LinuxQuestions.org
Old 10-13-2004, 03:43 PM   #16
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 50

Someone said to me "Linux can be the most secure system of them all, but also the least secure. Everything depends on the user".

This is somewhat true and I use a firewall just to close all my ports except for SSH-port 22 out to my school.

You can play with ports and such with "iptables" (read man) and you should also check out /etc/hosts.allow and /etc/hosts.deny, they can be really handy. :)

/MezzyMeat
 
Old 10-13-2004, 06:51 PM   #17
Gormless
Member
 
Registered: Oct 2004
Distribution: Fedora Core 2, Knoppix
Posts: 105

Original Poster
Rep: Reputation: 15
As of right now, I have a D-Link router hardware firewall. (Exact model is DI-604 if you are interested.) On security tests (Shields up and Symantec), the router has been pretty effective at stopping things from getting through to me. However, on the flipside, it's really not good at all at checking what's coming out of the network. For instance, if someone were to hijack my computer with a trojan or attempt to steal personal information via setting up some sort of program on my computer that would relay information back to the maker of the program, all the info would most likely get past my hardware firewall. I think that I may need to set up a firewall to keep a tab on what's flowing out of my computer as well as what is flowing in. Am I just being paranoid or does any of this sound reasonable?

Last edited by Gormless; 10-13-2004 at 06:53 PM.
 
Old 10-14-2004, 06:33 AM   #18
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
hardware firewalls work because they are routers that serve many machines with only one ip address. if a new unrelated and unestablished packet arrives, the firewall doesn't know which machine to re-direct it to.

provided you do not have port forwarding, it's unlikely anyone can get into your machine.

so.... the only way i can see some1 getting into your system...

1)trick you into viewing a website they own so they can get info on what browser you are running.
2)assuming a buffer overflow exploit exists... find one, apply it to their site, then trick you into viewing it again.
3)the overflow exploit virii would then need to be created without even knowing anything about what programs or services you are running, and made to gain root access.
4)it would then need to find a way to steal your firewall password (keylogging ?) so it can setup port forwarding and open a back door.

i think this is as secure as you are going to get.
besides. if the virii got to #3, it would turn off your iptables firewall easy.

you're being paranoid in my opinion.
 
Old 10-14-2004, 08:07 AM   #19
flashingcurser
Member
 
Registered: Jan 2003
Distribution: many win/nix/mac
Posts: 259

Rep: Reputation: 32
One side note about firewalls: They do NO good if

1 A port is open/forwarded (most likely because you need it for a useful service)

2 The service/program bound to that port is exploitable


Point is-- make sure your software is up to date!

I agree with the above statements about a hardware firewall. A hardware firewall should be your first line of defense. Your second line of defense should be a good software firewall (like iptables or sygate for windows).
 
Old 10-15-2004, 08:18 PM   #20
Gormless
Member
 
Registered: Oct 2004
Distribution: Fedora Core 2, Knoppix
Posts: 105

Original Poster
Rep: Reputation: 15
Quote:
i think this is as secure as you are going to get.
besides. if the virii got to #3, it would turn off your iptables firewall easy.

you're being paranoid in my opinion.

Ok then....lol I'll just sit back, relax, and trust in my router firewall.
 
Old 10-17-2004, 08:57 PM   #21
Gormless
Member
 
Registered: Oct 2004
Distribution: Fedora Core 2, Knoppix
Posts: 105

Original Poster
Rep: Reputation: 15
Just switched to Fedora Core 2 and enabled its firewall. So now I have two active barriers to my LinuxBox. Whohoo!
 
Old 10-17-2004, 11:37 PM   #22
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
i think the quote is... "Those who do not understand unix are doomed to re-create it poorly for all eternity"
 
Old 10-19-2004, 02:45 PM   #23
Gormless
Member
 
Registered: Oct 2004
Distribution: Fedora Core 2, Knoppix
Posts: 105

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by qwijibow
i think the quote is... "Those who do not understand unix are doomed to re-create it poorly for all eternity"
Well said...lol!
 
Old 10-23-2004, 08:52 PM   #24
TenEighty
Member
 
Registered: Oct 2004
Location: Vancouver, B.C., Canada
Distribution: Kubuntu
Posts: 59

Rep: Reputation: 15
I'm using Slackware 10.0 and it doesn't seem to include a firewall like Mandrake. I also blew all my disposable cash (plus lots of non-disposable) on the new computer (one thing led to another and before I knew it...) and so I won't be buying a hardware firewall any time soon.

So, what are good free firewalls for linux? I checked out Smoothwall, but it appears that it will only turn my only machine into a dedicated hardware firewall. I'm about to try Firestarter. Are there others I should consider? Some more secure, more features?

Thanx.
 
Old 10-23-2004, 10:26 PM   #25
Skyline
Senior Member
 
Registered: Jun 2003
Distribution: Debian/other
Posts: 2,104

Rep: Reputation: 45
Guarddog is one option/alternative :

http://www.simonzone.com/software/guarddog/
 
Old 10-24-2004, 08:22 AM   #26
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Rep: Reputation: 232Reputation: 232Reputation: 232
Quote:
Originally posted by TenEighty
I'm using Slackware 10.0 and it doesn't seem to include a firewall like Mandrake. I also blew all my disposable cash (plus lots of non-disposable) on the new computer (one thing led to another and before I knew it...) and so I won't be buying a hardware firewall any time soon.
Your distribution does include a mechanism used to build firewalls. It's called iptables. Mandrake (and other 'easier' distros) have tools that make such building easier. In your case the easiest solution will be to search the forum for 'iptables scripts'. There are many examples here, for different situations. You can choose one that fits your requirements best (and probably needs some modifications) and use it in your system (which usually means just adding the script to your starting ones).
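
An added example, not part of the post above and not a script from the forum: a minimal single-host ruleset of the kind the thread discusses, printed in iptables-restore format. It drops unsolicited inbound traffic except SSH from one source network and logs new outbound connections with the owning UID; the function names and the sample network 192.0.2.0/24 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print a host firewall ruleset in
# iptables-restore format. Function names and sample networks are assumptions.

# valid_cidr ADDR[/PREFIX]: succeed only for a dotted-quad IPv4 address with an
# optional 0-32 prefix, so nothing else can be spliced into a rule line.
valid_cidr() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    addr=${1%/*}
    prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# emit_ruleset SSH_SRC: default-deny inbound, allow replies to our own
# traffic, allow new SSH only from SSH_SRC, and log (not block) each new
# outbound connection together with the UID of the process that opened it.
emit_ruleset() {
    ssh_src=$1
    valid_cidr "$ssh_src" || { echo "bad SSH source: $ssh_src" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $ssh_src --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT-NEW: " --log-uid
COMMIT
EOF
}

# Stand-alone use: ./ruleset.sh 192.0.2.0/24
if [ $# -gt 0 ]; then emit_ruleset "$1"; fi
```

As root, `emit_ruleset 192.0.2.0/24 | iptables-restore --test` parses the rules without committing them.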
 
Old 11-01-2004, 10:27 PM   #27
TenEighty
Member
 
Registered: Oct 2004
Location: Vancouver, B.C., Canada
Distribution: Kubuntu
Posts: 59

Rep: Reputation: 15
Okay, so I seem to understand now... Firestarter and Guarddog, both of which I have now tried, are GUI interfaces for iptables which is included with Slack in the first place. Okay.

I had a problem with firestarter hanging when I used ShieldsUP at GRC.com to scan my computer, though it scored nearly perfect. I installed Guarddog and it seems to work a little better, and there's a lot more flexibility with individual protocol permissions.

??
I was wondering if program control was an issue in Linux, such as Zone Alarm in, um, windows... where individual programs are granted access to the internet, and the user is notified if a new or altered program tries to connect.
??
 
Old 11-01-2004, 11:03 PM   #28
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
Quote:
??
I was wondering if program control was an issue in Linux, such as Zone Alarm in, um, windows... where individual programs are granted access to the internet, and the user is notified if a new or altered program tries to connect.
??
this is called a personal firewall, and as far as i'm aware, is not available in linux.

Iptables deals only in network traffic... all it knows about traffic is what's in the IP packet... Ports, type of service, source and destination IP's, but not what program generated the traffic.
 
Old 11-02-2004, 09:11 AM   #29
toddnappi
LQ Newbie
 
Registered: Oct 2004
Location: NJ
Posts: 16

Rep: Reputation: 0
Wow! No one mentioned the linux hardware firewall... www.smoothwall.org. It has an extremely dedicated following. You do need an old computer, though. Check it out.
 
Old 11-02-2004, 11:27 AM   #30
justin_p
Member
 
Registered: Jan 2004
Location: Virginia, USA
Distribution: slack 13; I've used it all :)
Posts: 433

Rep: Reputation: 30
guarddog and firestarter do the same thing for linux as zone alarm for windows. Both keep out unwanted traffic. Also, make sure that only the services you need are enabled; you only need httpd if you're running a server. Do a search here for more info.
 
  


All times are GMT -5.