Hi !

I am an experienced redHat/Fedora sysadmin but I'm completely new to ubuntu/debian world and the-way-the-things-works.
I am trying to understand a few things. One of them is security related.

Is AppArmor an extra security layer that protects individual services based in what is the normal and expected behavior, right ? Why it is disabled in all run levels expect level 6 (reboot?) ? Should I enable it on all run-levels ? Should I select which service to protect or the defaults are fine ?

Is netfilter, the basic packet filter on Ubuntu 9.10 ?
I founded iptables and I installed firestarter, but looks like firestarter is protecting nothing from outside, based on this iptables -L output:
This is right ? The default policy is DROP but there is a rule that allows anything from anywhere ??? This make any sense ?

And finally, what is ufw and why it is disabled in all runlevels ?
Is ufw a replacement for iptables, or firestarter or it is a completely new animal ?
Should I use ufw instead firestarter ?

I am impressed about how different is Ubuntu/debian from other RH based distros. I just realize how much I have to learn about this new stuff....

thanks for the enlightenment,

UFW: https://wiki.ubuntu.com/Uncomplicate...UbuntuFirewall

UFW is "Uncomplicated Firewall" and according to the website it utilizes the netfilter packet-filtering system with iptables commands.

Firestarter was Ubuntu's primary firewall app prior to 8.04 (Hardy Heron) but has been replaced by UFW.

AppArmor is like a modernized form of SELinux, but seems to offer more control of individual applications. It is probably disabled at boot to allow applications root access just long enough to get the system up and running. Then privileges are dropped to user level once that access is no longer needed.

AppArmor: https://wiki.ubuntu.com/AppArmor

It is an extra security layer and my interpretation is more that it is to protect you from the services/applications based on their expected/allowed behaviour. So, if, say, your word processor was compromised by downloading a file with nasty things in it (or someone squirted nasty data at your DNS server), the app would be sandboxed to stop the breach spreading out further, limiting the 'bad guys' ability to privilege escalate a small breach into a big one.

It should be easier to get to grips with and configure than SELinux.
This
https://help.ubuntu.com/community/AppArmor is an example of what I found when I did a google search on "app armor tutorial" and you certainly read one or more of those.

The various different things listed as 'firewalls' on Linux are almost always 'easy to use' front ends to iptables. So, if your iptables ruleset is 'bad', it doesn't matter what tool you have created the ruleset with, its a bad ruleset. Additionally, with one of the GUI things, you don't have to keep running the GUI part; you only have to run it once to generate the ruleset and from then on, its just a matter of running the ruleset (just the same way as you could/should/would run the ruleset if it was generated from, eg, a bash script...although you could regenerate on, eg, every boot, if you thought the various IP adresses would change).

Oh, and on a security paranoia front (security paranoia - good, where normal paranoia = bad, arguably), you might choose to run the iptables rule generator bit on a different machine from the firewall machine, so that if your firewall box does get compromised you don't get your rule generation compromised.


e16 or e17?