Why not incorporate a usable firewall into Linux Mint?

[Gee7]

So what do you do with this then, write code for it or what?

Hello

Since i started using a computer, firewalls have always been something of a mystery to me. When I still used Microsoft XP, I used the Microsoft firewall for a short period and then switched to the great and comprehensible ZoneAlarm. Since moving to Linux 2 or 3 years back, I have missed not having a firewall of the same standard as ZoneAlarm. Linux firewalls are not easy to understand or use. Of course, i am not alone in this situation: if you did an anonymous survey (anonymous so that users could admit their shortcomings) of Linux Mint users and asked the following question:

Do understand how to set up the Linux Mint firewall?

the answer would often be No.

Of course, i googled for information about firewalls when i first started with Linux and I got to understand the general principles of what a firewall is, i also learnt quite a lot about ports in the process, what i could not find was instructions on how to set a firewall up. As the Mint firewall comes without any instructions or a help file, a year ago I asked on Mint forums for Mint to consider incorporating a firewall with a proper graphical interface and instructions into Linux Mint, something approaching the standard of ZoneAlarm, and i got an answer on the lines of : we already have a firewall, go to the Control panel, activate Firewall and Enjoy. (How could I enjoy it when there are no basic instructions to even get it started?). The only other file I found on the Linux firewall was by a young man sneering at his mother because she didn't know how to set it up, and it was a distasteful article.

Eventually I installed Firestarter - it comes with instructions which are lacking in detail and it doesn't explain the jargon it uses (it doesn't define its terms), so in parts it's reading without understanding, but at least there is some information with which to start. There are options on Broadcasting there for example, but it doesn't explain what Broadcasting is, the differences between Public and Private, why a computer should broadcast its presence, and what the Broadcasting user should allow and what not. However that may be, for easiness sake I currently use Deny all Inbound, and Deny all Outbound except for ports 80 (HTTP), 123 (NTP) and 443 (HTTPS) and this works fine for me, being a minimalist and having no connection with any Microsoft software or spyware. Samba spends all day trying to get out through ports 137 and 138 but i deny it outbound access, as Samba is a Microsoft application and i have no idea what the intentions of the Microsoft programmers were, or how allowing access would be of any benefit. Other ports I open as and when necessary. Because Firestarter has a proper graphical interface and some instructions, it is possible to set this up. The same cannot be said for the Mint Firewall.

There is a To/Action/From dialog box in the Mint Firewall and an Add - to put in something or other and then to put in something else. There is no file in the Help file to explain these dialog boxes. I have no idea what the jargon means, it's not a challenge, rather an insulting piece of software, with its "Spend a month try to work this out, hahaha." I wonder, Is the "To" dialog for a port number, or for a name like google.com, for a URL like http://www.google. com or for an IP address like 20.270.16.204 or whatever, and if it for an address, how does the user find the addresses ... and if the "action" is for commands relating to "To", what is the syntax to use: i am sure that if i wrote "deny access for this session only" the command would not be understood, and there is no reason that it should. Like all software, it will only understand precise statements that are pre-programmed into it. I guess that Accept and Deny are part of the code command list but what other conditional clauses to make the firewall workable remains a mystery. And if when one is online, there is a connection that looks highly suspicious, how can one break the connection using the firewall? And how can one have the firewall sitting on the desktop, so that the user can always see who is attempting access, in or out, and take appropriate action? And what is appropriate action (what can the firewall do - is it block or accept only, or are there degrees of acceptance?)

So i look at these blank dialog boxes of the firewall and think: So what do you do with this then, write code for it or what?

Puzzling.

It is not self-explanatory.

I hope that sometime in the future, a member of the Mint team expands the graphical user interface of its firewall, and supplies basic instructions of use (with a definition of terms and some examples) so that a non-specialist user can set it up, and use it as a user rather than as root. For many people, security is of primary importance, and it is much more user friendly if a user can flexibly use the firewall supplied with the operating system, rather than spending weeks searching the web for Linux firewalls and trying to find something which can be understood. The instructions on Mint firewall use could also be incorporated into a section on Security in the downloadable PDF file. Such a section could discuss Firewalls, anti-virus, screen locks and passwords. This would be an apt place too to put instructions on how to disable the crazy locking-screen new to Isadora, which is causing a lot of swearing in rural areas and deprived inner-city pockets. You can't go to the loo or go to put the kettle on without the screen locking!

An alternative to the long business of designing a firewall with a graphical user interface, would be for Mint to negotiate with Firestarter about using it in the Mint O/S, with improvements as and when necessary.

So that's my pet gripe, it was asking to be taken for a walk, but generally for Mint 9 (& 7 before it) i sing praises, and find myself recommending it to people without mentioning the firewall inadequacy or other minor gripes - the art work is marvellous and the system feels comfortable and sleek and the efforts of the team are appreciated, thank you for giving us such a high quality experience.

Cheers
gee7

[DrHu]

For a desktop OS, I would tentatively agree;

Except that the nice GUI provided by firewall software supplier may tend to make a user think they are safer than they really are; if they do not understand what they are looking at or why some features of a particular application (firewall) are configured in the manner they are..
--in that way, Linux is better (even if not considered as user friendly enough), to cause the user to investigate/understand and deploy a software firewall of their choice..

The firewall works, the only problem might be that there is no easy to understand GUI, as Zonealarm or others use (Microsoft bitdefender or Norton, MCafee) etc..

I also like zone alarm, and use it in windows OS, it can also run along with bitdefender..

I would also say that with some minor research, an easy understanding of ufw (Ubuntu's firewall) is available to anyone who looks
http://www.ubuntugeek.com/ufw-uncomplic ... hardy.html
--also since most people will be behind a router/ISP service, then they are already protected via the NAT functions enabled there..

For anyone interested, security data is available..
http://www.ubuntugeek.com/list-of-secur ... buntu.html

[Aging Technogeek]

Linux does not use bolt-on firewalls like Windows. What you are calling firewalls in Linux are only GUI frontends for Netfilter and iptables, the built-in Linux firewall. Netfilter is part of the Linux kernel . It cannot be turned off or disabled, but it can be configured to allow the types of access an individual user requires. That is what programs like Firestarter, Pyroman, firehol, fwbuilder, and others do. They are GUI tools for configuring iptables and Netfilter.

Netfilter - http://en.wikipedia.org/wiki/Netfilter

iptables - http://en.wikipedia.org/wiki/Iptables

[Biker]

Ugh! This has been my biggest beef with Firewalls and how companies market them. First of all, the majority of users who install and use a firewall don't understand the nature of the Internet and networking. They see the firewall tag an incoming packet as "suspicious" and the user then gets all bent out of shape claiming they're under attack. Phooey!

First of all, the majority of users don't need to see what the firewall is doing, nor do they need to have a pretty screen telling them anything regarding the packet traffic that's interacting with their computer. I remember when ZoneAlarm was first released, and the panic it would create with users when normal traffic bounced across their connection. It would pop up this dire warning screen with an option to "report" the attack. Pulllllllleeeeeeeeeeeeeeze. I don't know if they've changed any of that, but it's one of the primary reasons I ripped it off my machine within 30 seconds of having it installed.

Are firewalls a good thing? Yes. Are they the cure all for staying "safe". Hell no. If you want "safe", set up a hardware firewall between your computer and modem. Many routers and router/modem combinations have rudimentary firewall functions built into them. This is normally sufficient for the normal user who just uses email and surfs the Internet.

Software companies have made a killing by feeding a ton of misinformation to users and playing off their fears of getting "attacked". I have NEVER seen a normal user get "attacked". Never.

Do users need to know what the firewall is doing? Not really. That's the beauty of iptables in Linux. Set your rules and then forget about it. This works for the majority of users, and that's the way it should be.

[Aging Technogeek]

Did a little research.

From the iptables man page in terminal:

Iptables is used to set up, maintain, and inspect the tables of IPv4
packet filter rules in the Linux kernel. Several different tables may
be defined. Each table contains a number of built-in chains and may
also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each
rule specifies what to do with a packet that matches. This is called a
`target', which may be a jump to a user-defined chain in the same ta‐
ble.

The netfilter.org website says

netfilter.org is home to the software of the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series. Software commonly associated with netfilter.org is iptables.

Software inside this framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.

netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.

iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).

netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and the NAT subsystem together build the major parts of the framework.

In simple words, netfilter is the tool the Linux kernel uses to inspect and filter network traffic. Iptables is the terminal based configuration tool for netfilter.
Firestsrter, et al are Gui frontends for iptables.

[Kaye]

What do you mean by "set up" and "configure"? For 99% of users opening the Mint firewall and checking enable is more than enough.

[Gee7]

Thanks for the links, DrHu.
I shall investigate the ubuntu firewall information page that you kindly gave when time allows, though generally it's better for the user if such links or other explanations are given in the Help section of the application itself, in this case Firewall accessed through the Control Panel. What is missing in the Mint firewall at the moment is (a) a GUI with more options and (b) an explanation of how to set up the firewall and use it, so that is why I made the suggestion for a more sophisticated firewall ... personally, I was baffled by the Mint firewall as it is now but then I am still Linux Level 1, and what is "easy to understand" for a user level 10 is not always so clear for someone not so skilled
Anyway, I shall bookmark the links you gave and play catch up later.
regards
gee7

[tlu]

Ubuntu/Mint doesn't have open ports by default. Thus, a firewall is usually not needed. A good reading about this and other security apects is http://www.psychocats.net/ubuntu/security. That said, Ubuntu/MInt includes iptables like any other Linux distro but no rules are enabled by default.

If you still think you need a firewall, for a desktop system the following commands using ufw are sufficient:

sudo ufw enable
sudo ufw default deny

[eiver]

What I am missing with IP tables is the "personal firewall" capabilities. Unless someone can tell me how to allow or disallow connections for a specific program. Many programs connect to the Internet without even asking and without notifying the user. How to prevent that under Linux?

[tlu]

What I am missing with IP tables is the "personal firewall" capabilities. Unless someone can tell me how to allow or disallow connections for a specific program. Many programs connect to the Internet without even asking and without notifying the user. How to prevent that under Linux?

You don't need that under Linux. The official repos don't contain spyware. Linux is not Windows!

[eiver]

What I am missing with IP tables is the "personal firewall" capabilities. Unless someone can tell me how to allow or disallow connections for a specific program. Many programs connect to the Internet without even asking and without notifying the user. How to prevent that under Linux?

You don't need that under Linux. The official repos don't contain spyware. Linux is not Windows!

Can I please be allowed to have a lack of trust in what you are saying and also lack of trust in this enormous code base available in the repos? If all programs in the repos are ok, then why not run all of them as root? Why do I constantly hear recommendations to run open-source programs in a chroot jail for security, if they cannot possibly do any harm anyway.

[rich_roast]

One word: bugs. These aren't programs that are going to join you up to a botnet or log keys. They are programs which, if run as root in X, will cause all sorts of horrible crashes and might bork your install (not that I've ever, once, seen that happen, but I know it has been known to). If an app is untested and/or unstable it is may be worth running in a chroot jail, but Mint has a strong history of high standards in the software it distributes. If you compile programs from source then it is your responsibility to make your own decisions accordingly, of course.

If you're looking for a GUI firewall with logging and application tracking then firestarter's a good one for GNOME. But don't run it alongside ufw, better yet, remove (g)ufw if you wish to go with firestarter.

Personally I've always thought it's a good idea to just enable the default ufw rules (nothing leaves, everything's OK in), and adapt them as need be. You can keep a track on changes to your filesystem with tripwire. This should ensure that nothing gets to run that you don't expect, since tripwire would tell you about it's intrusion onto your system.

I should mention that in just getting over six years of using Linux regularly I have only heard of one potential security compromise on Linux, and that compromise didn't go anywhere because it was horribly badly implemented.

Bear in mind, though, that GUI apps in particular, and userspace apps in general, are not designed with running as root in mind. They're not malicious, they will cause problems if run as root because that's not what they're meant for.

[distrohopper]

Can I please be allowed to have a lack of trust in what you are saying and also lack of trust in this enormous code base available in the repos? If all programs in the repos are ok, then why not run all of them as root? Why do I constantly hear recommendations to run open-source programs in a chroot jail for security, if they cannot possibly do any harm anyway.

I'm sure you've heard about people's windows systems being compromised by third parties (through something like a back door). If you ran something like an instant messenger (in linux as root for example) which somebody found an exploit to, they would have full access to EVERYTHING on your machine as the root user. Think along the lines of 'rm -rf *' in your / directory. Poof your system is gone.

If you are running the same program as an unprivileged user, the attacker will not be able to do nearly as much damage to your system. *maybe* they'd be able to wreck your home directory, however it should be pretty standard practice to keep backups in case of something like a hard drive failure or your own 'root accident'.

As for 'constantly hearing recommendations to run OSS in a jail', what programs do you constantly hear this about? I would think if you had untrusted third parties connecting to your computer over a network, you may (as a preventative measure) have them boot into a jail.

For your own personal use, the software in the repositories is made by every day people like you and I. The Ubuntu security team screens software in the repos. All the source for this stuff is freely available for ANYBODY to audit should you REALLY be that paranoid.

You are allowed to have mistrust, although I'm telling you it's without good cause. I'd be way more scared of the crap I can get on my windows machine connecting to the internet, than what you're going to pick up from installing open source software from trusted repositories.

[74ryanwolf]

Do you people even know that firestarter hasn't been updated for about 5 years (2005) ?!
Are y'all out of your using out-of-date products?

[Fred]

I beg to differ with most of the above posts. iptables/netfilter is a very good firewall. Much more stable, leak proof, and flexible than most Windows bolt-on firewalls. What you are complaining about is various limited GUI configuration utilities. That is a whole other issue entirely.

Quit pretending a GUI configuration utility is a firewall for goodness sakes. It is not.

Fred

[eiver]

Nobody claims that. But a good GUI configuration utility is "iptables" and "man iptables" combined in one application which is easy to learn and to use. A good gui can quickly teach even an unexperienced user how to do the configuration correctly. I think I don't have to explain the benefits of GUI especially on Mint forum - Mint core GUI apps have been one of the main reasons for Linux Mint popularity, so Mint devs understand that all too well.

As for the question in the topic. I believe the answer is: Nobody bothered (had time) to do that yet. I am sure we will see something like that in the future.

[Fred]

eiver,

iptables/netfilter is the firewall. It is part of the kernel ports infrastructure. It will absolutely not be ripped out of the kernel by Mint, Ubuntu, or any other distro maker. You are still talking about a GUI add on. You can design 50 different GUI interfaces with varying capabilities to generate appropriate rule sets for iptables. The GUI is just an interface, nothing else. Certainly not a firewall. That is my point.

Fred

[eiver]

Sure. I completely agree. Its just that you were approaching the problem from the technical point of view (firewall is a kernel module and a gui is just an application interfacing with that module), while I was approaching the problem from the users point of view (casual users should not touch the kernel or kernel modules, in fact they shouldn't be forced to know the inner workings of an OS at all). Write a use-case diagram of the Linux firewall and present a GUI to the users which implements that diagram - that is what the user wants.

I am completely sure that the original author was talking about the user experience with iptables and not about an idea to "rip the firewall out of the kernel", when he used the term "incorporate a usable firewall into Linux Mint".

[rich_roast]

Do you people even know that firestarter hasn't been updated for about 5 years (2005) ?!
Are y'all out of your using out-of-date products?

As the only one who suggested firestarter, you should probably be addressing me and not "you people".

No, I did not know that. I do not have time to follow all 30,000 packages and however many apps that entails and do my work at the same time. I recommended a solution I have used and tested and it works fine. Thank you for appraising me of the maintenance situation. There are nicer ways of doing that.

Cheers.

[altair4]

For the record I don't use a "bolt on " firewall in linux but on my Windows machines I use Sygate Firewall Pro.

Sygate was purchased by Symantec and the product was trashed because it was better than Symantec's offering. The date of my download of the last Sygate product was Oct - 2005. There's just so much you can do with ports and permissions.