Linux - Software (LinuxQuestions.org). This forum is for Software issues.
Hi Clifford.
Some people probably do, but I don't and haven't for years, as it is, as far as I am aware, no longer actively supported. To me it is important that things like firewalls are supported so they can remain a viable method of protection. The project's home page suggests the project hasn't been worked on since 2007.
I have to disagree with k3tlt01. A firewall is not like an anti-virus program. It doesn't need to be constantly updated for new threats. It needs to control ports and traffic.
An rc.firewall script does not have to be updated once it is configured. It just works until you have to change it (say, to open up a new port for a different service).
Either way, iptables is doing the work. The typical Linux "firewall program" is just a frontend for iptables.
Quote:
Originally Posted by frankbell
Firestarter works just fine.
I have to disagree with k3tlt01. A firewall is not like an anti-virus program. It doesn't need to be constantly updated for new threats. It needs to control ports and traffic.
An rc.firewall script does not have to be updated once it is configured. It just works until you have to change it (say, to open up a new port for a different service).
Either way, iptables is doing the work. The typical Linux "firewall program" is just a frontend for iptables.
If the front end has security flaws in it, I'd like to know quickly; that is why I believe it needs continuous support. Having said that, it is probably easier to learn iptables and set it up for the situation it is being used for.
If the front end has security flaws in it I'd like to know quickly...
Well, you would, but it is hard for this to happen; if the underlying iptables/netfilter is kept up-to-date, then the front end only has to write out a sensible set of iptables rules. And anyway, you would want to look through the set of rules that it writes, if only for education, wouldn't you?
Quote:
Originally Posted by salasi
Well, you would, but it is hard for this to happen; if the underlying iptables/netfilter is kept up-to-date, then the front end only has to write out a sensible set of iptables rules. And anyway, you would want to look through the set of rules that it writes, if only for education, wouldn't you?
If you look at the history of Firestarter they had to keep updating it for a reason.
All I can say is that I haven't had any problems. I've used Firestarter when it was easily available (as with Gnome distributions) and an rc.firewall script when it wasn't (Slackware, where getting FS working was dependency hell when Pat dropped Gnome). I haven't noticed any particular difference, but, if I were compromised, I'd likely not know it.
All I can say is that I haven't had any problems. I've used Firestarter when it was easily available (as with Gnome distributions) and an rc.firewall script when it wasn't (Slackware, where getting FS working was dependency hell when Pat dropped Gnome). I haven't noticed any particular difference, but, if I were compromised, I'd likely not know it.
Otherwise, I wouldn't be compromised.
I have been using firestarter for three days, started on the 6th. In the last two days there appear to have been about 30 (I didn't count, just estimated) attempts to break in. The break-ins seem to be to the same IP, 75.182.32.244, & have varied from TCP to UDP to ICMP protocol and have been unknown, SSH, DHCP, HTTP service. The source was different on each of them. Most of them were on the 7th. I don't know what this means, but assume I am being protected. No? I'm a newbie with Linux but used a firewall in Win XP; I'd have been a fool not to do so. As far as I can remember, I never got an update on the firewall in the ten or so years I ran one, although I got daily ones on my AVG antivirus. Anyway, that's my input for what it's worth.
Does this help anyone?
Michael
As implied in other posts above, firestarter is not the actual firewall. It basically helps to create (automagically) a set of rules for iptables. Worked well for me.
I have been using firestarter for three days, started on the 6th. In the last two days there appear to have been about 30 (I didn't count, just estimated) attempts to break in. The break-ins seem to be to the same IP, 75.182.32.244, & have varied from TCP to UDP to ICMP protocol and have been unknown, SSH, DHCP, HTTP service. The source was different on each of them. Most of them were on the 7th. I don't know what this means, but assume I am being protected.
This is 'thread drift', but it is an important point; it is not safe to assume that you are protected just because you have a firewall. If you have defined a ruleset that has blocked these ports, then these ports are 'safe' from this attack; if you have a ruleset that doesn't block these ports, then the firewall isn't doing anything to protect you, and these ports are no safer than they were without the firewall. *
Note that if the firewall doesn't do anything to block off a particular port, you are down to whatever protection you have from other means. To take ssh as a frequently-attacked example, if you are using passwordless, a non-standard port and don't allow root logins (one possible combination out of several that could be plausible for offering protection...see here for more details) you are probably pretty safe. As, of course, you would be if nothing listened on the port that was attacked, although 'belt and braces' would be nicer.
If, however, you have ssh configured on the default port, it uses an ordinary (not massively strong) password, you allow root logins, and you don't do frequent reviews of your logfiles, then it is probably just a matter of time before someone gets in as root. They then 'pwn' your box.
(I don't know enough about 'all' distributions, but while 'the default' is probably not to enable ssh, if you do ask for ssh, 'the default' (on average, across the mass of distributions that are out there) is not to configure ssh in the most secure configuration. This is not ideal, but is the current reality.)
Note that this isn't a bug in the firewall program; you've got to decide what you want to do about, in this example, ssh. For many people, not using (and therefore not having it available) ssh is a good security measure; for others, ssh is a necessity, and therefore they have to choose what measures they think are adequate to make it safe. The firewall does not make these decisions for you.
(* I've taken the liberty of slightly oversimplifying the situation, here. Oversimplifications are dangerous, especially in security, but the point is largely correct. However, in the case that you are using something like denyhosts or fail2ban, you might have protection from 'blacklisting' persistent offenders without blocking off a specific port that is under attack. I get the impression that you would have mentioned it, if that is what you are doing, though.)
If you want to take this further (and it sounds like it might be a good idea, unless you know that you are already safe), it might be worthwhile to let it have its own thread, rather than hijacking someone else's thread for the purpose. This would make it more likely to get appropriate levels of attention.
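Two points in this thread can be checked mechanically rather than assumed: frankbell's observation that an rc.firewall script is nothing more than a set of iptables rules, and salasi's point that the firewall only helps against the logged attempts if the ruleset actually blocks the ports that were hit. The following is an added example, not code from the thread, from Firestarter or from any firewall project: a constructed default-deny ruleset in iptables-save format (the kind an rc.firewall script or a GUI front end writes out), a toy first-match evaluator for it that models only the -i, -s, -p, --dport, --state and -j options and is not the real netfilter engine, a constructed set of attempts of the kind mikeb380 reports (ssh, http, dhcp and icmp from one outside address, plus ssh from the LAN), and a small audit of the three sshd settings salasi lists (default port, password logins, root logins). All addresses, rules and the sshd_config excerpt are made up for the example.

```python
"""Does a given iptables INPUT ruleset block the traffic the firewall log
showed?  Constructed illustration: a tiny first-match evaluator for the
common rule options, not netfilter (no conntrack engine, NAT or modules)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed ruleset in iptables-save format: default-deny INPUT, allow
# loopback and reply traffic, allow ssh only from the LAN, log the rest.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j LOG --log-prefix "FW-DROP: "
COMMIT
"""


@dataclass
class Packet:
    src: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for icmp
    iface: str = "eth0"
    state: str = "NEW"           # conntrack state as netfilter would see it


# Only the handful of options this toy evaluator understands.
OPTION = re.compile(r"(-i|-s|-p|--dport|--state|-j)\s+(\S+)")


def parse(ruleset: str):
    """Return (chain policy, list of option dicts) for the INPUT chain."""
    policy, rules = "ACCEPT", []
    for line in ruleset.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(dict(OPTION.findall(line)))
    return policy, rules


def matches(rule: Dict[str, str], pkt: Packet) -> bool:
    """Every option present in the rule must match the packet."""
    if "-i" in rule and rule["-i"] != pkt.iface:
        return False
    if "-s" in rule:
        net = ipaddress.ip_network(rule["-s"], strict=False)
        if ipaddress.ip_address(pkt.src) not in net:
            return False
    if "-p" in rule and rule["-p"] != pkt.proto:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt.dport:
        return False
    if "--state" in rule and pkt.state not in rule["--state"].split(","):
        return False
    return True


def verdict(ruleset: str, pkt: Packet) -> str:
    """First terminating match wins; LOG is non-terminating; else the policy."""
    policy, rules = parse(ruleset)
    for rule in rules:
        if matches(rule, pkt) and rule.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return rule["-j"]
    return policy


# Constructed attempts, modelled on the kind of events a front end's log shows.
ATTEMPTS = {
    "ssh from internet": Packet("203.0.113.7", "tcp", 22),
    "http from internet": Packet("203.0.113.7", "tcp", 80),
    "dhcp from internet": Packet("203.0.113.7", "udp", 67),
    "ping from internet": Packet("203.0.113.7", "icmp"),
    "ssh from LAN": Packet("192.168.1.20", "tcp", 22),
}


def report(ruleset: str = RULESET) -> Dict[str, str]:
    """What the ruleset would have done with each logged attempt."""
    return {name: verdict(ruleset, pkt) for name, pkt in ATTEMPTS.items()}


# Constructed sshd_config excerpt combining the weak settings the post warns about.
SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""


def audit_sshd(text: str) -> List[str]:
    """Flag the settings an exposed sshd should not combine (defaults assumed
    as in stock OpenSSH: PasswordAuthentication yes, Port 22)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().lower()
    findings = []
    if settings.get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: set it to no")
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: use keys and set it to no")
    if settings.get("port", "22") == "22":
        findings.append("Port 22: the default port draws the most automated attempts")
    return findings


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:20s} -> {result}")
    for finding in audit_sshd(SSHD_CONFIG):
        print("sshd:", finding)
```

Reading the output next to the log is the check salasi describes: every outside attempt ends in DROP only because the chain policy is DROP and nothing above it accepts that traffic, while the LAN ssh connection is accepted by an explicit rule. Swap in your own `iptables-save` output for `RULESET` and the real ports from the log for `ATTEMPTS` and the same function shows which of the logged attempts the firewall actually stopped; whatever reaches ACCEPT is down to the listening service's own configuration, which is what the sshd audit looks at.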
as far as I am aware, no longer actively supported. To me it is important that things like firewalls are supported so they can remain a viable method of protection. The projects home page suggests the project hasn't been worked on since 2007.
Looking at the site, it looks as if the documentation had an update of some kind late in 2010, so it looks as if it still gets some level of attention, even if the program itself hasn't been updated for quite a while.
This is 'thread drift', but it is an important point; it is not safe to assume that you are protected just because you have a firewall. If you have defined a ruleset that has blocked these ports, then these ports are 'safe' from this attack; if you have a ruleset that doesn't block these ports, then the firewall isn't doing anything to protect you, and these ports are no safer than they were without the firewall. *
Salasi, I wasn't trying to change the thread, just pointing out that Firestarter seemed to be working for me. I realize I'm ignorant about firewalls, just happy no one is getting in my system. Once I have some more Linux under my belt I'll try to learn more about firewalls. I installed Firestarter because an article I read suggested that a. you should have a firewall & b. Firestarter was a good choice. Don't remember who it was, but I thought it was someone with some expertise. Thanks for what you had to say.
Michael
I realise people don't like my opinion on this matter and that is fine by me. I do think however, and I know saying this will get me another black mark in this thread, if you are going to say my comment is unhelpful maybe you could enlighten me as to why it is so.
@mikeb380, if you are using firestarter with Ubuntu that's up to you, but there are better options in GUI front ends. You could try Gufw, which is a GUI for UFW, which is Uncomplicated FireWall. It is supported, not just with documentation. Writing a new document is fine, but documents are not the target of the criminal mind; getting access to the computer is, so the actual firewall, not the documentation to it, needs to be as spot on as possible.
Firestarter has not been changed since January 30 2005 (this information comes from its own homepage and sourceforge). I find it hard to believe that any program is that good that it needs no further changes in over 6 years.
Uh, no. I thought that I was in danger of causing the thread to drift, but:
Some people have excessive expectations of what a firewall does, and are then gobsmacked when it doesn't meet their barely-thought-out expectations. I don't know if you are one of them, but there is a danger in thinking "I have a firewall, any config, and therefore I am safe."
In particular, Windows users often have odd expectations that a firewall will perform some non-firewall functions.
Whatever front end you use, it's just a graphical utility that some people find handy to create a set of firewall rules (in this case iptables/netfilter rules). Some rulesets are more paranoid/protective than others.
If you know that there is a specific threat (and, apparently, you do), and you are relying on the firewall for protection from that threat, it behoves you to check that you are actually getting some protection from that threat.
You started this thread about Firestarter, and I was dragging it to the wider subject of 'Do I have protection, irrespective of what the particular front end is?'. If you were interested in this, either a change of title or a new thread might be appropriate.
Quote:
Originally Posted by mikeb380
...suggested that a. you should have a firewall & b. Firestarter was a good choice. Don't remember who it was, but I thought it was someone with some expertise.
I can't comment on b), but a) is correct. But that is not to say that every firewall is correctly configured, nor that it is doing what you expect.
Quote:
Originally Posted by mikeb380
Once I have some more linux under my belt I'll try to learn more about firewalls.
That is a worthwhile objective. I would argue that it is not as hard as people, generally, think and that everyone should know something about iptables.