Old 01-03-2011, 03:42 AM
"Russell L. Harris"
 
Default firewall package for laptop wi-fi client

I need recommendations for a Debian firewall package to be installed
on a laptop or notebook which is used for web browsing and web-based
email in public wi-fi hotspots.

My concern is to prevent infection or compromise of the laptop, so
that the laptop may be connected safely to a home or
office LAN which is protected by a dedicated firewall.

My previous experience with firewalls has been limited to dedicated
machines running firewall software such as SmoothWall.

RLH


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110103044227.GA2635@rlharris.org
 
Old 01-03-2011, 07:17 AM
"tv.debian@googlemail.com"
 
Default firewall package for laptop wi-fi client

On the 03/01/2011 05:42, Russell L. Harris wrote:
> I need recommendations for a Debian firewall package to be installed
> on a laptop or notebook which is used for web browsing and web-based
> email in public wi-fi hotspots.
>
> My concern is to prevent infection or compromise of the laptop, so
> that the laptop may be connected safely to a home or
> office LAN which is protected by a dedicated firewall.
>
> My previous experience with firewalls has been limited to dedicated
> machines running firewall software such as SmoothWall.
>
> RLH
>
>

Hello, if you are looking for a graphical front end you can look at
gufw, firestarter and guarddog. For text based tools I hear good things
about shorewall.
But if you do only web browsing and email and don't run any web-facing
services you should be fine anyway. The major threats are web browser
security holes (update often) especially through flash and java
plug-ins, and pdf. Hosting windows virus in mails attachments can also
be a problem if you have win machines on the lan, virus scanner clamav
can help here.
Firewall alone won't protect you from man in the middle and such
niceties on open untrusted networks.


--
Archive: http://lists.debian.org/4D218609.4090705@googlemail.com
 
Old 01-03-2011, 08:55 AM
"Russell L. Harris"
 
Default firewall package for laptop wi-fi client

* tv.debian@googlemail.com <tv.debian@googlemail.com> [110103 09:24]:

> Hello, if you are looking for a graphical front end you can look at
> gufw, firestarter and guarddog. For text based tools I hear good things
> about shorewall.

I am looking for a package which is easy to configure, whether text or
gui; in this respect firestarter looks good.



> But if you do only web browsing and email and don't run any
> web-facing services you should be fine anyway.

I do not understand; what is a "web-facing service"?



> The major threats are web browser security holes (update often)
> especially through flash and java plug-ins, and pdf.

Flash and java are in most web pages. Does a firewall not protect
against these threats? or are browser updates necessary even with a
firewall?



> Hosting windows virus in mails attachments can also be a problem if
> you have win machines on the lan, virus scanner clamav can help
> here.

This is a Window$-free environment.



> Firewall alone won't protect you from man in the middle and such
> niceties on open untrusted networks.

Understood. This need is for socializing around the table at
StarBucks, Internet cafes, etc.

Thanks.

RLH



--
Archive: http://lists.debian.org/20110103095545.GB3539@rlharris.org
 
Old 01-03-2011, 09:02 AM
Jari Fredriksson
 
Default firewall package for laptop wi-fi client

On 3.1.2011 11:55, Russell L. Harris wrote:

>
>> The major threats are web browser security holes (update often)
>> especially through flash and java plug-ins, and pdf.
>
> Flash and java are in most web pages. Does a firewall not protect
> against these threats? or are browser updates necessary even with a
> firewall?
>

Most web sites today do NOT have Java Applets. Javascript is NOT Java.
Totally different concept, and that is very common, almost 100% of web
sites do have Javascript.

Firewall does not protect from Web Browser vulnerabilities, browser
updates are a must.

--

Tomorrow, this will be part of the unchangeable past but fortunately,
it can still be changed today.


--
Archive: http://lists.debian.org/4D219ED2.60204@iki.fi
 
Old 01-03-2011, 09:20 AM
Andrei Popescu
 
Default firewall package for laptop wi-fi client

On Mon, 03 Jan 11, 09:55:45, Russell L. Harris wrote:
>
> > But if you do only web browsing and email and don't run any
> > web-facing services you should be fine anyway.
>
> I do not understand; what is a "web-facing service"?

For example a web server (apache) or some other services accessible from
outside (ftp, ssh, file-sharing, ...). A counter-example would be cups
(the print server) which by default only accepts connections from the
same machine.

> > The major threats are web browser security holes (update often)
> > especially through flash and java plug-ins, and pdf.
>
> Flash and java are in most web pages. Does a firewall not protect
> against these threats? or are browser updates necessary even with a
> firewall?

A firewall is just an additional layer of protection against possible
intruders, but it will not protect you against malware that affects
programs which access the internet "over" the wall (like browsers and
other *client* software) or software listening behind doors (ports)
which you have opened on purpose, to make that software (service)
accessible from the internet (like the web server above).

> > Hosting windows virus in mails attachments can also be a problem if
> > you have win machines on the lan, virus scanner clamav can help
> > here.
>
> This is a Window$-free environment.

As long as you don't run programs from outside Debian you can be 99,...%
sure that your own software doesn't play ugly tricks on you, as many
proprietary softwares do.

Unfortunately the Adobe flash plugin is not from Debian (even though you
can install it with the flashplugin-nonfree helper package from contrib)
and has had vulnerabilities in the past.

> > Firewall alone won't protect you from man in the middle and such
> > niceties on open untrusted networks.
>
> Understood. This need is for socializing around the table at
> StarBucks, Internet cafes, etc.

Maybe you could go into details about what software you are using, in
order to get more specific recommendations.

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
Old 01-03-2011, 10:08 AM
Jochen Schulz
 
Default firewall package for laptop wi-fi client

Russell L. Harris:
> * tv.debian@googlemail.com <tv.debian@googlemail.com> [110103 09:24]:
>
>> But if you do only web browsing and email and don't run any
>> web-facing services you should be fine anyway.
>
> I do not understand; what is a "web-facing service"?

It is a program accepting random connections from arbitrary source
addresses ("the internet"), like a web/FTP/mail server. In order to
check which programs listen on which port, post the output from
'netstat -tulpn' (run as root).

You should be aware that most people in here translate "firewall" as
"packet filter". Configuring a packet filter requires knowledge of
TCP/IP networking, so if you don't understand the term above, but still
feel the need to "secure" your system, you will need to learn about
that.

>> The major threats are web browser security holes (update often)
>> especially through flash and java plug-ins, and pdf.
>
> Flash and java are in most web pages. Does a firewall not protect
> against these threats?

If firewall == "packet filter": No. Otherwise: Maybe, but probably not.

> or are browser updates necessary even with a firewall?

Absolutely!

>> Firewall alone won't protect you from man in the middle and such
>> niceties on open untrusted networks.
>
> Understood. This need is for socializing around the table at
> StarBucks, Internet cafes, etc.

Check for open ports (see the netstat-command above), always install the
latest upgrades and make sure to use encrypted connections whenever
possible.

J.
--
If I could travel in time I would show my minidisc to the Romans and
become Caesar until the batteries ran out.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
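
Added example, not part of any message in this thread: a small shell filter over the `netstat -tulpn` output suggested above, separating sockets bound only to loopback (like the cups case mentioned earlier in the thread) from those reachable from the hotspot network. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the sockets reported by `netstat -tulpn`.
# classify_listeners and sample_netstat are illustrative names.

# Reads netstat -tulpn output on stdin and prints one line per socket:
#   <scope> <proto>/<port> <program>
# scope is "local-only" for loopback binds (127.0.0.0/8, ::1) and
# "exposed" for anything else (0.0.0.0, ::, or a specific interface address).
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        laddr = $4
        # TCP rows carry a State column, UDP listener rows do not,
        # so PID/Program is field 7 for TCP and field 6 for UDP.
        prog = ($1 ~ /^tcp/) ? $7 : $6
        sub(/^[0-9]+\//, "", prog)              # strip the "PID/" prefix
        port = laddr; sub(/.*:/, "", port)      # text after the last colon
        addr = laddr; sub(/:[^:]*$/, "", addr)  # text before the last colon
        scope = (addr ~ /^127\./ || addr == "::1") ? "local-only" : "exposed"
        printf "%s %s/%s %s\n", scope, $1, port, prog
    }'
}

# Constructed sample output (not captured from a real machine).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1234/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1500/apache2
tcp6       0      0 ::1:631                 :::*                    LISTEN      1234/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           800/dhclient
EOF
}

sample_netstat | classify_listeners
# On a real machine, as root: netstat -tulpn | classify_listeners
```

Entries marked `exposed` are the ones that inbound packet-filter rules, or stopping the service, would need to cover on an untrusted network.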
 
Old 01-03-2011, 10:28 AM
"tv.debian@googlemail.com"
 
Default firewall package for laptop wi-fi client

On the 03/01/2011 10:55, Russell L. Harris wrote:
> * tv.debian@googlemail.com <tv.debian@googlemail.com> [110103 09:24]:
>
>> Hello, if you are looking for a graphical front end you can look at
>> gufw, firestarter and guarddog. For text based tools I hear good things
>> about shorewall.
>
> I am looking for a package which is easy to configure, whether text or
> gui; in this respect firestarter looks good.

Any will do, they default to allow outgoing connections but block
inbound ones, sometimes with additional warnings/logging when a port
scanning pattern or brute-force attack is detected.

>
>
>
>> But if you do only web browsing and email and don't run any
>> web-facing services you should be fine anyway.
>
> I do not understand; what is a "web-facing service"?

Anything listening on a port that is designed to accept connections from
the "outside" (Internet). Could be any "server" like ftp, http server
(apache...). Usually you are fine in Debian unless you purposefully
install such a service and open the corresponding ports in your firewall.
>
>
>
>> The major threats are web browser security holes (update often)
>> especially through flash and java plug-ins, and pdf.
>
> Flash and java are in most web pages. Does a firewall not protect
> against these threats? or are browser updates necessary even with a
> firewall?

Flash is everywhere, the plugin is a proprietary closed-source beast
known for being a security nightmare. Flash is also a power hog on
laptops battery so if you can live without...

Java isn't really common, but some sites require to run java "applets"
to login, some offer games through java, you can live without a java (or
openjdk) plug-in more easily than flash.
Don't get mixed-up with javascript, which is a different technology. For
that one use a browser extension like "NoScript" which gives you sane
default and allows for better control.

>
>
>> Hosting windows virus in mails attachments can also be a problem if
>> you have win machines on the lan, virus scanner clamav can help
>> here.
>
> This is a Window$-free environment.
Nice ;-)

>
>
>
>> Firewall alone won't protect you from man in the middle and such
>> niceties on open untrusted networks.
>
> Understood. This need is for socializing around the table at
> StarBucks, Internet cafes, etc.
>
> Thanks.
>
> RLH
>

Best security is achieved through understanding what's running on the
machine, and how most common "threats" work.
By design open password-less networks are insecure, but the risk remains
low unless you are a known valuable target. The probability of someone
eavesdropping your passwords or stealing your laptop is higher!

I wouldn't do my internet banking/shopping over such a network though...


--
Archive: http://lists.debian.org/4D21B2D9.3050501@googlemail.com
 
Old 01-03-2011, 09:28 PM
"tv.debian@googlemail.com"
 
Default firewall package for laptop wi-fi client

On the 03/01/2011 05:42, Russell L. Harris wrote:
> I need recommendations for a Debian firewall package to be installed
> on a laptop or notebook which is used for web browsing and web-based
> email in public wi-fi hotspots.
>
> My concern is to prevent infection or compromise of the laptop, so
> that the laptop may be connected safely to a home or
> office LAN which is protected by a dedicated firewall.
>
> My previous experience with firewalls has been limited to dedicated
> machines running firewall software such as SmoothWall.
>
> RLH
>
>

Off topic for Debian but relevant to your question I came across an
article today in Ars Technica:
http://arstechnica.com/security/guides/2011/01/stay-safe-at-a-public-wi-fi-hotspot.ars

Might be worth reading if you are in the blue regarding security
implications of open networks.


--
Archive: http://lists.debian.org/4D224D88.6080901@googlemail.com
 
Old 01-04-2011, 10:19 AM
Andrei Popescu
 
Default firewall package for laptop wi-fi client

On Mon, 03 Jan 11, 12:28:25, tv.debian@googlemail.com wrote:
>
> I wouldn't do my internet banking/shopping over such a network though...

Would you care to explain why you find an open wireless to be more
dangerous than your regular internet connection?

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
Old 01-04-2011, 10:31 AM
Eduardo M KALINOWSKI
 
Default firewall package for laptop wi-fi client

On Tue, 04 Jan 2011, Andrei Popescu wrote:

> Would you care to explain why you find an open wireless to be more
> dangerous than your regular internet connection?


Because anyone nearby with a laptop can sniff the traffic, unlike with
a regular cabled internet connection or a password protected wireless
network (in which traffic is encrypted)?



--
By nature, men are nearly alike; by practice, they get to be wide apart.
-- Confucius

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br


--
Archive: http://lists.debian.org/20110104093152.46997afrbqyd622o@mail.kalinowski.com.br
 
