Linux Mint Forums

[RavenLX]

I noticed that by default the firewall is turned off (KDE Version). I had enabled it but then found that my All In One Printer (which operates via WiFi) would print but not scan. If I leave it disabled (default) then image scanning works as well.

I have read that there is a built-in firewall that is turned on by default in Linux, and that the GUI is basically just an IP Tables configuration interface, and that it's use isn't necessary for good security. Am I right in assuming this is correct?

Also I'm behind a router, with as much security enabled on it as possible.

What would I need this GUI firewall settings for?

[cwsnyder]

I noticed that by default the firewall is turned off (KDE Version). I had enabled it but then found that my All In One Printer (which operates via WiFi) would print but not scan. If I leave it disabled (default) then image scanning works as well.

I have read that there is a built-in firewall that is turned on by default in Linux, and that the GUI is basically just an IP Tables configuration interface, and that it's use isn't necessary for good security. Am I right in assuming this is correct?

Incorrect. A firewall is not a hardware device, it is a filter based in software. If it is not enabled, it does not work.

Also I'm behind a router, with as much security enabled on it as possible.

What would I need this GUI firewall settings for?

A firewall on your computer would be there to protect from someone who managed to 'pwn' your router or from others who manage to hack into your WiFi connection, thus getting on your 'local' network.

[altair4]

I have read that there is a built-in firewall that is turned on by default in Linux, and that the GUI is basically just an IP Tables configuration interface, and that it's use isn't necessary for good security. Am I right in assuming this is correct?

Ip Tables is always running and it blocks all incoming probes - unless you install something that listens in on certain ports. That's the confusing part. Ufw is a command line tool that adds or modifies the rules that ip tables uses and Gufw if a graphical front end to ufw. Whether or not ufw / gufw is necessary for "good security" depends on what kind and how you are using your computer.

If you have a desktop computer behind a router then the outside world doesn't know you exist. All it sees is the router. All communication that takes place between you and the outside world goes through the router's NAT layer that hides your internal ( LAN side ) ip address. That doesn't prevent you of course from using ufw to block everything anyway but then you have a dilemma.

Let's take Samba as an example - and this would make more sense if you were using Ubuntu since it doesn't install Samba by default. Before samba is installed the ports it uses are effectively closed. Install Samba and the ports are open. Use ufw to close all ports and you just shut down Samba. So what do you have to do? Open the samba ports up again. You're in a logical loop.

Have a laptop and things change a bit. When the laptop is home behind your router things are fine but when it's out and about you might be vulnerable depending on what you installed on it. One thing you can do is set up a bunch of rules to secure yourself outside of home and then enable ufw to implement those rules ( sudo ufw enable ). When you are home disable it ( sudo ufw disable ).

[RavenLX]

Thank you both for your input. I understand now how it would all fit together. I use a laptop but I don't use it to hook up to anything outside of my own router, which is set up to deny access to any device except those that are registered in the MAC filter table (ie. my two laptops and two tablets). There is always that slight risk of cloning/faking MACs with any router, yes. But the router is a consumer one which doesn't transmit too far and is only powered on if I'm using the internet anyway. If I go out somewhere (and I never bring my laptops out anyway as I don't have any need to) or if I go to bed at night I power everything off.

I still would like to learn more about the Gufw/ufw just for the sake of learning it. I vaguely remember setting up IP Tables in Linux a long long time back but forgot a lot of it. It really made me invisible to things like online scans tests from Shields Up by Gibson Research. I just did a scan from there just now of all ports and it's all showing green (stealth) so it looks good from here (which I guess also adds to the security somewhat).

But as for this particular question I had, I consider this solved. Both posts gave me enough information for my particular setup.

[sammiev]

Here is a really good read. http://ubuntuforums.org/showthread.php?t=1876124

[altair4]

I still would like to learn more about the Gufw/ufw just for the sake of learning it. I vaguely remember setting up IP Tables in Linux a long long time back but forgot a lot of it. It really made me invisible to things like online scans tests from Shields Up by Gibson Research. I just did a scan from there just now of all ports and it's all showing green (stealth) so it looks good from here (which I guess also adds to the security somewhat).

I'm not sure Shields Up is a good indication of anything in the context of the rest of your last post. When you run it you will notice that the ip address it's probing is the public ip address of the router not the private ip address of machine you are running behind the router. You would have to connect directly to your ISP bypassing the router to see how secure you were if you connecting directly to the internet.

BTW, he does have a very coherent explanation of how all NAT routers are inherently firewalls:

Secondly, NAT very effectively HIDES all of your machines from the prying eyes of the Internet! Anyone scanning across your IP address will ONLY be able to "see" the NAT router! (Which is generally much more secure than the average PC.) So, they won't actually be touching any of your machines located BEHIND the router! Moreover, none of the software running inside your PC can "give out" your network's public IP address because it is completely unknown to your machines! Only the NAT router knows the public IP of your network, your machines only know their private "behind the router" IP's. So Internet client programs, like your web browser which send out the machine's IP address with every request, will be completely fooled and foiled when they're running behind a NAT router.

[RavenLX]

Good idea on plugging the laptop directly into the WiFi modem and doing a scan. I have a WiFi ISP, not cable or DSL and they supply the modem but not the router and the modem as far as I know does not include a router built-in or anything like that. I might take a chance and try it sometime, after doing some backups and making sure nothing important is on the computer, just in case. It will only take a few moments to do anyway.