LinuxQuestions.org
Old 01-21-2013, 03:43 PM   #1
hearthstone
Member
 
Registered: Dec 2005
Distribution: Debian Stable
Posts: 109

Rep: Reputation: 4
Help configuring apf needed.


I did Internet search--a bit too abstruse for me ...
I like apf better than firestarter that I had before, because now all ports are "stealth" according to www.grc.com; all but port 22 that is open now.
Also - I can no longer use gftp, mutt, and some websites (including playing some Internet radio) while apf is enabled.
I run Debian stable machine.
Thanks, Hearthstone.
 
Old 01-22-2013, 08:27 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by hearthstone View Post
I like apf better than firestarter that I had before, because now all ports are "stealth"
OMG!!! One or more ports on this system are operating in FULL STEALTH MODE! "Stealth" was a craze of the past millennium ;-p


Quote:
Originally Posted by hearthstone View Post
I can no longer use gftp, mutt, and some websites (including playing some Internet radio) while apf is enabled.
While desktop applications like Firestarter have their purpose, working with Netfilter, simply put, requires understanding of iptables rules (see the "Frozentux" tutorial: http://www.frozentux.net/documents/iptables-tutorial/). Using APF is a choice you make. It does not and should not give you the idea that using an application that's promoted with marketoid language and running a gazillion scripts somehow no longer requires you to understand iptables basics. On top of that, if you use APF then you should consult the documentation it comes with first.

If you want to see what your current rule set looks like start by saving it with say
Code:
iptables-save > /tmp/iptables.txt
and then reading it with your favorite text editor or try
Code:
less /tmp/iptables.txt
and maybe attach "/tmp/iptables.txt" to your next reply.
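
Added example (not part of the original post, and not APF's own tooling): a small shell function that reads a dump produced by iptables-save and prints the default policy of each built-in chain plus every ACCEPT rule that names a destination port. The function names, the LOCALCHAIN chain and the sample rule set are constructed for illustration; on a real system, pass it the /tmp/iptables.txt file saved above.

```shell
#!/bin/sh
# Summarize an iptables-save dump: built-in chain policies plus every
# ACCEPT rule that names a destination port (filter table only).
summarize_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*filter", "*nat", ...
        table != "filter" { next }
        # User-defined chains carry "-" instead of a policy; skip those.
        /^:/  { if ($2 != "-") print "policy", substr($1, 2), $2; next }
        $1 == "-A" {
            proto = "any"; ports = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (target == "ACCEPT" && ports != "")
                print "accept", $2, proto, ports
        }
    ' "$1"
}

# Constructed sample dump (hypothetical rules, not real APF output).
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOCALCHAIN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
EOF
}

sample=$(mktemp)
write_sample "$sample"
summarize_rules "$sample"
rm -f "$sample"
```

In the constructed sample the OUTPUT policy is DROP and only ports 53, 80 and 443 are accepted outbound, so an FTP client connecting to port 21 would be blocked while web browsing works. Inbound, port 22 is the only port explicitly accepted.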
 
Old 01-22-2013, 02:12 PM   #3
hearthstone
Member
 
Registered: Dec 2005
Distribution: Debian Stable
Posts: 109

Original Poster
Rep: Reputation: 4
Strangest thing happened--I reinstalled apf-firewall, and lo, behold: as far as I can notice, I can now connect to all my Internet radio stations, mutt works, gftp works, ...

The reason that I do not learn about iptables and such is that I just want to *use* my computers--if apf takes care of iptables for me, the better!

The reason I use Linux is that some years back I was unhappy with Windows (and still am) and Linux was the alternative. At first I liked learning about Linux, but as I am getting older, the less I sit in front of the thing, the more I like it; hence if apf does the job, I am happy.

All is well now (for the time being), only the port 22 is open; but I will do some Internet search and find a way how to close it, eventually.

Btw--what's wrong with ports being "stealth"?

Thanks, Hearthstone.
 
Old 01-22-2013, 02:46 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by hearthstone View Post
I reinstalled apf-firewall,
The reflex to remove and re-install software to make things work often points to 0) the idea that practices learned using another OS are similar and should translate to similar actions when using Linux, or 1) the inability to diagnose a problem properly or 2) an unwillingness to do things "the Linux way". The practice is very rarely necessary.


Quote:
Originally Posted by hearthstone View Post
if apf does the job, I am happy.
If "happy" is an objective criterion to rate one's machine's security posture with, sure.


Quote:
Originally Posted by hearthstone View Post
All is well now (for the time being), only the port 22 is open; But I will do some Internet search and find a way how to close it, eventually.
Just shut down the SSH daemon.


Quote:
Originally Posted by hearthstone View Post
Btw--what's wrong with ports being "stealth"?
While "stealth" sounds nice it just means not responding to ICMP and traceroute requests. It has nothing to do with security: it only obscures a system. Said differently: time spent tackling real security issues or concerns is time well-invested.
 
Old 01-23-2013, 06:43 AM   #5
hearthstone
Member
 
Registered: Dec 2005
Distribution: Debian Stable
Posts: 109

Original Poster
Rep: Reputation: 4
The reason that I reinstalled apf-firewall is that with that I removed all my previous configurations, and, in my view, starting "from the scratch" is, at times, the most expedient way to get things done.

I removed openssh-server and all is well--the port 22 is closed according to grc.com.
sshd is/was not installed on my machine.

Thank you, Hearthstone.
 
  

