gufw 13.10

Posted: Tue Jun 25, 2013 7:40 am
by Amithiel
Hey guys,

Just saw the news about the 13.10 update, and decided to enable gufw.
I searched for some tips and tweaks for this firewall, however I didn't find anything useful.
I created 2 profiles. 1 for home and another for public.
I want to make sure when I go to public wifi, I'm not a victim of man in the middle attacks, or some sort of sniffing. Does GUFW help me on that? Or should I create some solid rules to protect me?
Also, no tray icon? It would be nice accessing it from the tray.

Re: gufw 13.10

Posted: Tue Jun 25, 2013 9:34 am
by trapperjohn
Configure the firewall to deny incoming ports. Then, if you want outsiders to be able to make connections to an SSH port, Apache server, shared folder, etc. on your machine, open just the ports you need for your services. Most folks don't expose services on ports to network machines, particularly on public networks. So your public profile could be set up to deny all incoming ports.

On the outgoing side, you need port 80, 443, and a few others open or you won't be able to communicate with the LAN/WAN at all. A middle man hijacks any outside communication, not by controlling what leaves your computer over your HTTP(S) ports, but rather, by spoofing your network into thinking the bad guy's machine is a legitimate hop. One way is to convince your machine that his machine is the network router.

So, when you are on a public network, your allowed outgoing ports in your firewall are not your major vulnerability. Being diligent about not accepting certificate warnings is. Prefer sites that use the https protocol. For example, if you connect to Facebook, configure Facebook to require https.

You can, if you wish, lock down all but the necessary outgoing ports. But from time-to-time you will probably be confronted with network share blocks and other needed/wanted networking features until you discover/open the needed outgoing ports.

Outgoing blocks on machines are mostly used to control user access (e.g. you don't want your child's user to be able to connect to a remote desktop somewhere). They can also be used to disrupt some call-home malware.

One approach that I use on occasional networks is to deny all in/out ports and, as I go, selectively open the ones needed. There will be a subsequent post that will say this is totally unnecessary and paranoid for the average Mint Linux home user... true.

NASA gets hacked and malicious activity does occur on Linux machines... primarily those that have open incoming ports with direct exposure to the WAN. If you have state secrets (or personal secrets) on your machine, keep them in an encrypted volume. I use Truecrypt. If you do too, then beware. There is a script kiddie package called truecrack that can attack a Truecrypt volume if you use AES and a short password. Remember that in public networks, one compromise that benefits the bad guy most is simply stealing your laptop.
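
The deny-all in/out approach from the post above, written as the ufw commands that gufw drives underneath. This is an added example, not part of trapperjohn's post; the outgoing allow-list (DNS, DHCP, HTTP, HTTPS) is an assumed minimal reading of "80, 443, and a few others", and the function names are made up for illustration.

```bash
#!/bin/sh
# Added example (not from the thread): ufw rules for a "public" profile.
# Assumption: DNS, DHCP, HTTP and HTTPS are the minimum outgoing ports;
# extend OUT_ALLOW as blocked features show up.

# Outgoing ports to allow, one "port/proto name" pair per line.
OUT_ALLOW='53/udp DNS
53/tcp DNS
67/udp DHCP
80/tcp HTTP
443/tcp HTTPS'

# Print the ufw commands in order, without running anything.
public_profile_rules() {
    echo "ufw default deny incoming"
    echo "ufw default deny outgoing"
    printf '%s\n' "$OUT_ALLOW" | while read -r port _name; do
        echo "ufw allow out $port"
    done
    # --force skips the interactive confirmation prompt.
    echo "ufw --force enable"
}

# Run each printed command as root; stop at the first failure.
apply_public_profile() {
    while read -r cmd; do
        # $cmd is left unquoted on purpose so it splits into arguments;
        # stdin is redirected so ufw cannot swallow the remaining lines.
        sudo $cmd </dev/null || return 1
    done <<EOF
$(public_profile_rules)
EOF
}

# Dry run by default: review the list, then re-run with APPLY=1.
if [ "${APPLY:-0}" = "1" ]; then
    apply_public_profile && sudo ufw status verbose
else
    public_profile_rules
fi
```

These rules only limit which ports are reachable; they do nothing about a spoofed router, so the certificate-warning advice in the post still applies.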

Re: gufw 13.10

Posted: Tue Jun 25, 2013 11:57 am
by Amithiel
Thanks so much for your tips man. My company just sent me for 1 entire month to another city. I'll be sleeping in a hotel with wifi. So, I'm going to prepare my machine.
I don't like the idea of being 1 month connected to such networks.... I can only think the guy next door might be sniffing around.
I'm gonna try your tips, thanks a lot.

Re: gufw 13.10

Posted: Tue Jun 25, 2013 4:40 pm
by memilanuk
If you're going to be stuck on unsecured public wifi networks for an extended period, you may want to consider whether it's worth it (to you) to get set up with a VPN of some sort like witopia.net, in addition to enabling a basic firewall.