Firestarter

Posted: Sat Dec 16, 2006 12:20 am
by Fragadelic
Clem,

You should look into including Firestarter (firewall setup tool) if you haven't already. This is a must for folks that don't have a separate firewall and frankly I'm surprised Ubuntu doesn't include it to begin with.

Re: Firestarter

Posted: Sat Dec 16, 2006 6:23 pm
by scorp123
Fragadelic wrote: This is a must for folks that don't have a separate firewall and frankly I'm surprised Ubuntu doesn't include it to begin with.
Maybe a wizard wouldn't be bad, e.g. during installation? "Do you need Firewall? (yes / no)" So people not needing it can just click it away and don't need to bother with it. All others say "yes" and voila, firewall is up, even though there is nothing in the default installation that would need any protection, IMO.

Regards,
Scorp123

Posted: Sat Dec 16, 2006 11:44 pm
by Fragadelic
A firewall is a must for any internet connected computer. To think that BSD or Linux or Mac OS X are not susceptible to attack would be very naive and dangerous.

Virus issues and such are not the same as port attacks.

If you just add firestarter to the system, it adds a menu item so you can use it if you want to.

Posted: Sun Dec 17, 2006 7:01 am
by clem
Hi Tony,

I had a look at firestarter and it looks quite good. It's too late to make its way into Bea but I'm noting it down on my list of ideas for Bianca :)

Clem

Posted: Sun Dec 17, 2006 10:21 am
by scorp123
Fragadelic wrote: A firewall is a must for any internet connected computer.
I disagree. If there is no service running (as on a desktop system) there is no point in a firewall. Unless you are using your Linux box as the firewall to protect your LAN, but then you'd use something like SmoothWall or IPcop ... or M0n0Wall. Or the commercial Astaro product, and not Linux Mint or Ubuntu.

Regards,
Scorp123

Posted: Sun Dec 17, 2006 3:42 pm
by Fragadelic
You would be incorrect since even X runs as a service with a network listener port.

This would be for folks that don't have a hardware firewall of some sort.

Not running a firewall of some sort on a directly connected PC on the internet is just asking for trouble regardless of what OS you are running.

If you like, go ahead and directly connect your PC to the internet without a firewall and run a port scan on it. I wouldn't recommend doing this with a production PC though.

Posted: Sun Dec 17, 2006 4:59 pm
by scorp123
Fragadelic wrote: You would be incorrect since even X runs as a service with a network listener port.
I thought that per default port 6000 is closed. You have to enable it, e.g. via the login manager panel (gksu gdmsetup). All present-day distributions do this, e.g. port 6000 is closed and X11 runs with the "tcp nolisten" option. And even if port 6000 were open, it still can't be exploited that easily.
Fragadelic wrote: This would be for folks that don't have a hardware firewall of some sort.
That's why I suggested that a wizard should ask about this during installation. e.g. SUSE does this too.
Fragadelic wrote: Not running a firewall of some sort on a directly connected PC on the internet is just asking for trouble regardless of what OS you are running.
Sorry, but that's FUD. If there is no service running that would respond to any connection requests, then a firewall is pretty much pointless. Servers which run some sort of network service (e.g. SAMBA, FTP, NFS, etc.) are a different story. But even then you most of the time don't need a full-blown Firewall, stuff like having "denyhosts" running in the background or keeping your /etc/hosts.deny and /etc/hosts.allow up-to-date can already help a great deal.

Adding a firewall that closes down everything per default just adds another layer of complexity that might get in one's way. And most Linux desktops simply aren't running any services that would require this level of protection.

Maybe it would again be wise to imitate Mandriva in this regard: Offer an "Advanced" button of some sort during the installation where experienced users can turn off the firewall if they so wish. The default is to install it, just to be on the safe side.
Fragadelic wrote: If you like, go ahead and directly connect your PC to the internet without a firewall and run a port scan on it. I wouldn't recommend doing this with a production PC though.
I've done precisely that many many many times with my Laptop which runs Linux. And guess what: Besides a few desperate script kiddies trying to login as "root" via SSH nothing happens. Because I am simply not running anything on my desktop that would need a Firewall.

I think the best thing to suit you and me would be this wizard thing. Inexperienced users get it activated per default as a standard, "Advanced" users can click on a "No" button and get their system without firewall if they so wish.
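
The disagreement in this thread turns on which TCP ports a desktop is actually listening on from the network (port 6000 for X, SSH, and so on). As an added example that is not part of the thread and not code from any poster, the Python script below reads the kernel's IPv4 socket table (/proc/net/tcp) on your own machine and lists listeners bound to non-loopback addresses. The sample table and the port notes are constructed, the decoding assumes a little-endian host such as x86, and IPv6 (/proc/net/tcp6) is not covered.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (IPv4 addresses as little-endian hex).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0A00A8C0:8F2C 5DB8D822:0050 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1
"""

TCP_LISTEN = 0x0A  # kernel TCP state code for a listening socket
# Hints only (assumption): a port number does not prove which program owns it.
NOTES = {22: "usually sshd", 6000: "X11 display :0 without 'nolisten tcp'"}


def decode_addr(field):
    """Turn '0100007F:0277' into ('127.0.0.1', 631)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listeners(table):
    """Return (ip, port) for every socket in LISTEN state."""
    found = []
    for line in table.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or int(cols[3], 16) != TCP_LISTEN:
            continue
        found.append(decode_addr(cols[1]))
    return found


def exposed(table):
    """Listeners reachable from the network, i.e. not bound to 127.0.0.0/8."""
    return sorted(l for l in listeners(table) if not l[0].startswith("127."))


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:  # not on Linux: fall back to the constructed sample
        table = SAMPLE
    for ip, port in exposed(table):
        print(f"{ip}:{port}  {NOTES.get(port, '')}")
```

An empty result means nothing on the machine accepts inbound IPv4 TCP connections from the network; a listener on 0.0.0.0 is reachable on every interface unless a packet filter blocks it.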