LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-18-2008, 04:05 PM   #1
Steve W
Member
 
Registered: Mar 2007
Distribution: Linux Mint 18.1
Posts: 520

Rep: Reputation: 44
Firewalls in Linux?


This is a typical newbie question that I tried to find the answer to by Googling for it. Could not find a definitive answer so hope I'll get one by asking directly here!

The question is simple: Do I need firewall software when running desktop Linux?

The top name produced from my Googling was "Firestarter", but this also produced claims that all it did was configure the (already existing) iptables contained in the kernel. So basically it seems Linux already has a built-in firewall; so the problems Windows users have do not exist (in the same way) for Linux home desktop users. Unless I'm running a big network or servers or something. All Linux firewall does apparently is allow you to tweak the firewall Linux has by default.

Can anyone confirm that this is the case?

(I should point out here that I wouldn't know an IP table from a picnic table, so no overly-technical answers please!)
 
Old 10-18-2008, 04:27 PM   #2
IsharaComix
Member
 
Registered: Sep 2008
Location: Raleigh
Distribution: Ubuntu 8.10
Posts: 88
Blog Entries: 1

Rep: Reputation: 15
Here's a newbie-style answer from my perspective...

Yes, Linux has a built-in firewall in its iptables database. All a firewall does is two things: it blocks things from certain addresses on the internet, and to certain ports on your computer. IPtables lets you set up your blacklist and change the ports they can send stuff to.

This is an extremely non-technical answer. This is what I've gathered from watching a video on Red Hat's website that gives you a taste of how IPtables work. https://www.redhat.com/v/training/ogg/RH253_REV3.ogg

If someone else could expand on my answer, I'd really find it helpful, too. This is something I'm curious about too.
 
Old 10-18-2008, 11:20 PM   #3
sleddog
Member
 
Registered: Jan 2002
Location: Labrador, Canada
Distribution: CentOS, Debian
Posts: 182

Rep: Reputation: 35
An application like Firestarter is a graphical 'frontend' to iptables. iptables itself is very powerful, and quite complex. Firestarter attempts to make configuration and management of your iptables firewall easier.

iptables is provided with most (all?) Linux distributions. Though that doesn't necessarily mean there is a firewall in place. A basic firewall may have been set up when the system was installed, or not. To see, you can type the following command at a shell prompt:

Code:
iptables -L
If you see output like this:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
It means there aren't any active firewall rules. Either no rules have been configured or iptables was not started.

Whether you need a firewall is your decision. If your box is connected directly to the Internet (e.g. DSL, cable) then it is highly recommended to have one. If you're on a private network that is connected to the Internet through a gateway then it may be less of an issue -- though still worth considering.
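One way to automate the check above (an added example, not sleddog's own code): a POSIX shell function that reads an iptables -L listing on standard input and reports whether any filtering is in effect. Both sample listings are constructed; the first matches the empty output quoted above, the second is an assumed locked-down box.

```shell
#!/bin/sh
# Added example, not from the thread: classify an "iptables -L" listing.
# Reads the listing on stdin, e.g.:  sudo iptables -L -n | firewall_state
# Prints "open" when every built-in chain has policy ACCEPT and no chain
# holds a rule (the situation sleddog describes), otherwise "filtering".
firewall_state() {
    awk '
        /^Chain / {
            # "Chain INPUT (policy ACCEPT)"; user-defined chains show
            # "(N references)" instead of a policy and are not judged here
            if ($0 ~ /policy/ && $0 !~ /policy ACCEPT/) nondefault = 1
            next
        }
        /^target / { next }   # column header printed under each chain
        NF == 0    { next }   # blank separator line between chains
        { rules++ }           # any remaining line is an actual rule
        END {
            if (nondefault || rules) print "filtering"; else print "open"
        }
    '
}

# Constructed sample 1: the empty listing quoted in the post above.
EMPTY_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample 2: a box with a default-deny INPUT chain and one rule.
LOCKED_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

printf '%s\n' "$EMPTY_LISTING"  | firewall_state   # open
printf '%s\n' "$LOCKED_LISTING" | firewall_state   # filtering
```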
 
Old 10-18-2008, 11:30 PM   #4
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
This is probably the best link I've seen on iptables. You'll realize pretty quickly why frontends like firestarter exist.

http://iptables-tutorial.frozentux.net/
 
Old 10-19-2008, 04:16 AM   #5
Steve W
Member
 
Registered: Mar 2007
Distribution: Linux Mint 18.1
Posts: 520

Original Poster
Rep: Reputation: 44
Okay thanks. I see this iptables thing is a bit complicated, so I've downloaded Firestarter and run through the default "startup" options. I will have a good read through the manual at http://www.fs-security.com/docs.php and hopefully that will tell me all I need to know about it.

Thanks for the info.
 
Old 10-19-2008, 05:06 AM   #6
pinniped
Senior Member
 
Registered: May 2008
Location: planet earth
Distribution: Debian
Posts: 1,732

Rep: Reputation: 50
The firewall software is most useful if you're setting up other machines behind the firewall. If you have a single machine which you want to protect, a firewall is almost pointless in Linux. Your machine can be attacked via 'ports' which are providing a service (http, ssh, database, etc). If you don't run such services or the services are configured appropriately, then the firewall rules are pointless.

Linux firewalls are implemented via the kernel's iptables rules; the rules can be set by the user to range from "allow anything" to "allow nothing".

The reason "firewall" software became so popular on WinDuhs (and honestly, that software doesn't make for a good firewall design anyway - crappy software to try to cover up even crappier software), is that winduhs runs numerous unnecessary services (which MS have made essential to their product through bad design) and many of these services are easily accessed from the net (for some period I believe all services were remotely accessible by default).

The purpose of a genuine firewall is to help protect the computers on one side of the firewall (note, plural - not a single computer) from the big bad world on the other side. However, if you run an internet service, let's say you run Apache to provide http - that port has to accept requests from the big bad world, so even a real firewall will have to let those requests through (although the firewall can block requests to any LAN side machine which is not running Apache).

Confused yet? Short story: for the most part only ports open to provide services can be attacked. (There was an attack which simply knocked out the ethernet interface, but that seems to be all the attack could do - couldn't take control of the machine.) So no services listening on the ethernet interface means no way to attack the computer with the aid of portscans etc. However, the computer can still be attacked via numerous other means while you're browsing the web - and I don't think a firewall can help with that problem. So - a firewall on a single machine is really of minimal value, especially if services are configured appropriately - and a firewall will not protect you from any number of browser-based attacks.

Last edited by pinniped; 10-19-2008 at 05:09 AM.
 
Old 10-19-2008, 06:54 AM   #7
sleddog
Member
 
Registered: Jan 2002
Location: Labrador, Canada
Distribution: CentOS, Debian
Posts: 182

Rep: Reputation: 35
While I do agree in principle with most of what you say, I wouldn't discourage a Linux beginner from learning how to configure and manage a firewall on the box. It's valuable knowledge.

As I'm sure you know, iptables can do much more than simply allow or deny access to particular ports. We can do things like allow selective access to a port, or rate-limit connections. A simple example might be allowing access to port 22 for SSH, but only from one designated remote IP. Yes, the SSH daemon can be configured for selective access, but the firewall rule provides an additional layer of protection.
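The "SSH only from one designated remote IP" rule described above, with a connection rate limit added, as an added example (not sleddog's own code). ADMIN_IP is a placeholder using a documentation address; the script only prints the rules unless APPLY=1 is set, since applying them needs root.

```shell
#!/bin/sh
# Added example, not from the thread: the "SSH only from one designated
# remote IP" rule sleddog mentions, written as a small INPUT ruleset that
# also rate-limits new SSH connections. ADMIN_IP below is a placeholder
# (203.0.113.10 is a documentation address); set it to your own address.
# Rules are only printed unless APPLY=1 is set, since applying needs root.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"

ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_input_rules() {
    ipt -F INPUT                                  # start from an empty chain
    ipt -A INPUT -i lo -j ACCEPT                  # loopback is always fine
    # replies to connections this box opened (keeps your current session alive)
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new SSH connections: only from the admin address, at most 4 per minute
    ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_IP" -m state --state NEW \
        -m limit --limit 4/min --limit-burst 4 -j ACCEPT
    # anything else aimed at port 22 is logged (throttled) and then dropped
    ipt -A INPUT -p tcp --dport 22 -m limit --limit 1/min -j LOG \
        --log-prefix "ssh-denied: "
    # set the default-deny policy last, after the accept rules are in place
    ipt -P INPUT DROP
}

# Number of generated rules that touch the SSH port (one accept, one log)
ssh_rule_count() {
    build_input_rules | grep -c -- '--dport 22'
}

build_input_rules
```

The sshd_config restriction sleddog mentions still applies on top of this; the rule just stops the packets before they reach the daemon.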
 
Old 10-19-2008, 10:00 AM   #8
jejen
LQ Newbie
 
Registered: Mar 2005
Location: Jakarta
Distribution: RedHat 9
Posts: 3

Rep: Reputation: 0
I don't like using iptables; it's hard to configure. I prefer using shorewall. It is easier and simpler than iptables, but as powerful as iptables, maybe better because there are many features in it.
see http://shorewall.net
 
Old 10-19-2008, 12:44 PM   #9
sleddog
Member
 
Registered: Jan 2002
Location: Labrador, Canada
Distribution: CentOS, Debian
Posts: 182

Rep: Reputation: 35
Actually, Shorewall is another frontend to iptables. See http://www.shorewall.net/ (follow the "What is Shorewall?" link).
 
Old 10-19-2008, 01:14 PM   #10
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,083

Rep: Reputation: 405
Quote:
Originally Posted by jejen
I don't like using iptables; it's hard to configure. I prefer using shorewall. It is easier and simpler than iptables, but as powerful as iptables, maybe better because there are many features in it.
see http://shorewall.net
You definitely like it, even if you didn't know.

iptables is about the one and only firewall for Linux. The rest are just frontends or premade scripts for iptables. There's absolutely no need for another one either. It can do anything. It's also useful to do NATing, something that you will definitely need if you want to connect many boxes to the internet via the same router/modem simultaneously.
 
Old 10-22-2008, 02:48 AM   #11
Steve W
Member
 
Registered: Mar 2007
Distribution: Linux Mint 18.1
Posts: 520

Original Poster
Rep: Reputation: 44
>>>... a firewall is almost pointless in Linux.

Right, that's the line I'm focusing on then.

In reality, I'm more worried about that IP address vulnerability that was revealed for all browsers (regardless of platform) a few months ago. If I download and install Firefox 3 (the latest Linux build on their website is 3.0.3 - that's not the dreaded beta version I've read so much bad press about, is it?), will that vulnerability then be closed?
 
Old 10-22-2008, 03:44 AM   #12
pinniped
Senior Member
 
Registered: May 2008
Location: planet earth
Distribution: Debian
Posts: 1,732

Rep: Reputation: 50
Quote:
Originally Posted by Steve W
In reality, I'm more worried about that IP address vulnerability that was revealed for all browsers (regardless of platform) a few months ago. If I download and install Firefox 3 (the latest Linux build on their website is 3.0.3 - that's not the dreaded beta version I've read so much bad press about, is it?), will that vulnerability then be closed?
What IP address vulnerability is that? The latest fad I can think of is "clickjacking" and a firewall can't do anything about that.
 
Old 10-22-2008, 04:03 AM   #13
Steve W
Member
 
Registered: Mar 2007
Distribution: Linux Mint 18.1
Posts: 520

Original Poster
Rep: Reputation: 44
No... I don't think that was it. This was a vulnerability that first hit the news earlier on this year. It was something to do with malicious hijacking of a web address. Not sure if it had something to do with typing it into the address line...

But I looked up "clickjacking" on Google, and now I'm even more worried. So thanks for that...!
 
Old 10-22-2008, 05:31 AM   #14
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Do you mean the DNS vulnerability?
 
Old 10-22-2008, 08:39 AM   #15
Steve W
Member
 
Registered: Mar 2007
Distribution: Linux Mint 18.1
Posts: 520

Original Poster
Rep: Reputation: 44
Ah yes - that was it. Is it likely to be fixed in Firefox 3?
 