger environment) are the admin of a few boxes, you should know what's running on your machines and make sure that certain services aren't running (even better: not being installed at all). If, on the other hand, somebody is able to start a certain service, he/she has probably become root and is able to punch holes in your firewall anyway...
You are the upper being on those boxes. With that comes the responsibility to keep it safe and sound, even if it's only you that uses these machines.
Of course you do need to think about what goes to the outside and what not. Telnet is such a service. Take this scenario: the local network is allowed to use telnet (client/server installed, up and running); no telnet (in and out) is allowed from/to the outside world. I'm not going to explain how to do this, this being philosophical, but I hope you get the point.
Starting with a 'deny everything' firewall config and opening, one by one, only those things you need is the best way to approach setting up a firewall.
Quote:
I can, however, understand that a firewall in theory (my crazy theory) would be much more handy if, for example, you wanted to control access of things going out, maybe from local users that you didn't trust. You could have services running, perhaps receiving and responding to requests but not making unsolicited ones???
If you have to allow people you don't trust on your machine(s) you could do a lot of things to make sure that this user can only do what he/she needs to do. Setting up a firewall for this is not the way to go.
Quote:
Also, I just had a thought: firewalls can be 'learning' to prevent DoS attacks as well; can this not be done without a firewall?
Don't know, guess that it is possible. But why? You have a great tool (the firewall and some kernel settings) to take care of this.
Quote:
Am I on the right track??
Not on all points, but that's probably lack of knowledge. And gathering knowledge is why the internet was invented.
On an enterprise level, jimda, your thinking is not wrong, but you are not the first person to think of it. Many firewall and IDS programs have the ability to examine and control outgoing packets. There are also "learning" firewalls (I think it's Checkpoint that I've seen the demo of), but they are a kind of a pain and leave you with less of an understanding of what it is they are doing. It is *very* important in many corporate settings (and other settings I can imagine) that you would want to know exactly what was going out from behind your walls. Often the outgoing is more monitored (with Snort or some such) than controlled, but of course it's possible to do whatever you want.
Setting up a network to be hard on the outside and soft on the inside is a poor way to manage it, and there's no reason even small networks shouldn't be set up as securely as possible. After all, if you have time, how can you be too secure? Never trust others on machines you manage. It's too easy for them to make mischief, even when their intentions are not malicious.
At the least, a firewall adds a layer of logging to connections into your box. Reflexive security is available through various firewall and IDS products (see Cisco's bumph on the self-defending network, etc.).
Assuming you only want to serve web pages, so you turn off everything else and disable your firewall. Then you're hit by a traditional DoS. Now, with or without a firewall, on a home setup you are likely to see your machine fall over. But if you have a firewall, at least you can block that IP address.
Then you want to use Samba, so you turn that on as well. So that's two ports open on an unfirewalled box, open to the entire internet. The main advantage of a firewall then, as I see it, is that you can limit who has visibility of your services. And then there are cool things like NAT. All these points become even more important in a campus/corporate network.
I can see your point, but in my opinion, it doesn't hurt to be a bit over-protective of your network.
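The "deny everything, then open only what you need" approach druuna describes, together with the "at least you can block that IP address" rule from cleidh_mor's DoS point, as an added example that is not part of the thread. It builds an iptables ruleset for a box that only serves web pages to the internet, keeps Samba and SSH reachable from the LAN only, and logs what it drops. The interface name (eth0) and LAN range (192.168.1.0/24) are assumptions; DRY_RUN=1 (the default) prints the commands instead of running them so the ruleset can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the thread: the "deny everything, then open only
# what you need" ruleset druuna describes, for a box that serves web pages,
# plus the "block that IP" rule from the DoS discussion. Interface and
# network names below are assumptions; adjust them for your box.
# DRY_RUN=1 (default) prints the iptables commands instead of running them,
# so you can review the ruleset before applying it as root.

WAN_IF="${WAN_IF:-eth0}"                 # assumption: internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumption: trusted local network
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    ipt -F                 # start from an empty table
    ipt -X
    ipt -P INPUT DROP      # default deny for anything coming in
    ipt -P FORWARD DROP    # this box is not a router
    ipt -P OUTPUT ACCEPT   # the original question does not want outgoing blocked

    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this box opened, and related traffic (e.g. ICMP errors)
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # The only services the whole internet may reach: HTTP and HTTPS
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

    # Samba and SSH only from the LAN, and never on the WAN interface
    ipt -A INPUT ! -i "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 22,139,445 -j ACCEPT
    ipt -A INPUT ! -i "$WAN_IF" -s "$LAN_NET" -p udp -m multiport --dports 137,138 -j ACCEPT

    # Log what gets dropped (rate limited so a flood cannot fill the logs), then drop
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    ipt -A INPUT -j DROP
}

# "At least you can block that IP addr": insert a drop rule at the top of INPUT
block_ip() {
    ipt -I INPUT 1 -s "$1" -j DROP
}

if [ "${1-}" = "apply" ]; then
    build_rules
fi
```

Run it as `sh fw.sh apply` to see the commands, then `DRY_RUN=0 sh fw.sh apply` as root to load them; `block_ip 203.0.113.5` (an example address) drops a single flooding source at the top of the chain. A flood will still saturate a home link, as cleidh_mor says; the rule stops the box from spending CPU and memory on the packets once they arrive.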
First of all, thank you guys for all your replies.
druuna, I turn off all the services that I don't use, basically everything like ftp, samba, ssh. The thing that made me start thinking about all of this is that I want to set up a web server.
Also, I was wondering: if I use samba or similar over my computers locally to share files, is there any way that people could access them over the internet even though I have a router (smoothwall)? From your example I would guess that I should specifically not let it in or out from smoothwall?
Thanks for those links, I will have a read.
awdac, I understand what you're saying... it's a good idea to have the network as hard as possible all the way through; that way if, for example, they make their way past the firewall, you make it as difficult as possible for damage to be done on the internal network. I have snort running on smoothwall, which is interesting as I can see what's going on and who's trying to attack me.
cleidh_mor, that's a good point, that firewalls are good for hiding open ports. I am using NAT at the moment so I can share internet between computers, so I can surf while my girlfriend does as well.
Thanks again for all your info. I am not there yet but am starting to have a better idea of how firewalls work!
Quote:
druuna, I turn off all the services that I don't use, basically everything like ftp, samba, ssh. The thing that made me start thinking about all of this is that I want to set up a web server.
For normal web serving you need port 80 (if you did not change it); if you use secure http (https) too, you also need port 443.
Quote:
Also, I was wondering: if I use samba or similar over my computers locally to share files, is there any way that people could access them over the internet even though I have a router (smoothwall)? From your example I would guess that I should specifically not let it in or out from smoothwall?
It all depends on how things are set up. Some services 'bind' to all the possible IP numbers, i.e. the httpd service will listen on port 80, but does this for all the possible IP numbers. You can set it up so that httpd will only listen on port 80 on certain IP addresses/ranges (your local LAN, for example).
You mention samba: the config file (smb.conf) has an option to set the host(s) that are allowed (appropriately called 'hosts allow'). Only machine(s) from this IP (range) are allowed. Samba also has an 'interfaces' entry; here you tell samba on which interface ('network card') it should listen.
You need to take a look at the man pages for the appropriate service to see if such options exist.
Adding the extra firewall layer does not hurt, especially if you are 'new' to this stuff and are not sure if your config files are ok. But setting up a firewall is not the easiest thing to do either...
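A check for the binding problem druuna describes, as an added example that is not part of the thread: before trusting the firewall to hide a service, see which services are actually listening on every address (0.0.0.0, [::] or *) rather than only on the LAN address. The function reads `ss -lntu` output (ss from iproute2; using it live is an assumption about the box) and prints each wildcard listener. The sample output embedded below is constructed, not captured from a real machine; the addresses and which daemon owns which port are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: list services that listen on every
# address (0.0.0.0, [::] or *) instead of only the LAN address, so their bind
# settings can be tightened before relying on the firewall alone.
# Live use: ss -lntu | wildcard_listeners   (ss is from iproute2; assumption)

# Constructed sample of `ss -lntu` output (not real data). Hosts and ports
# are assumptions: httpd and sshd bound to all addresses, smbd to the LAN
# address only, chrony to loopback.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128    192.168.1.10:139   0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*'

# Reads ss output on stdin; prints "<proto> <port>" for each wildcard bind.
wildcard_listeners() {
    awk 'NR > 1 {
        addr = $5
        n = split(addr, parts, ":")            # port is after the last colon
        port = parts[n]                        # works for 0.0.0.0:80 and [::]:22
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "[::]" || host == "*")
            print $1, port
    }'
}

# Number of wildcard listeners in the constructed sample.
sample_wildcard_count() {
    printf '%s\n' "$SAMPLE_SS" | wildcard_listeners | wc -l | tr -d ' '
}

if [ "${1-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
fi
```

On the sample, port 80 and port 22 are reported and port 139 is not, because smbd there is already tied to the LAN address. To get a service off the wildcard list, use the daemon's own options druuna points at: for Samba, `interfaces = 192.168.1.10/24` with `bind interfaces only = yes`, plus `hosts allow = 192.168.1.` in smb.conf; for Apache, `Listen 192.168.1.10:80` instead of `Listen 80`. Re-run the check afterwards; a service that still shows up is one the firewall has to cover on its own.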