firewall?

Chat about anything related to Linux Mint

Poll: Well, I use....

I don't       10  (40%)
ufw            9  (36%)
firestarter    2   (8%)
iptables       3  (12%)
other...       1   (4%)

Total votes: 25

toomuchcoffee

firewall?

Post by toomuchcoffee »

What do you use, what do you recommend and what not... :?
craigevil

Re: firewall?

Post by craigevil »

The shiny GUIs, including gufw and firestarter, just modify iptables.

I use ufw set to default deny. Allows all outgoing, denies all incoming connections. No need to tweak anything.

For the uber paranoid I would recommend moblock/peerguardian.
Brian49

Re: firewall?

Post by Brian49 »

I gave up using software firewalls some time ago. I rely entirely on my router's built-in firewall, which has never let me down. It's a good old Netgear DG834Gv4.
rhodry
Level 4
Posts: 343
Joined: Mon Jun 04, 2007 7:32 am

Re: firewall?

Post by rhodry »

On servers I set up iptables manually for the specific tasks performed; on desktops, ufw default deny works for me; on testing boxes I don't bother.

rhodry.
Life isn't about waiting for the storm to pass...
it's about learning to dance in the rain.
munin

Re: firewall?

Post by munin »

If I have not misunderstood the info here, I should be reasonably secure with these Gufw settings: Status On. Incoming: Deny. Outgoing: Allow. No rules.
I don't use servers or any form of network, so I hope this is good enough.
craigevil

Re: firewall?

Post by craigevil »

# ufw status verbose
Status: active
Logging: off
Default: deny (incoming), allow (outgoing)
New profiles: skip

no problems here. The only networking service I have running is dhclient.


# netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:49153         0.0.0.0:*               LISTEN      19881/firefox   
tcp        0      0 127.0.0.1:46755         0.0.0.0:*               LISTEN      19881/firefox   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           816/dhclient    
udp        0      0 0.0.0.0:68              0.0.0.0:*                           6560/dhclient   
udp        0      0 0.0.0.0:6954            0.0.0.0:*                           6560/dhclient   
udp        0      0 0.0.0.0:7088            0.0.0.0:*                           816/dhclient    
udp6       0      0 :::46236                :::*                                6560/dhclient   
udp6       0      0 :::21003                :::*                                816/dhclient    
rhodry
Level 4
Posts: 343
Joined: Mon Jun 04, 2007 7:32 am

Re: firewall?

Post by rhodry »

Brian49 wrote: I gave up using software firewalls some time ago. I rely entirely on my router's built-in firewall, which has never let me down. It's a good old Netgear DG834Gv4.
I didn't bother looking up the specific model, but there are going to be some surprised folk around once IPv6 permeates the net more thoroughly. IPv6 does not recognise NAT (the built-in "firewall" used by most routers), hence millions of unprotected machines on the net with a false sense of security!! :cry: Malware kiddies are going to have a field day with older hardware running older Windows.

Check your router now!!!!!

cheers,
rhodry.
Life isn't about waiting for the storm to pass...
it's about learning to dance in the rain.
mint-me
Level 3
Posts: 146
Joined: Sat May 26, 2012 2:25 am
Location: Australia

Re: firewall?

Post by mint-me »

I use gufw and block all incoming. I also block the following ports outgoing, as I don't run a server for outside use, and don't share files off my drive to anybody, especially Windows machines:

ports 135-139 [netbios sharing]
port 445 [ms-ds]
port 113 [auth/ident]

just to make sure...
Debian 11 Bullseye Xfce: HP Notebook 15 BS143TU Intel® Core™ i5-8250U, 8GB DDR4 2400Mhz, Intel® UHD Graphics 620, 1366x768 15.6", 1 TB SATA
josefg
Level 2
Posts: 93
Joined: Sun Jun 12, 2011 7:07 pm

Re: firewall?

Post by josefg »

I used to run ZoneAlarm on Windows, but haven't found any similar application-based firewall for linux. So, so far, I'm running nothing... I am just as much interested in having control over what goes out as over what comes in.
craigevil

Re: firewall?

Post by craigevil »

josefg wrote: I used to run ZoneAlarm on Windows, but haven't found any similar application-based firewall for Linux. So, so far, I'm running nothing... I am just as much interested in having control over what goes out as over what comes in.

Linux-Firewall.org - Your application based personal firewall for Linux - http://linux-firewall.org/ doesn't say when it was last updated.

There was TuxGuardian - An application-based firewall - http://tuxguardian.sourceforge.net/ but it appears to be dead; it hasn't been updated since 2006.

Program Guard - http://pgrd.sourceforge.net/ also hasn't been updated in a while

Systrace - Interactive Policy Generation for System Calls - https://www.citi.umich.edu/u/provos/systrace/

There really is not much of a point in having an application-based firewall in Linux. The problem in Windows was all the spyware that called home. We do not have to deal with such things, especially if you only use the packages in the repos.

Personally I do not see the need to block any outgoing ports.
eanfrid

Re: firewall?

Post by eanfrid »

There is the "nufw" infrastructure but it is clearly a lot of overkill for a home PC as it targets corporate networks. Unless you are *really* paranoid you don't need to filter outgoing traffic at the application level. But if you are, you will have to learn (and become pretty skillful with) netfilter, connection tracking, iptables, ebtables and arptables in addition to dealing with nufw. "Firewalls" at the application level don't exist on Linux because they essentially are of no use.

For my own needs I don't use any firewall GUI. I write and maintain my own custom set of iptables/ebtables/arptables rules with home-made scripts.
nextdistroplease

Re: firewall?

Post by nextdistroplease »

UFW

Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
1:19/tcp                   DENY OUT    Anywhere
1:19/udp                   DENY OUT    Anywhere
22:52/tcp                  DENY OUT    Anywhere
22:52/udp                  DENY OUT    Anywhere
54:79/tcp                  DENY OUT    Anywhere
54:79/udp                  DENY OUT    Anywhere
81:122/tcp                 DENY OUT    Anywhere
81:122/udp                 DENY OUT    Anywhere
124:442/tcp                DENY OUT    Anywhere
124:442/udp                DENY OUT    Anywhere
444:65535/tcp              DENY OUT    Anywhere
444:65535/udp              DENY OUT    Anywhere
1:19/tcp                   DENY OUT    Anywhere (v6)
1:19/udp                   DENY OUT    Anywhere (v6)
22:52/tcp                  DENY OUT    Anywhere (v6)
22:52/udp                  DENY OUT    Anywhere (v6)
54:79/tcp                  DENY OUT    Anywhere (v6)
54:79/udp                  DENY OUT    Anywhere (v6)
81:122/tcp                 DENY OUT    Anywhere (v6)
81:122/udp                 DENY OUT    Anywhere (v6)
124:442/tcp                DENY OUT    Anywhere (v6)
124:442/udp                DENY OUT    Anywhere (v6)
444:65535/tcp              DENY OUT    Anywhere (v6)
444:65535/udp              DENY OUT    Anywhere (v6)
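A rule set like the one above is a default-allow egress policy with the denies carved out, and the interesting information is in the gaps between the ranges. Here is an added example (not code from the post) that inverts such a list: it parses `ufw status` output, collects every DENY OUT range per protocol and address family, and reports which destination ports are still reachable. For the list above that is 20, 21, 53, 80, 123 and 443 (FTP, DNS, HTTP, NTP, HTTPS) over both TCP and UDP, v4 and v6. The same intent is clearer, and harder to get wrong when you later add a rule, as `ufw default deny outgoing` followed by explicit allows, which the script also prints. Two caveats: ufw evaluates user rules first-match, and this inversion assumes there are no ALLOW OUT rules placed ahead of the denies; and the DHCP client exchange (udp 68 to 67) keeps working because ufw's own before.rules permit it ahead of user rules, even though 67 falls inside 54:79.

```python
"""Added example: which destination ports does a ufw DENY OUT rule set still allow?

Parses the text of `ufw status` (numbered or not), inverts the egress denies
and prints the equivalent default-deny allow-list. Assumes the default is
'allow (outgoing)' and that no ALLOW OUT rule precedes a DENY/REJECT OUT rule.
"""

import re

# Sample input: the rule list posted above, as ufw prints it.
UFW_RULES = """\
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
1:19/tcp                   DENY OUT    Anywhere
1:19/udp                   DENY OUT    Anywhere
22:52/tcp                  DENY OUT    Anywhere
22:52/udp                  DENY OUT    Anywhere
54:79/tcp                  DENY OUT    Anywhere
54:79/udp                  DENY OUT    Anywhere
81:122/tcp                 DENY OUT    Anywhere
81:122/udp                 DENY OUT    Anywhere
124:442/tcp                DENY OUT    Anywhere
124:442/udp                DENY OUT    Anywhere
444:65535/tcp              DENY OUT    Anywhere
444:65535/udp              DENY OUT    Anywhere
1:19/tcp                   DENY OUT    Anywhere (v6)
1:19/udp                   DENY OUT    Anywhere (v6)
22:52/tcp                  DENY OUT    Anywhere (v6)
22:52/udp                  DENY OUT    Anywhere (v6)
54:79/tcp                  DENY OUT    Anywhere (v6)
54:79/udp                  DENY OUT    Anywhere (v6)
81:122/tcp                 DENY OUT    Anywhere (v6)
81:122/udp                 DENY OUT    Anywhere (v6)
124:442/tcp                DENY OUT    Anywhere (v6)
124:442/udp                DENY OUT    Anywhere (v6)
444:65535/tcp              DENY OUT    Anywhere (v6)
444:65535/udp              DENY OUT    Anywhere (v6)
"""

# '1:19/tcp   DENY OUT   Anywhere (v6)'  or  '22/tcp   ALLOW IN   Anywhere'
RULE_RE = re.compile(
    r"^(?:\[\s*\d+\]\s*)?"                 # optional '[ 3]' from `ufw status numbered`
    r"(\d+)(?::(\d+))?/(tcp|udp)\s+"       # port or lo:hi range, protocol
    r"(ALLOW|DENY|REJECT|LIMIT) (IN|OUT)\s+"
    r"(.+?)\s*$"                           # peer: 'Anywhere', 'Anywhere (v6)', an address
)


def parse_rules(text):
    """Return [(lo, hi, proto, action, direction, family)] for every rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, 'Default:' line
        lo, hi, proto, action, direction, peer = m.groups()
        family = "v6" if peer.endswith("(v6)") else "v4"
        rules.append((int(lo), int(hi or lo), proto, action, direction, family))
    return rules


def allowed_out_ports(text, proto, family="v4"):
    """Destination ports not covered by any DENY/REJECT OUT rule for proto/family
    (default policy is allow outgoing, so everything else passes)."""
    blocked = set()
    for lo, hi, p, action, direction, fam in parse_rules(text):
        if direction == "OUT" and p == proto and fam == family and action in ("DENY", "REJECT"):
            blocked.update(range(lo, hi + 1))
    return sorted(set(range(1, 65536)) - blocked)


def equivalent_allowlist(text):
    """The same egress policy written as default-deny plus explicit allows.
    ufw accepts comma-separated port lists when a protocol is given."""
    cmds = ["ufw default deny outgoing"]
    for proto in ("tcp", "udp"):
        ports = allowed_out_ports(text, proto)
        cmds.append(f"ufw allow out {','.join(map(str, ports))}/{proto}")
    return cmds


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        for family in ("v4", "v6"):
            print(f"{proto}/{family} still allowed out:", allowed_out_ports(UFW_RULES, proto, family))
    print("\nEquivalent default-deny policy:")
    for cmd in equivalent_allowlist(UFW_RULES):
        print(" ", cmd)
```

Feed it `ufw status` (or `ufw status numbered`) from your own box; if the allowed list is longer than you expected, a range boundary is off by one somewhere.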
bimsebasse

Re: firewall?

Post by bimsebasse »

4 years on Linux without antivirus software and firewalls - never felt the need, never had an issue.

In Windows I used to run Spybot with tea timer so nothing in the registry was changed without my permission, and avira antivirus with active guard and firewall. Don't miss it one bit.
nextdistroplease

Re: firewall?

Post by nextdistroplease »

bimsebasse wrote: In Windows I used to run Spybot with tea timer so nothing in the registry was changed without my permission, and avira antivirus with active guard and firewall. Don't miss it one bit.
Remember WinPatrol?

SuperAntispyware?

I had at least two or three antimalware programs on top of my antivirus.

My spell checker wants to say antimalarial.

I love Linux.
craigevil

Re: firewall?

Post by craigevil »

nextdistroplease wrote:
bimsebasse wrote: In Windows I used to run Spybot with tea timer so nothing in the registry was changed without my permission, and avira antivirus with active guard and firewall. Don't miss it one bit.
Remember WinPatrol?

SuperAntispyware?

I had at least two or three antimalware programs on top of my antivirus.

My spell checker wants to say antimalarial.

I love Linux.
I usually installed winpatrol, spyblaster, spybot search and destroy, avg, and/or microsoft security essentials, zonealarm.

It is so nice to not have to worry about all of that crap. I was paranoid for the first year I ran Debian and had all kinds of apps like rkhunter, chkrootkit, tripwire, tiger, guarddog, checksecurity, samhain, psad, etc. installed. But after they never found anything I finally realized a firewall was all I needed. Most routers have a decent firewall these days so no real need for a software firewall at all.
MADDSNIPER

Re: firewall?

Post by MADDSNIPER »

I've been trying to switch over to Linux from Windows full time and I'm finding advice from people such as, "'Firewalls' at the application level don't exist on Linux because they essentially are of no use."

and, "There really is not much of a point in having an application based firewall in linux. the problem in windows was all the spyware that called home. We do not have to deal with such things. Especially if you only use the packages in the repos." very interesting.

One of the things I was struggling to find on Linux was a music player that rivaled the likes of Winamp. I tried many things; one of the ones I liked the most was Clementine, which is in most repos and comes installed with a lot of Linux distros. I used Clementine on Linux for a while, then decided to try it on my Windows machine as well. To my horror, every MP3 I played through Clementine on Windows caused it to try to connect to the internet without my approval. There was no option anywhere to turn this feature off. I was easily able to block this in Windows with my application-based software firewall, but on Linux I didn't even know it was happening. What was being sent out over the internet without my permission? Well, I found this site to help me with that:

http://thesimplecomputer.info/choosing- ... sic-player

This guy does some nice reviews of Linux music players; I'll paste some notes from it:

"Beatbox was built with the Last.fm API but unfortunately no way to turn it off. This means that the player will make a TLS encrypted connection to ws.audioscrobbler.com for every track change. This is also when the lyrics plugins are disabled and a Last.fm account was not being used."

"Wireshark revealed Amarok as the most talkative of all players here. On launch it connects to Last.fm, Magnatune and Internet Archive but when you play a track, there's a hemorrhage of web traffic.

Youtube, Myspace, Harvard, Rolling Stone, RIAA (…confused??), Associated Press, WordPress, Wikipedia, MTV, USA Television and Huffington Post are contacted simply by playing a song. And those are just the ones you’d likely recognize; there were many more hostnames which you’d be forgiven for not knowing."

"I did catch some internet activity from Clementine. A few seconds after launching, the player connects to Magnatune and Google. If you don't use it, Magnatune can be disabled which will stop that connection. The Google call, however, persisted even when all the extras were disabled. Clementine sends a GET request to a 1e100 server wanting my geolocation (by IP address) info and Google responds with the date and time, my city name, latitude & longitude and country. This happens every time Clementine starts and the developers said it's used by the Songkick API to find concerts in your area for artists you're listening to."

"Guayadeque has intelligent playlists where it can add tracks from your library to a currently opened playlist based on what’s already in it. Wireshark showed how this works; Guayadeque asks audioscrobbler.com for similar tracks to the playing song and is then served a list. If any artists or albums on the list match what’s in your library, they’re added to the playlist. Guayadeque also has bulk editing ID3 tags which is incredibly useful if you’ve ever assigned tags to hundreds of albums.

Again courtesy of Wireshark, there’s no way to turn off lyric or cover art fetching. You can hide the tabs from view in Guayadeque, but GET requests are still sent out to lyrics.com, lyricsmania.com, images.amazon.com, coveralia.com, loudson.gs, lettras.mus.br, among many, many others. The player tries a lot of different sources for lyrics and cover art before giving up so Guayadeque will spit out a lot of internet traffic if you listen to lesser-known artists."

"each time Juke changed a track, it contacted lyrics.wikia.com. This was despite the lyrics option being unchecked and the pane hidden from view so there’s no way to disable that. Sloppy."

"On track changes, Audioscrobbler, lyrics sites and Google Translate are contacted. Nightingale is set to translate lyric text by default but these connections can be stopped by disabling the relevant services. The initial connections when the program is launched, however, cannot be disabled as easily. You could either use UFW like with Beatbox & Clementine, set Nightingale's proxy (in Network Settings) to 127.0.0.1 on port 80 or remove ~/.Nightingale and rebuild its profile without metrics reporting."

"It probably goes without saying by now that Tomahawk is not a good choice for people with pay-by-bandwidth internet plans. The only way to keep Tomahawk offline is to either block it in ufw or disable the internet connection."


Now, please can someone explain to me why we don't need a good application-based firewall on Linux?