Old 07-04-2012, 08:52 PM
Brad Alexander
 
Default firewall

On Wed, Jul 4, 2012 at 3:46 PM, Joe <joe@jretrading.com> wrote:
> On Wed, 4 Jul 2012 18:11:14 +0100
> Lisi <lisi.reisz@gmail.com> wrote:
>
>> On Wednesday 04 July 2012 17:14:29 Brad Alexander wrote:
>> > The third reason we
>> > are not in the same boat as windows is that we have a much smaller
>> > attack surface than Windows. Windows still has over 90% penetration
>> > on the desktop. Therefore, they are the low-hanging fruit.
>>
>> How, then, do you explain the fact that Windows servers, which have a
>> penetration of less than 50%, suffer on the Internet as do Windows
>> home users, whilst Unix and family servers, which have over 50%
>> penetration, still suffer from _far_ less malware?
>>
>
> All kinds of reasons, beginning with the fact that most malware
> designed for Windows desktops works just fine on the servers, too,
> though I think most servers are somewhat better protected than a home
> PC. People don't sit in front of them and surf the Web, for one thing
> (at least not in sensible companies).
>
> But while there are excellent Windows admins, the fact is that it is a
> point-and-click environment, with qualifications obtainable from exams
> marked by computer, and hence multiple-choice. I'm not suggesting the
> exams are trivial, but by their nature they ask go-nogo questions, and
> the questions are mostly based on operating the Windows dialogue boxes.
>
> Microsoft has made its billions by making computers relatively easy to
> use, so you can go a long way as a junior admin or consultant by just
> knowing the right box to tick. There is a relatively small amount you
> can do wrong.

Excellent points, Joe. In addition, Windows was designed from the
ground up as a single-user operating system, which means that all of
the files on a system were accessible by the user. Then, over the
course of time security and file restrictions were bolted on.
Unix/Linux, OTOH, were designed as multiuser environments. So the
concept of file permissions, root-only parts of the filesystem and so
forth were baked in early on. The latter approach is far easier to
maintain/enhance than the former.

Add to that the fact that MS (and Apple) packs software in a black box
and tosses it over the wall to consumers. This means any vulnerability
that the Bad Guys are able to reverse engineer is in the wild until
the company gets around to patching it. Which is something MS has
gotten very, very good at over the years. Call it reactive security.
With Open Source software, OTOH, anyone can find a problem and fix it.
Consequently, in a lot of cases, the fix for a problem is included
with the description of the problem. No, this does not happen all of
the time, witness the recent authentication bypass in MySQL or the
kernel bug that was there for 8 years...But then again, there is a bug
in the 16-bit code in Windows that was first reported in 1994 that MS
says they will not fix...So there are corner cases on both sides.

> The bottom line is that Linux is significantly harder to drive than
> Windows (and I've dabbled with Server 2000, 2003 and 2008, and a few
> Red Hats, Mandrakes and Debians) and the admins are likely to know
> more about what they're actually doing, because they need to.

I disagree with this. I have been doing Linux almost exclusively since
1998, and in fact have only had a Windows box on my desk for a total
of 1 year in that period. I'm as lost in a Windows environment as a
Windows user would be if dropped cold turkey into Linux.

--b


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAKmZw+YgX3gSREFKT_6-Cunj9e3jOVcvK9pWy4=QD4P_pUzmBg@mail.gmail.com
 
Old 07-04-2012, 08:54 PM
Adrian Fita
 
Default firewall

On 04/07/12 10:31, Mika Suomalainen wrote:
> On 04.07.2012 06:19, lina wrote:
>>
>> I don't know which firewall (http://wiki.debian.org/Firewalls) I
>> should choose.
>>
>> [...]
>>
> I recommend UFW. It's simple to use and does everything a firewall
> should do, in my opinion.
>
> All commands are like "ufw allow 22/tcp" (allows connections to SSH port).
>
> It also has gui called GUFW.

Agreed. This is what I use. ufw is great for home PC/laptop use. And the
GUI, GUFW makes it as easy as a firewall can be. Fire and forget. Of
course, knowing a bit about iptables is recommended, to understand what
happens behind the scenes.

firestarter is also nice and easy to work with.

--
Adrian Fita


Archive: http://lists.debian.org/4FF4AD95.4080502@gmail.com
 
Old 07-04-2012, 09:05 PM
Tom H
 
Default firewall

On Wed, Jul 4, 2012 at 4:04 AM, Joe <joe@jretrading.com> wrote:
>
> Most ports can be closed by configuration, even the infamous portmap
> can be limited to localhost if you're not using it externally e.g. for
> NIS or NFS. If you have a standalone Linux machine in a foreign
> network, pretty much everything can be closed.

With NFSv4, you don't have to expose 111; you can just have 2049 open
(I've never tried to close 111 with NFSv3; perhaps it works too).


Archive: http://lists.debian.org/CAOdo=SxTQAJjxOu0pdXWQJXu-uMwjLJNtVo01f93BLaSdOcNXA@mail.gmail.com
 
Old 07-04-2012, 09:11 PM
Tom H
 
Default firewall

On Wed, Jul 4, 2012 at 3:38 AM, Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
>
> *chuckle* A trillion years ago I used a firewall myself. "Ports" are an
> issue, I wasn't able to down- or upload by ftp. BUT, How many serious
> attacks did you notice around the last 30 days?

Your aversion to security is interesting. You dismissed SELinux in a
previous thread and are now belittling iptables. Why don't you just
publish your username and password on the net if you think that there
are no dangers out there?


Archive: http://lists.debian.org/CAOdo=SzSbr51O2jL_xDvcMb=Oxc+uTHV0YZUEpR_ki0agSdjEg@mail.gmail.com
 
Old 07-04-2012, 09:31 PM
Brian
 
Default firewall

On Wed 04 Jul 2012 at 11:19:06 +0800, lina wrote:

> I don't know which firewall (http://wiki.debian.org/Firewalls) I
> should choose.
>
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.

You can either manipulate netfilter directly with iptables or have
something else (like the suggested ufw or gufw) do it for you. Using
iptables is not for the faint-hearted.

Alternatively, you could detail why you need a firewall. The only reason
you have given up to now is fear. This leads to strange things being
done: for example, your 'iptables -L' output in another post shows
connections to a webserver and sshd being accepted from anywhere, as are
ICMP requests. Nothing wrong with that. But why bother with an iptables
rule if that is what you had in the first place?


Archive: http://lists.debian.org/20120704213108.GA28931@desktop
 
Old 07-04-2012, 10:04 PM
Brian
 
Default firewall

On Wed 04 Jul 2012 at 12:14:29 -0400, Brad Alexander wrote:

> On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
> >
> > To answer drily: Test them and report what firewall does protect you the
> > best against no attacks. Linux for home usage was safe, is safe, will be
> > safe. Yes, it's safe regarding to things I criticize. I don't criticize
> > protection per se, I only worry about toooo much security for nothing.
>
> I disagree. It's about defense in depth. Because what happens if you

A commonly used phrase - military in origin, I imagine. One day I must
investigate how a firewall can protect my mail server. Until then I will
just continue to accept connections from anywhere.

> get a piece of bad software that opens a vulnerability? And yes, that

I'd rather you were specific here about the sort of vulnerability in the
service you are thinking about but, talking in general and using Debian,
the fix would become available, you would download it and move on. No
problem, no fuss, no firewall needed.

[Snip]

> So a piece of bad software gets introduced into the repos. It could
> happen...And having a firewall in place (an external firewall would
> have the advantage of not being able to be turned off by said
> malware).

A firewall will not give protection from a software defect in a running
service. Not unless you lock the service down so much it becomes
useless.


Archive: http://lists.debian.org/20120704220425.GB28931@desktop
 
Old 07-04-2012, 10:39 PM
Brian
 
Default firewall

On Wed 04 Jul 2012 at 08:21:10 -0400, Eike Lantzsch wrote:

> OK, I see that this might be flamebait ...
>
> On Tuesday 03 July 2012 23:19:06 lina wrote:
> > Hi,
> >
> > I don't know which firewall (http://wiki.debian.org/Firewalls) I should
> > choose.
> >
> > Thanks ahead for recommendation, and it will be very nice if you tell
> > me why you recommend this one.
> >
> > Best regards,
>
> It seems that you want a firewall on the computer which you are working with.
> As regards closing unnecessary ports or limiting them to localhost, Joe
> gave good advice already.

The very best way of closing a port is to shut down the service or
remove it from the machine. I cannot think of a single service which
doesn't allow connections to be limited without the use of a firewall.


Archive: http://lists.debian.org/20120704223924.GC28931@desktop
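An added example, not code posted by anyone in this thread, that turns the advice above (Joe: limit portmap to localhost; Tom: expose only 2049 for NFSv4; Brian: the best way to close a port is to stop the service) into a check you can run. Feed it the output of `ss -ltn` and it reports which listening TCP ports are bound to every interface, and so reachable from other hosts, versus loopback only. The sample lines are constructed; which daemon sits on which port (sshd on 22, rpcbind on 111, NFS on 2049, an MTA on 25, CUPS on 631) is an assumption for illustration.

```python
"""Added example: classify listening TCP sockets by who can reach them.

Input is `ss -ltn` (or `ss -Hltn`) output; header lines are skipped.
The sample output below is constructed for this example."""
import ipaddress
import sys
from typing import List, Tuple

# ss prints the "any" address as 0.0.0.0, * or [::] depending on version.
WILDCARDS = {"0.0.0.0", "*", "::"}

# Constructed `ss -ltn` output: sshd, rpcbind, NFS, a local MTA and CUPS.
BEFORE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 64 0.0.0.0:2049 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
"""

# Same host after rpcbind is limited to localhost, as Joe suggests.
AFTER = BEFORE.replace("0.0.0.0:111", "127.0.0.1:111")


def split_local(addr: str) -> Tuple[str, int]:
    """'127.0.0.1:25' -> ('127.0.0.1', 25); '[::1]:631' -> ('::1', 631)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def exposure(host: str) -> str:
    """Human-readable reachability of a bind address."""
    if host in WILDCARDS:
        return "all interfaces"
    if ipaddress.ip_address(host).is_loopback:
        return "loopback only"
    return f"only {host}"


def parse_ss(output: str) -> List[Tuple[int, str]]:
    """(port, exposure) for every LISTEN line; headers and junk are skipped."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        listeners.append((port, exposure(host)))
    return listeners


def exposed_ports(output: str) -> List[int]:
    """Ports other hosts can reach. For each one: stop the service, bind it
    to localhost, or only then write a firewall rule for it."""
    return sorted({port for port, where in parse_ss(output)
                   if where == "all interfaces"})


if __name__ == "__main__":
    # `ss -ltn | python3 listeners.py` on a real host; sample data otherwise.
    data = sys.stdin.read() if not sys.stdin.isatty() else BEFORE
    for port, where in parse_ss(data):
        print(f"{port:>5}  {where}")
    print("reachable from other hosts:", exposed_ports(data))
```

On the sample, 22, 111 and 2049 are reachable from other hosts; after rpcbind is bound to 127.0.0.1 only 22 and 2049 remain, which is the NFSv4 shape Tom describes. UDP listeners (`ss -lun`) are checked the same way.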
 
Old 07-05-2012, 01:45 AM
Brad Alexander
 
Default firewall

On Wed, Jul 4, 2012 at 6:04 PM, Brian <ad44@cityscape.co.uk> wrote:

> A commonly used phrase - military in origin, I imagine. One day I must
> investigate how a firewall can protect my mail server. Until then I will
> just continue to accept connections from anywhere.

I will give you an example of this. Your mailserver runs, say,
roundcube or some other webmail. You want port 80 (or 443) available
on your local LAN, but not to the internet. A perimeter firewall could
block access from outside your perimeter. Just as an example. Or for
that matter, you could insert imap/imaps, pop3/pop3s, etc.

>> get a piece of bad software that opens a vulnerability? And yes, that
>
> I'd rather you were specific here about the sort of vulnerability in the
> service you are thinking about but, talking in general and using Debian,
> the fix would become available, you would download it and move on. No
> problem, no fuss, no firewall needed.

Using the above example, suppose your mail server had to run sendmail
(I know, a stretch nowadays, but in the not-too-distant past, a
distinct possibility). Sendmail had a tradition of having more holes
than Swiss cheese, and vulnerabilities were fixed almost weekly. When
a new version was uploaded to the repos, I guarantee not all of the
holes had been fixed.

This is the concept of the 0day vulnerability. An unknown, unpublished
vulnerability. A firewall *might* help blunt a possible attack or
block an attack vector.

But it is a game of chances. As I have told people before, "Security
times usability is a constant: The only secure system is one that
is unplugged from the network, powered off, packed in concrete, and
fired into the sun...But at that point, it isn't very usable, is it?"

--b

> [Snip]
>
>> So a piece of bad software gets introduced into the repos. It could
>> happen...And having a firewall in place (an external firewall would
>> have the advantage of not being able to be turned off by said
>> malware).
>
> A firewall will not give protection from a software defect in a running
> service. Not unless you lock the service down so much it becomes
> useless.
>


Archive: http://lists.debian.org/CAKmZw+Ya3PfoN4RoBbX2JGtDzgM52-_JKtNGAqzr6LOWCAFeAg@mail.gmail.com
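An added example, not code from anyone in this thread, that puts both sides of the Brian/Brad exchange into a check. It reads an `iptables-save` dump of the filter table and answers two questions: does the INPUT chain restrict anything at all (Brian's point that a ruleset which accepts sshd, the webserver and ICMP from anywhere, with a default-ACCEPT policy, changes nothing), and which accepted services are open to the world versus limited to a source network or interface (Brad's webmail reachable from the LAN but not the internet). Both rulesets are constructed for this example; 192.168.1.0/24 as the LAN and the port choices are assumptions.

```python
"""Added example: audit the INPUT chain of an `iptables-save -t filter` dump.
Rulesets below are constructed; the LAN range is an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ruleset of the shape Brian describes: everything accepted from anywhere
# and a default-ACCEPT policy, so the rules change nothing.
LINA_STYLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# Brad's mail server: SMTP from anywhere, webmail (443) and IMAPS (993)
# only from the LAN (assumed 192.168.1.0/24), everything else dropped.
WEBMAIL_LAN_ONLY = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 993 -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str]    # -p
    dport: Optional[str]    # --dport
    source: Optional[str]   # -s CIDR; None = any source
    iface: Optional[str]    # -i; None = any interface
    stateful: bool          # --state/--ctstate: reply traffic, not a service

    def service(self) -> str:
        return f"{self.proto or 'any'}/{self.dport or 'any'}"

    def scope(self) -> Optional[str]:
        """What limits the rule's reach; None means any host, any interface."""
        if self.iface is not None:
            return f"iface {self.iface}"
        if self.source is not None and \
                ipaddress.ip_network(self.source, strict=False).prefixlen > 0:
            return self.source  # -s 0.0.0.0/0 has prefixlen 0: no limit at all
        return None


def _opt(tokens: List[str], *flags: str) -> Optional[str]:
    """Value following the first of the given option flags, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in flags:
            return tokens[i + 1]
    return None


def parse_iptables_save(dump: str) -> Tuple[Dict[str, str], List[Rule]]:
    """(chain -> policy, rules) for one table in iptables-save format."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith(":"):                  # ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            t = line.split()
            rules.append(Rule(chain=t[1], target=_opt(t, "-j") or "",
                              proto=_opt(t, "-p"), dport=_opt(t, "--dport"),
                              source=_opt(t, "-s"), iface=_opt(t, "-i"),
                              stateful=_opt(t, "--state", "--ctstate") is not None))
    return policies, rules


def audit_input_chain(dump: str) -> dict:
    """Summarise what INPUT admits. Jumps into user-defined chains are not
    followed; only INPUT itself is examined."""
    policies, rules = parse_iptables_save(dump)
    inp = [r for r in rules if r.chain == "INPUT"]
    # Policy ACCEPT plus no DROP/REJECT rule: the ACCEPT rules are no-ops.
    denies = policies.get("INPUT") in ("DROP", "REJECT") or any(
        r.target in ("DROP", "REJECT") for r in inp)
    world_open, restricted = [], []
    for r in inp:
        if r.target != "ACCEPT" or r.stateful:
            continue
        scope = r.scope()
        (world_open.append(r.service()) if scope is None
         else restricted.append((r.service(), scope)))
    return {"restricts_anything": denies,
            "world_open": world_open, "restricted": restricted}


if __name__ == "__main__":
    import sys
    if not sys.stdin.isatty():   # iptables-save -t filter | python3 audit.py
        print(audit_input_chain(sys.stdin.read()))
    else:
        for name, dump in (("lina-style", LINA_STYLE), ("webmail", WEBMAIL_LAN_ONLY)):
            print(name, audit_input_chain(dump))
```

The first ruleset reports restricts_anything False with icmp, tcp/22 and tcp/80 open to the world, which is Brian's "why bother" case. The second reports restricts_anything True, tcp/25 open to the world and tcp/443 and tcp/993 limited to 192.168.1.0/24, which is the perimeter-style rule Brad describes. Pipe in `-t filter` only; other tables also define an INPUT chain and would overwrite the policy seen here.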
 
Old 07-05-2012, 03:51 AM
lina
 
Default firewall

On Thu, Jul 5, 2012 at 5:31 AM, Brian <ad44@cityscape.co.uk> wrote:
> On Wed 04 Jul 2012 at 11:19:06 +0800, lina wrote:
>
>> I don't know which firewall (http://wiki.debian.org/Firewalls) I
>> should choose.
>>
>> Thanks ahead for recommendation, and it will be very nice if you tell
>> me why you recommend this one.
>
> You can either manipulate netfilter directly with iptables or have
> something else (like the suggested ufw or gufw) do it for you. using
> iptables is not for the faint hearted.
>
> Alternatively, you could detail why you need a firewall. The only reason
> you have given up to now is fear. This leads to strange things being
> done: for example, your 'iptables -L' output in another post shows
> connections to a webserver and sshd being accepted from anywhere, as are
> ICMP requests. Nothing wrong with that. But why bother with an iptables
> rule if that is what you had in the first place?
Indeed, I found that the system is actually not much different than before
under the current iptables configuration.


Archive: http://lists.debian.org/CAG9cJm=EAop_VAorE8X9CB8V3in2mcQxCmNYHE5ShD87jKG3Vw@mail.gmail.com
 
Old 07-05-2012, 08:05 AM
Anthony Campbell
 
Default firewall

On 04 Jul 2012, Brad Alexander wrote:
> On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
> > On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
> >> Hi,
> >>
> >> I don't know which firewall (http://wiki.debian.org/Firewalls) I should choose.
> >>
> >> Thanks ahead for recommendation, and it will be very nice if you tell
> >> me why you recommend this one.
> >
> > To answer drily: Test them and report what firewall does protect you the
> > best against no attacks. Linux for home usage was safe, is safe, will be
> > safe. Yes, it's safe regarding to things I criticize. I don't criticize
> > protection per se, I only worry about toooo much security for nothing.
>
> I disagree. It's about defense in depth. Because what happens if you
> get a piece of bad software that opens a vulnerability? And yes, that
> could happen to a home Linux user as easily as a corporate one, since
> they are using the same update mechanisms. In fact, I would posit that
> a home user could be at *more* risk, since, in theory, a corporate
> user would be limited in the amount and types of software
> installed...Corporate server vs home workstation.
>



I have a home network. A few years ago I was attacked and the ownership
of some files was changed. I restored them to normal and it happened
again, so I reinstalled. Since then I've been using shorewall and there
have been no further intrusions.


AC


Archive: http://lists.debian.org/20120705080519.GA6527@acampbell.org.uk
 