> On Wed, Jul 4, 2012 at 3:38 AM, Ralf Mardorf <ralf.mardorf@alice-dsl.net>
> wrote:
>>
>> *chuckle* A trillion years ago I used a firewall myself. "Ports" are an
>> issue, I wasn't able to down- or upload by ftp. BUT, How many serious
>> attacks did you notice around the last 30 days?
>
> Your aversion to security is interesting. You dismissed selinux in a
> previous thread and are now belittling iptables. Why don't just
> publish your username and password on the net if you think that there
> are no dangers out there?
Yes!
With a big text file with all your bank account passwords and other highly
sensitive information, along with details of imaginary deals with the PLO
in supplying them with container loads of automatic weaponry, and get back
to us when your social life develops in interesting directions.
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> Archive:
> http://lists.debian.org/CAOdo=SzSbr51O2jL_xDvcMb=Oxc+uTHV0YZUEpR_ki0agSdjE g@mail.gmail.com
>
>
--
Religion is regarded by the common people as true,
by the wise as false,
and by the rulers as useful.
— Lucius Annæus Seneca.
Terrorism, the new religion.
07-05-2012, 12:31 PM
Atıf CEYLAN
firewall
On 2012-07-05 10:05, Anthony Campbell wrote:
> On 04 Jul 2012, Brad Alexander wrote:
>> On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
>>> On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
>>>> Hi, I don't know which firewall (http://wiki.debian.org/Firewalls) I should choose. Thanks ahead for recommendation, and it will be very nice if you tell me why you recommend this one.
>>> To answer drily: Test them and report what firewall does protect you the best against no attacks. Linux for home usage was safe, is safe, will be safe. Yes, it's safe regarding to things I criticize. I don't criticize protection per se, I only worry about toooo much security for nothing.
>> I disagree. It's about defense in depth. Because what happens if you get a piece of bad software that opens a vulnerability? And yes, that could happen to a home Linux user as easily as a corporate one, since they are using the same update mechanisms. In fact, I would posit that a home user could be at *more* risk, since, in theory, a corporate user would be limited in the amount and types of software installed...Corporate server vs home workstation.
> I have a home network. A few years ago I was attacked and the ownership
> of some files was changed. I restored them to normal and it happened
> again, so I reinstalled. Since then I've been using shorewall and there
> have been no further intrusions.
> AC
Your problem is not a firewall problem. Firewall doesn't mean IPS/IDS or L7 Filter. Also a firewall must be a netfilter, NAT, routing etc.
Inbound or outbound network traffic and packets are permitted or blocked/rejected or port forwarding by firewall.
If there is a vulnerability on your OS or apps you must use IPS/IDS or L7 filter or UTM (netfilter + ips + any stuff...)
On Wed, Jul 04, 2012 at 04:52:10PM -0400, Brad Alexander wrote:
> Excellent points, Joe. In addition, Windows was designed from the ground up
> as a single-user operating system, which means that all of the files on a
> system were accessible by the user.
This is not true for the NT-based Windows systems, i.e. all of them released in
the last 11 years.
07-05-2012, 12:38 PM
Jon Dowland
firewall
Your reply (the text/plain portion) was completely illegible I'm afraid. Please
refrain from sending HTML mail.
07-05-2012, 10:26 PM
Doug
firewall
On 07/05/2012 08:31 AM, Atıf CEYLAN wrote:
> On 2012-07-05 10:05, Anthony Campbell wrote:
>> On 04 Jul 2012, Brad Alexander wrote:
>>> On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf
>>> <ralf.mardorf@alice-dsl.net <mailto:ralf.mardorf@alice-dsl.net>> wrote:
>>>> On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
>>>>> Hi, I don't know which firewall (http://wiki.debian.org/Firewalls)
>>>>> I should choose. Thanks ahead for recommendation, and it will be
>>>>> very nice if you tell me why you recommend this one.
>>>> To answer drily: Test them and report what firewall does protect
>>>> you the best against no attacks. Linux for home usage was safe, is
>>>> safe, will be safe. Yes, it's safe regarding to things I criticize.
>>>> I don't criticize protection per se, I only worry about toooo much
>>>> security for nothing.
>>> I disagree. It's about defense in depth. Because what happens if you
>>> get a piece of bad software that opens a vulnerability? And yes,
>>> that could happen to a home Linux user as easily as a corporate one,
>>> since they are using the same update mechanisms. In fact, I would
>>> posit that a home user could be at *more* risk, since, in theory, a
>>> corporate user would be limited in the amount and types of software
>>> installed...Corporate server vs home workstation.
>> I have a home network. A few years ago I was attacked and the ownership
>> of some files was changed. I restored them to normal and it happened
>> again, so I reinstalled. Since then I've been using shorewall and there
>> have been no further intrusions.
>> AC
> Your problem is not a firewall problem. Firewall doesn't mean IPS/IDS
> or L7 Filter. Also a firewall must be a netfilter, NAT, routing etc.
> Inbound or outbound network traffic and packets are permitted or
> blocked/rejected or port forwarding by firewall.
> If there is a vulnerability on your OS or apps you must use IPS/IDS or
> L7 filter or UTM (netfilter + ips + any stuff...)
--
For someone who doesn't understand firewalls in the first place--I'm
one, also--your answer might as well be written in Chinese!
--doug
On Thursday 05 July 2012 18:26:12 Doug wrote:
> On 07/05/2012 08:31 AM, Atıf CEYLAN wrote:
> > On 2012-07-05 10:05, Anthony Campbell wrote:
> >> On 04 Jul 2012, Brad Alexander wrote:
> >>> On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf
> >>>
> >>> <ralf.mardorf@alice-dsl.net <mailto:ralf.mardorf@alice-dsl.net>> wrote:
> >>>> On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
<humour>
[snip Lina's request for recommendation on firewalls]
[snip Ralf Mardorf's dry answer]
[snip Brad Alexander's disagreement]
[snip Anthony Campbell's anecdotal experience]
[Atif CEYLAN's statement follows]
> > Your problem is not a firewall problem. Firewall doesn't mean IPS/IDS
> > or L7 Filter. Also a firewall must be a netfilter, NAT, routing etc.
> >
> > Inbound or outbound network traffic and packets are permitted or
> > blocked/rejected or port forwarding by firewall.
> >
> > If there is a vulnerability on your OS or apps you must use IPS/IDS or
> > L7 filter or UTM (netfilter + ips + any stuff...)
IDS = Intrusion Detection System
IPS = Intrusion Prevention System
L7-Filter see https://en.wikipedia.org/wiki/L7-filter
UTM can be anything from "Unified Threat Management" over "University of
Toronto at Mississauga (Canada)" to "Universal Transport Medium"
see http://www.acronymfinder.com/UTM.html
HTH
SCNR
GWPF
[Doug's puzzled comment follows]
>
> For someone who doesn't understand firewalls in the first place--I'm
> one, also--your answer might as well be written in Chinese!
>
> --doug
</humour>
Kind regards, Eike
07-06-2012, 02:39 PM
Andrei POPESCU
firewall
On Mi, 04 iul 12, 15:16:10, Jon Dowland wrote:
>
> Except on Debian you are required to do a fair amount of work to make
> your rules persistent across reboots and ensure you get ordering right
> to not lock yourself out of the box (if remote): all problems that
> do not exist if you install and use ufw.
apt-cache show iptables-persistent
Kind regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
07-06-2012, 02:47 PM
Jon Dowland
firewall
On Fri, Jul 06, 2012 at 05:39:47PM +0300, Andrei POPESCU wrote:
> On Mi, 04 iul 12, 15:16:10, Jon Dowland wrote:
> >
> > Except on Debian you are required to do a fair amount of work to make
> > your rules persistent across reboots and ensure you get ordering right
> > to not lock yourself out of the box (if remote): all problems that
> > do not exist if you install and use ufw.
>
> apt-cache show iptables-persistent
I didn't know about that - about time someone did it!
My point still stands though, since this is not out-of-the-box. Also read
the long description:
> "Since this is aimed at experienced administrators, there is no configuration wizard."
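The rule-ordering and lock-out concern raised in the message above, as an added example that is not part of the thread: a pre-flight check over a ruleset in the iptables-save format (the format iptables-restore loads) that reports when the INPUT chain would refuse new SSH connections. The sample rulesets are constructed, and the function name and SSH on port 22 are assumptions.

```python
import shlex

# Constructed iptables-save style ruleset (sample data, not from the thread).
GOOD = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
# Same rules with the catch-all REJECT placed ahead of the SSH rule.
_rules = GOOD.splitlines()
_rules[6], _rules[7] = _rules[7], _rules[6]
BAD = "\n".join(_rules) + "\n"


def ssh_lockout_findings(ruleset, ssh_port="22"):
    """Report whether filter/INPUT refuses new SSH connections.

    Only rule order and the chain policy are evaluated; source or
    interface restrictions on the SSH rule are not (assumption).
    """
    table, policy, ssh_ok, closed = None, "ACCEPT", False, False
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT ") and " -j " in line:
            args = shlex.split(line)[2:]
            j = args.index("-j")
            matches, target = args[:j], args[j + 1]
            if target == "ACCEPT" and "--dport" in matches:
                if matches[matches.index("--dport") + 1] == ssh_port:
                    ssh_ok = True
            elif target in ("DROP", "REJECT") and not matches:
                closed = True  # catch-all: rules after this never match
                break
    if not ssh_ok and (closed or policy == "DROP"):
        return ["port %s: no ACCEPT rule is reached before traffic "
                "is dropped or rejected" % ssh_port]
    return []
```

Running the check on a saved ruleset before loading it on a remote machine catches the misordered case (`BAD`) while the current session is still usable.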
07-10-2012, 11:18 PM
Chris Bannister
firewall
On Wed, Jul 04, 2012 at 11:19:06AM +0800, lina wrote:
> Hi,
>
> I don't know which firewall (http://wiki.debian.org/Firewalls) I should choose.
>
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.
Have a read of:
http://www.debian-administration.org/articles/552
--
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the
oppressing." --- Malcolm X
07-15-2012, 12:45 AM
Joel Roth
firewall
On Wed, Jul 04, 2012 at 11:19:06AM +0800, lina wrote:
> Hi,
>
> I don't know which firewall (http://wiki.debian.org/Firewalls) I should choose.
>
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.
From other posts on this thread, it sounds like you've made
progress.
I'll just add a plug for firestarter, as no one else has
mentioned it. This is by far the easiest.
I configured it quickly with the wizard, then
discovered my IMAP connection wasn't going through. In the
Events list I could see that port 993 was being blocked. I
edited the rule to add port 993 to the IMAP line. Done.
iptables -L -n
shows a much more complicated set of rules than I could
understand or configure myself -- at least without
devoting a great deal of time to it.
OTOH, my use case is rather simple, a notebook behind
a router, so I don't need the level of fine tuned
control and hardness that a server would require.
I could see how one could start with firestarter,
then later migrate to a more advanced utility
such as firehol.
cheers,
Joel
> Best regards,
--
Joel Roth