LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-18-2005, 11:29 AM   #76
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116Reputation: 116

I fail to see your point. Either you do not wish for some programs to start outbound connections, in which case configure them not to, or you do wish them to start connections in which case you'd set your firewall to allow them anyway.
 
Old 04-18-2005, 01:13 PM   #77
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally posted by Proud
I fail to see your point. Either you do not wish for some programs to start outbound connections, in which case configure them not to
without a firewall, how would you configure network access for a (possibly evil) program that isn't currently installed on your system??

Quote:
or you do wish them to start connections in which case you'd set your firewall to allow them anyway
yes, but ONLY them... by not using the firewall you are essentially allowing everything to go through, whether or not it's traffic that you consider neccesary for your box's purpose...

without a firewall you have no centralized way of limiting network access for programs, and no way at all to limit ones that aren't installed on your system at the current time... this includes SPYWARE and TROJANS...

here's some simple/stupid examples of what i mean:

INCOMING: let's say you have apache and vsftpd running on your box... so using your method, you'd make sure that those two are the only daemons running... you scan your box and you make sure every port except 21/tcp and 80/tcp is closed... okay... so here comes regular user joe and he logs-into the box to work, but he's bored (or whatever) and so with a couple mouse clicks he installs a proxy server on your box (either on purpose or by accident - that's beside the point) and has it listening on 3128/tcp... see how easy that was?? he didn't have to do anything else (not even become root) and HE had a daemon listening on YOUR box (>1024/tcp)... so now you have your firewall-less box not only doing web and ftp, but also doing who knows what kinda proxying for who knows who... the bandwidth-stealing possibilities for the script kiddies will be endless... in no time your box could be serving-up kiddie pr0n to the web and hosting a mirror for some script kiddie's customized knoppix cd... if you would have had a simple firewall (allowing only 80/tcp and 21/tcp), something as simple as:
Code:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --dport 80 -m state --state NEW -j ACCEPT
then even though your web and ftp servers would be able to listen on the network, user joe wouldn't have been able to make his proxy or trojan or whatever listen on the network (unless he would find a way to gain superuser powers and alter the firewall's rules)...

OUTGOING: let's say it's the box you installed for grandma... she just uses it (for example) to surf webmd.com and to check hotmail.com... the thing is one day she gets an evil executable in her mailbox... of course grandma doesn't even know what an executable is... well she clicks the bastard and guess what, an ftp session is initiated with some script kiddie's ftp server and all of grandma's documents are uploaded to it... so now grandma's privacy has been completely obliterated - all because you didn't wanna install a firewall for her... of course this is obvioulsy just a ridiculous example (just enough to make a point), but since she only used webmd.com and hotmail.com you could have easily used a firewall to restrict outgoing traffic to 80/tcp and 443/tcp, which would have prevented the evil executable from starting an ftp session and sending grandma's docs over the internet:
Code:
iptables -P OUPUT DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --dport 443 -m state --state NEW -j ACCEPT
or if was a NAT firewall on a LAN it might look something like:
Code:
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 443 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -p ALL -o eth0 -j MASQUERADE
with those simple rules above i could also give a port-scan example... like, without a firewall any user could start port-scanning someone's server from your IP... they could sit there and portscan nsa.gov all day without your consent, for example... and the firewall logs at nsa.gov will show YOUR IP as the source of the scans... so when you come back home from work you find the men in black taking your computer away and your son/daughter is like "ummm... sorry dad..."... if you would have used the simple/stupid firewall rules above your son/daughter's port-scan would have never worked - even though they would still have been able to surf the web in peace...


Last edited by win32sux; 04-18-2005 at 08:25 PM.
 
Old 04-18-2005, 01:55 PM   #78
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116Reputation: 116
My point was regards a desktop linux box, and so you see the problem comes down to users doing stupid things like running malicious email attachments that target linux(who gets these?), or deliberately running e.g. a proxy server. However as you state then a normal firewall should prevent such activites. But normally on a desktop linux box if you trust your currently installed software and keep it patched you have a severly reduced need for the firewall.
 
Old 04-18-2005, 02:13 PM   #79
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally posted by Proud
My point was regards a desktop linux box, and so you see the problem comes down to users doing stupid things like running malicious email attachments that target linux(who gets these?), or deliberately running e.g. a proxy server.
in this case i don't see it that way... i see the problem comes down to system adminstrators doing very stupid things (like not using a firewall) and hence not having that extra layer of security when the users do their stupid things...

by not using a firewall the sysadmin is basically saying: "hey go ahead and make any daemon you want listen on a non-root port, no problem"... or even worse: "go ahead and send any type of packets you want out to the external network, i don't care"...
Quote:
But normally on a desktop linux box if you trust your currently installed software and keep it patched you have a severly reduced need for the firewall.
where on earth did you get THAT idea???... using trusted software and keeping your software updated has absoloutely nothing to do with configuring network access... maybe you could explain how the situation in my hypothetical examples would have been avoided by having "trusted" and "patched" software installed without a firewall in place, cuz AFAIK: IT WOULDN'T HAVE...


Last edited by win32sux; 04-18-2005 at 02:25 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Which services are unnecessary? revenant Linux - Security 4 03-28-2004 11:43 PM
Kernel 2.6 and Firewall's ghostwalker Linux - Security 4 01-26-2004 03:36 AM
unnecessary user accounts linen0ise Slackware 2 09-19-2003 09:27 AM
Firewall's and MSBlast qwijibow Linux - Security 15 08-26-2003 09:54 PM
Firewall's proxy settings. silverstriip Linux - Networking 1 08-20-2003 02:32 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:04 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration