LinuxQuestions.org - Linux - Security
Why a firewall with Linux? (https://www.linuxquestions.org/questions/linux-security-4/why-a-firewall-with-linux-55790/)

Bernhard 04-19-2003 03:24 AM

Why a firewall with Linux?
 
Dear Linux-friends,
why could it be necessary to have a firewall with Linux?

It should only be necessary to protect the personal data, no?

The harm to system data or installation of unwanted software should be prevented by the user concept, I think.

Please give me some comments or a link to an answer already made. Thanks a lot in advance!

Yours,
Bernhard

markus1982 04-19-2003 04:22 AM

A firewall doesn't necessarily block access to personal data; it blocks access to services, ping replies, etc.

Blocking access to services should be implemented in at least 2 layers: first, of course, by the netfilter (= kernel firewall) layer, optionally second by tcp_wrappers, and last by the application layer (binding the service to an IP address, etc.).

Quote:

The harm to system data or installation of unwanted software should be prevented by the user concept, I think.
A user with no privileges can't install software if the system is properly configured.

2damncommon 04-19-2003 04:29 AM

Run your firewall while you do some further reading.
Good Luck.

bigshoes 04-21-2003 03:00 AM

firewall with Linux? no...firewall everything that connects to the Internet. (no, i'm not paranoid. 'they' *are* out to get me =P )

your 'personal data' may not be what is at risk without a firewall.

it is your *personal computer* that is at risk without a firewall.

would you let a total stranger - a cracker - access your computer and its resources? the cracker may or may not be interested in your personal data (email and such) but the cracker would be interested in using your computer without your knowledge, without your permission, and you may get the blame for what the cracker did with your computer...your $$$, your time to fix damages/intrusions, your reputation is at risk...

a firewall is a security tool. properly configured firewalls secure your computers/servers from unwanted - external and internal - usage.

(i have done some reading on the subject =) )

Capt_Caveman 04-21-2003 09:51 AM

In theory the user concept should work, but unfortunately it is a lot easier to get unauthorized root access if you already have user access. Many of the exploits out there for Linux are local exploits that use some type of elevation of privileges. The remote exploits are much more rare (and dangerous).

On top of that, many of the services (httpd, sendmail) themselves are vulnerable to attacks. Because they often run as some type of privileged user they are big targets for attack. Not running a firewall is really just like leaving yourself wide open and it is just a matter of time before you get 0wned. So unless you want your Linux box to be a warez server or part of your local script kiddie's DDOS crew, you absolutely want a firewall of some sort.

Bernhard 01-09-2004 10:38 PM

Dear friends,
thanks a lot for your replies! Now the next step:
What firewall-software would you recommend?
I appreciate your answers and/or links to answers already available.
Yours,
Bernhard

Y0jiMb0 01-10-2004 01:34 PM

Quote:

What firewall-software would you recommend?
iptables

General links about security can be found in this forum:
http://www.linuxquestions.org/questi...threadid=45261

for newbies:
http://www.linuxquestions.org/questi...threadid=62121

For me, it was useful to begin with the iptables-HOWTO; after that, to learn more, the iptables tutorial could be nice.
Regards

sundialsvcs 11-04-2005 10:20 AM

The main purpose of a firewall is to separate the traffic that is inside from the traffic that is outside. For example, you probably don't want a user in Singapore to access your Windows shares (if you have any), or to print p0rn to your printers, but without a firewall that nasty person far away is "on your network."

A firewall is simply a filter. It gets inputs from two or more cables and decides what traffic may, and may not, pass from one cable to another. Or, it sits on the inputs to your computer and decides what traffic may pass in or out.

Don't log on without one.

XavierP 11-04-2005 12:42 PM

Get GuardDog or Firestarter. They are both graphical frontends to IPTables, which should really be used by anyone who is new to the concept of firewalls in general and hand configured firewalling scripts in particular.

tkedwards 11-06-2005 06:16 PM

You could also have a look at shorewall (www.shorewall.net) as it allows you to configure iptables (and a lot of the other networking settings) using some neat and easy to edit config files. It also has some good howtos on the site to get you started. If you prefer a GUI though go with one of the ones XavierP suggested.

ironwalker 11-07-2005 06:50 PM

A simple router between your modem and workstation is fine. They are cheap enough these days and have a 4-port switch, web access, VPN, remote admin, etc. Under $80 here in the States for a basic router.

As for software firewalls, I don't know of many application-based (allow/deny) ones out there, like Sygate, ZoneAlarm or Outpost on Windows. GuardDog and Firestarter are not like that at all; they are just iptables front ends limited to iptables rules.

Jamster 11-08-2005 02:13 AM

Personally I don't think that running a firewall under Linux makes sense if all ports are closed/no 'net services are running anyway.

If iptables gets run for the pure purpose of blocking all those closed ports, it actually just adds a new possibility of attack through exploitable code. Blocking closed ports is senseless.

The only reasons (aside from routing, logging, load balancing and other such things) I see for iptables under a port-blocking aspect are cases where you want

1. Only a certain group of IPs to access a specific daemon, or to exclude a group
2. Limit the amount of connections and/or rate
3. To block a daemon you don't want to have publicly available that just won't let you disable its public port listening through the daemon's config itself. Always try checking the service's config if you want to restrict it to local usage; use iptables if the daemon offers no such options in the configuration.

Also, it's better to run the firewall on a separate box, no matter the OS. If the box gets exploited and somebody gains root privileges, iptables won't help you on the same box as it can simply be turned off.

To make a long story short:

On a home box, simply turn off all listening daemons and use no firewall.

On a box where you want local listening services, check their configuration. Most can be set to only listen on 127.0.0.1, also needing no firewall.

In case you need routing, net logging, IP restrictions or local daemons that just won't listen only locally, use iptables...if you can, on a separate box.
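
The three layers markus1982 describes above (netfilter, tcp_wrappers, binding the daemon itself) and Jamster's cases 1 to 3 (restrict a daemon to a group of IPs, limit connection rate, and check whether a service can simply be bound to 127.0.0.1 before reaching for iptables) fit into one short script. The following is an added example written for this thread, not code posted by anyone in it. It assumes a hypothetical host whose only intended public service is ssh, reachable only from the admin subnet 192.0.2.0/24; the `ss` listing it audits is constructed, not a real capture. The script applies nothing to the kernel: it prints a ruleset in `iptables-restore` format and a `hosts.allow`/`hosts.deny` pair for review, and flags every TCP listener that is bound to something other than loopback.

```sh
#!/bin/sh
# Added example for this thread; not code from any poster. It generates a
# default-deny iptables ruleset (iptables-restore format) plus matching
# tcp_wrappers files, and audits an `ss -tlnH` listing for sockets bound to
# anything other than loopback. Nothing is applied to the kernel: review the
# output and load it yourself with `iptables-restore < file`.
# Assumptions (hypothetical): ssh is the only service meant to be reachable,
# and only from the admin subnet 192.0.2.0/24.

ADMIN_NET="192.0.2.0/24"                  # hypothetical admin subnet (CIDR)
ADMIN_NET_MASK="192.0.2.0/255.255.255.0"  # same subnet in tcp_wrappers form

# Layer 1 (netfilter): default DROP on INPUT and FORWARD, accept loopback and
# reply traffic, accept NEW ssh only from ADMIN_NET and only while that source
# has opened fewer than 6 connections in the last 60 s, rate-limit pings, and
# log (rate-limited) whatever is about to fall through to the DROP policy.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Layer 2 (tcp_wrappers, only for daemons linked against libwrap): deny
# everything in hosts.deny, then whitelist sshd from the admin subnet.
gen_hosts_allow() {
    printf 'sshd: %s\n' "$ADMIN_NET_MASK"
}
gen_hosts_deny() {
    printf 'ALL: ALL\n'
}

# Layer 3 (application): anything used only locally should bind to loopback
# (e.g. sshd_config "ListenAddress 127.0.0.1", Postfix "inet_interfaces =
# loopback-only"). This audit reads `ss -tlnH` output on stdin and prints the
# local address:port of every TCP listener NOT bound to 127.0.0.1 or ::1.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        n = split(addr, p, ":")          # the port follows the last ":"
        host = substr(addr, 1, length(addr) - length(p[n]) - 1)
        if (host != "127.0.0.1" && host != "[::1]") print addr
    }'
}

# Constructed sample of `ss -tlnH` output for the audit (not a real capture):
# sshd on all v4/v6 addresses, an MTA on loopback, a web server on *, CUPS on ::1.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 [::]:22 [::]:*'

# Stand-alone run: show the generated files, then the audit of the sample.
gen_ruleset
echo '--- hosts.allow'; gen_hosts_allow
echo '--- hosts.deny';  gen_hosts_deny
echo '--- listeners exposed beyond loopback (constructed sample)'
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On a real box, replace the constructed sample with `ss -tlnH | exposed_listeners`; the three lines it prints for the sample (`0.0.0.0:22`, `*:80`, `[::]:22`) are exactly the services that must be either bound to loopback in their own configuration or covered by a rule in the generated ruleset. Note that the ruleset only covers IPv4; a v6 stack needs an equivalent loaded with `ip6tables-restore`, and the `hosts.allow` entry only has effect for daemons that consult libwrap.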

2damncommon 11-08-2005 08:18 AM

Quote:

I don't think that running a firewall under Linux makes sense if all ports are closed
:confused:
Isn't the reason for the firewall to close the ports?

nx5000 11-08-2005 08:56 AM

Quote:

Originally posted by 2damncommon
:confused:
Isn't the reason for the firewall to close the ports?

Mmmhh if they are closed, then I see no reason for closing them :)

