Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
My NAT router (Netgear WGR614) has a SPI firewall and blocks ICMP ping requests, and all ports - except for those I open myself - are stealthed according to Nmap and miscellaneous security websites. Is it a waste to install a firewall on my FreeBSD server also (the only forwarded ports are SSH, FTP and HTTP)?
Running a firewall at the server level gives you an additional layer of protection. If they somehow break through the router, or something happens that resets it to defaults, having the additional firewall will slow them down or stop them. Exploits found for your router are not likely to be exactly the same as exploits found for iptables.
Security is all about "hardening" the target. The harder it is to hack you (or break into your house) the more likely it is they'll move on to a softer target. So if you have a lock on your door and a thief breaks in he'll have another challenge if he finds all your valuables are in an embedded safe with a combination lock.
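What a host-level ruleset for the server in the question could look like, as an added example that is not from the thread or from any of its posters: a default-deny pf.conf for the FreeBSD server that opens only SSH, FTP and HTTP, limits SSH to a trusted source list, and rate-limits new SSH connections into a block table so a single persistent source stops filling the logs. The interface name em0, the addresses, the trusted source list and the passive FTP port range are all assumptions to adjust; the router's port forward normally preserves the real remote source address, which is what makes the source-based rules meaningful.

```pf
# /etc/pf.conf -- host firewall for a FreeBSD server behind a NAT router.
# Added example, not from the thread; interface, addresses and ranges are assumptions.
ext_if      = "em0"
server_ip   = "192.168.1.10"                    # static LAN address the router forwards to
admin_hosts = "{ 192.168.1.0/24, 203.0.113.5 }" # sources allowed to reach SSH (assumed)
pasv_ports  = "49152:49200"                     # passive-mode data range configured in ftpd (assumed)

table <bruteforce> persist      # filled by the overload rule below; survives reloads

set skip on lo0
set block-policy drop           # drop silently, like the router's "stealth" behaviour
scrub in all

# Default deny in both directions; log the drops so /var/log/pflog shows the noise.
block in log all
block out all

# Anything from a source that already tripped the SSH rate limit is dropped first.
block in quick on $ext_if from <bruteforce>

# Outbound: allow what the host itself initiates, keeping state for the replies.
pass out on $ext_if proto { tcp udp icmp } from $server_ip keep state

# SSH: trusted sources only, at most 5 new connections per 30 s per source.
# Offenders go into <bruteforce> and their existing states are torn down.
pass in on $ext_if proto tcp from $admin_hosts to $server_ip port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# FTP: control channel plus the passive data range. Active-mode FTP
# would additionally need ftp-proxy(8); it is not handled here.
pass in on $ext_if proto tcp from any to $server_ip port { 21, $pasv_ports } \
    flags S/SA keep state

# HTTP
pass in on $ext_if proto tcp from any to $server_ip port 80 flags S/SA keep state

# Optional: a service that should only ever be reached from known hosts,
# e.g. a database, gets the same treatment as SSH.
# pass in on $ext_if proto tcp from $admin_hosts to $server_ip port 3306 \
#     flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, enable pf with `pf_enable="YES"` in /etc/rc.conf, and inspect the automatically populated block list with `pfctl -t bruteforce -T show`. Because the ruleset drops inbound by default, a mistake in the SSH rule locks you out remotely, so test it from the LAN console first.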
Having a firewall running on the client, as well as on the router, is not a bad idea; it's called defense in depth. If you trust the router, and yours is the only host on the subnet, then you don't need the client firewall.
I run a firewall on my desktop, but open some ports to the LAN. Those ports are blocked at the network firewall (actually, it drops everything and only allows some ports through... only SSH, in fact).
I do this just in case my firewall is compromised (which would, admittedly, give the attacker access to password-protected SMB, a couple of NFS shares (i.e., deb repository), and cupsd).
I only use iptables; my router is configured to port-forward everything to my (Linux) PC's static IP, but the most hazardous traffic is filtered out by MY OWN ISP. Can you believe that? I only receive some occasional alerts due to the P2P-like setup.
Quote: but the most hazardous traffic is filtered out by MY OWN ISP. Can you believe that? I only receive some occasional alerts due to the P2P-like setup.
It is not unknown for ISPs to do their own filtering. I know that Cox filters traffic. I also know that Verizon does not appear to filter traffic before it reaches my LAN.
I have my gateway filtering all inbound and I allow all outbound (not my choice, as the gateway device won't allow me to filter outbound), yet I also use Snort in a manner that lets me see all outbound traffic. I also monitor internal traffic. Since my gateway won't let me get granular in applying outbound filters, I use Snort to glimpse traffic so that I know when a server is getting hammered or may be infected and propagating outbound.
I also have poked holes in my gateway, allowing port 22 and port 3306 to one machine, yet I also have a firewall on the machine that serves port 22 and 3306 traffic. I'm glad that I do, as I've found that there's an infected machine out in the wild that has begun hammering my MySQL server. Since I'm only allowing certain IPs to connect on ports 22 and 3306, I'm OK, but it's highly irritating to see my logs bulk up because of one persistent IP.
So, I agree...security-in-depth (or layered security) is the better approach, especially if you're using a gateway router that isn't as configurable as a *nix firewall.
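The two things this post watches for, one external host hammering a forwarded port and an internal host propagating outbound, can be pulled out of the host firewall's own log without Snort. The script below is an added example, not the poster's tooling: it parses the line format `tcpdump -n -e -ttt -r /var/log/pflog` prints for pf rules that log (a ruleset with `block in log` and `pass out log`), counts dropped inbound SYNs per source and port, counts how many distinct destinations each internal host opened on a given port, and emits the `pfctl -t ... -T add` commands that would drop a persistent source into a pf table. The log lines, the table name `bruteforce` and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of what `tcpdump -n -e -ttt -r /var/log/pflog` prints
# (documentation address ranges; not a real capture).
SAMPLE_PFLOG = """\
00:00:00.000000 rule 3/0(match): block in on em0: 198.51.100.23.40112 > 192.168.1.10.3306: Flags [S], seq 1, win 65535, length 0
00:00:00.212044 rule 3/0(match): block in on em0: 198.51.100.23.40113 > 192.168.1.10.3306: Flags [S], seq 1, win 65535, length 0
00:00:00.400312 rule 3/0(match): block in on em0: 198.51.100.23.40114 > 192.168.1.10.3306: Flags [S], seq 1, win 65535, length 0
00:00:01.001928 rule 3/0(match): block in on em0: 203.0.113.9.55000 > 192.168.1.10.22: Flags [S], seq 1, win 65535, length 0
00:00:01.103300 rule 3/0(match): block in on em0: 198.51.100.23.40115 > 192.168.1.10.3306: Flags [S], seq 1, win 65535, length 0
00:00:02.000001 rule 7/0(match): pass out on em0: 192.168.1.10.51522 > 203.0.113.50.80: Flags [S], seq 1, win 65535, length 0
00:00:02.500000 rule 7/0(match): pass out on em0: 192.168.1.12.51523 > 203.0.113.61.25: Flags [S], seq 1, win 65535, length 0
00:00:02.600000 rule 7/0(match): pass out on em0: 192.168.1.12.51524 > 203.0.113.62.25: Flags [S], seq 1, win 65535, length 0
00:00:02.700000 rule 7/0(match): pass out on em0: 192.168.1.12.51525 > 203.0.113.63.25: Flags [S], seq 1, win 65535, length 0
00:00:02.800000 rule 7/0(match): pass out on em0: 192.168.1.12.51526 > 203.0.113.64.25: Flags [S], seq 1, win 65535, length 0
"""

# "rule N/M(match): ACTION DIR on IF: SRC.SPORT > DST.DPORT: Flags [F]"
PFLOG_RE = re.compile(
    r"rule \d+/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_pflog(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def _is_new_connection(rec):
    # A bare SYN. tcpdump prints SYN/ACK as "S.", so replies are excluded.
    return rec["flags"] == "S"


def blocked_inbound_by_source(records, min_hits=3):
    """(src, dport) -> number of dropped inbound SYNs, for sources at or above min_hits."""
    counts = defaultdict(int)
    for rec in records:
        if rec["action"] == "block" and rec["dir"] == "in" and _is_new_connection(rec):
            counts[(rec["src"], rec["dport"])] += 1
    return {key: n for key, n in counts.items() if n >= min_hits}


def outbound_fanout(records, min_targets=3):
    """(internal src, dport) -> number of distinct destinations it opened on that port.

    One host opening connections to many different destinations on a single port
    (25, 445, 3306, ...) is the shape of an infected machine propagating or spamming.
    """
    targets = defaultdict(set)
    for rec in records:
        if rec["action"] == "pass" and rec["dir"] == "out" and _is_new_connection(rec):
            targets[(rec["src"], rec["dport"])].add(rec["dst"])
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) >= min_targets}


def pfctl_block_commands(blocked, table="bruteforce"):
    """Commands (returned, not executed) that add each offending source to a pf table."""
    sources = sorted({src for src, _ in blocked})
    return [f"pfctl -t {table} -T add {src}" for src in sources]


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for (src, port), n in blocked_inbound_by_source(recs).items():
        print(f"persistent scanner: {src} hit port {port} {n} times")
    for (src, port), n in outbound_fanout(recs).items():
        print(f"outbound fan-out: {src} opened connections to {n} hosts on port {port}")
    for cmd in pfctl_block_commands(blocked_inbound_by_source(recs)):
        print(cmd)
```

Run against a real log with `tcpdump -n -e -ttt -r /var/log/pflog | python3 pflog_triage.py` after changing the `__main__` block to read stdin; the thresholds are deliberately low for the ten constructed lines and should be tuned to the traffic you actually see. The fan-out check only works if the outbound pass rule logs, which costs disk on a busy host, so log only the ports you care about.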