firewall?

Chat about anything related to Linux Mint
Locked

Well, I use....

I don't
10
40%
ufw
9
36%
firestarter
2
8%
iptables
3
12%
other...
1
4%
 
Total votes: 25

toomuchcoffee
Level 1
Level 1
Posts: 41
Joined: Wed Apr 18, 2012 8:24 am

firewall?

Post by toomuchcoffee »

What do you use, what do you recommend and what not... :?

Code: Select all

The program 'suck' is currently not installed.  To run 'suck' please ask your administrator to install the package 'suck'
craigevil
Level 5
Level 5
Posts: 553
Joined: Wed Sep 15, 2010 6:10 am
Location: down the rabbit hole
Contact:

Re: firewall?

Post by craigevil »

the shiny GUIs including gufw and firestarter just modify iptables.

I use ufw set to default deny. Allows all outgoing, denies all incoming connections. No need to tweak anything.

For the uber paranoid I would recommend moblock/peerguardian.
Debian Sid KDE4.8.4 Kernel 3.4 Thinkpad R40 CPU Pentium M 1.3MHz RAM 2GB ATI Mobility 7500
Debian - "If you can't apt-get something, it isn't useful or doesn't exist"
Giant Debian sources.list | Debian upgrade script smxi | sysinfo script inxi
Brian49
Level 5
Level 5
Posts: 611
Joined: Thu Oct 29, 2009 2:27 pm

Re: firewall?

Post by Brian49 »

I gave up using software firewalls some time ago. I rely entirely on my router's built-in firewall, which has never let me down. It's a good old Netgear DG834Gv4.
rhodry
Level 4
Level 4
Posts: 343
Joined: Mon Jun 04, 2007 7:32 am

Re: firewall?

Post by rhodry »

On servers I set up iptables manually for specific tasks performed - desktops, ufw default deny works for me, testing boxes I don't bother.

rhodry.
Life isn't about waiting for the storm to pass...
it's about learning to dance in the rain.
User avatar
munin
Level 1
Level 1
Posts: 25
Joined: Sat Apr 21, 2012 6:58 am

Re: firewall?

Post by munin »

If I have not misunderstood the info here, I should be reasonably secure with these Guwf settings: Status On. Incoming: Deny. Outgoing: Allow. No rules.
I dont use servers or any form of network, so I hope this is good enough.
craigevil
Level 5
Level 5
Posts: 553
Joined: Wed Sep 15, 2010 6:10 am
Location: down the rabbit hole
Contact:

Re: firewall?

Post by craigevil »

# ufw status verbose
Status: active
Logging: off
Default: deny (incoming), allow (outgoing)
New profiles: skip

no problems here. The only networking service I have running is dhclient.

Code: Select all

# netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:49153         0.0.0.0:*               LISTEN      19881/firefox   
tcp        0      0 127.0.0.1:46755         0.0.0.0:*               LISTEN      19881/firefox   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           816/dhclient    
udp        0      0 0.0.0.0:68              0.0.0.0:*                           6560/dhclient   
udp        0      0 0.0.0.0:6954            0.0.0.0:*                           6560/dhclient   
udp        0      0 0.0.0.0:7088            0.0.0.0:*                           816/dhclient    
udp6       0      0 :::46236                :::*                                6560/dhclient   
udp6       0      0 :::21003                :::*                                816/dhclient    
Debian Sid KDE4.8.4 Kernel 3.4 Thinkpad R40 CPU Pentium M 1.3MHz RAM 2GB ATI Mobility 7500
Debian - "If you can't apt-get something, it isn't useful or doesn't exist"
Giant Debian sources.list | Debian upgrade script smxi | sysinfo script inxi
rhodry
Level 4
Level 4
Posts: 343
Joined: Mon Jun 04, 2007 7:32 am

Re: firewall?

Post by rhodry »

Brian49 wrote:I gave up using software firewalls some time ago. I rely entirely on my router's built-in firewall, which has never let me down. It's a good old Netgear DG834Gv4.
I didn't bother looking up the specific model, but, there are going to be some surprised folk around once ipv6 permeates the net more thoroughly. Ipv6 does not recognise NAT (built in firewall used by most routers) - hence millions of unprotected machines on the net with a false sense of security!! :cry: Malware kiddies are going to have a field day with older hardware running older Windows.

Check your router now!!!!!

cheers,
rhodry.
Life isn't about waiting for the storm to pass...
it's about learning to dance in the rain.
User avatar
mint-me
Level 3
Level 3
Posts: 146
Joined: Sat May 26, 2012 2:25 am
Location: Australia

Re: firewall?

Post by mint-me »

i use gufw and block all incoming. i also block the following ports outgoing, as i don't run a server for outside use, and don't share files off my drive to anybody - especially Windows machines:

ports 135-139 [netbios sharing]
port 445 [ms-ds]
port 113 [auth/ident]

just to make sure...
Linux Mint 20 XFCE 64bit - HP Notebook 15 BS143TU Intel® Core™ i5-8250U, 8GB DDR4 2400Mhz, Intel® UHD Graphics 620, 1366x768 15.6", 1 TB SATA
josefg
Level 2
Level 2
Posts: 90
Joined: Sun Jun 12, 2011 7:07 pm

Re: firewall?

Post by josefg »

I used to run ZoneAlarm on Windows, but haven't found any similar application-based firewall for linux. So, so far, I'm running nothing... I am just as much interested in having control over what goes out as over what comes in.
craigevil
Level 5
Level 5
Posts: 553
Joined: Wed Sep 15, 2010 6:10 am
Location: down the rabbit hole
Contact:

Re: firewall?

Post by craigevil »

josefg wrote:I used to run ZoneAlarm on Windows, but haven't found any similar application-based firewall for linux. So, so far, I'm running nothing... I am just as much interested in having control over what goes out as over what comes in.

Linux-Firewall.org - Your application based personal firewall for Linux - http://linux-firewall.org/ doesn't say when it was last updated.

There was TuxGuardian - An application-based firewall - http://tuxguardian.sourceforge.net/ but it appears to be dead , hasn't been updated since 2006.

Program Guard - http://pgrd.sourceforge.net/ also hasn't been updated in a while

Systrace - Interactive Policy Generation for System Calls - https://www.citi.umich.edu/u/provos/systrace/

There really is not much of a point in having an application based firewall in linux. the problem in windows was all the spyware that called home. We do not have to deal with such things. Especially if you only use the packages in the repos.

Personally I do not see the need to block any outgoing ports.
Debian Sid KDE4.8.4 Kernel 3.4 Thinkpad R40 CPU Pentium M 1.3MHz RAM 2GB ATI Mobility 7500
Debian - "If you can't apt-get something, it isn't useful or doesn't exist"
Giant Debian sources.list | Debian upgrade script smxi | sysinfo script inxi
User avatar
eanfrid
Level 7
Level 7
Posts: 1855
Joined: Mon Apr 30, 2012 2:49 am
Location: FR

Re: firewall?

Post by eanfrid »

There is the "nufw" infrastructure but it is clearly a lot of overkill for a home PC as it targets corporate networks. Unless you are *really* paranoid you don't need to filter outgoing traffic at the application level. But if you are, you will have to learn (and become pretty skillful with) netfilter, connection tracking, iptables, ebtables and arptables in addition to dealing with nufw. "Firewalls" at the application level don't exist on Linux because they essentially are of no use.

For my own needs I don't use any firewall GUI. I write and maintain my own custom set of iptables/ebtables/arptables rules with home-made scripts.
Main desktop: Debian GNU/Linux Jessie 64bit - MATE
(i5 2400@3.7GHz - 16GB DDR3 - HD6770 w/radeon driver - SSD+RAID1)
Safer than Dropbox
User avatar
nextdistroplease
Level 1
Level 1
Posts: 37
Joined: Sat Jun 30, 2012 11:18 pm
Location: Lake Elsinore, CA

Re: firewall?

Post by nextdistroplease »

UFW

Default: deny (incoming), allow (outgoing)
New profiles: skip

To Action From
-- ------ ----
1:19/tcp DENY OUT Anywhere
1:19/udp DENY OUT Anywhere
22:52/tcp DENY OUT Anywhere
22:52/udp DENY OUT Anywhere
54:79/tcp DENY OUT Anywhere
54:79/udp DENY OUT Anywhere
81:122/tcp DENY OUT Anywhere
81:122/udp DENY OUT Anywhere
124:442/tcp DENY OUT Anywhere
124:442/udp DENY OUT Anywhere
444:65535/tcp DENY OUT Anywhere
444:65535/udp DENY OUT Anywhere
1:19/tcp DENY OUT Anywhere (v6)
1:19/udp DENY OUT Anywhere (v6)
22:52/tcp DENY OUT Anywhere (v6)
22:52/udp DENY OUT Anywhere (v6)
54:79/tcp DENY OUT Anywhere (v6)
54:79/udp DENY OUT Anywhere (v6)
81:122/tcp DENY OUT Anywhere (v6)
81:122/udp DENY OUT Anywhere (v6)
124:442/tcp DENY OUT Anywhere (v6)
124:442/udp DENY OUT Anywhere (v6)
444:65535/tcp DENY OUT Anywhere (v6)
444:65535/udp DENY OUT Anywhere (v6)
User avatar
bimsebasse
Level 7
Level 7
Posts: 1690
Joined: Fri Nov 11, 2011 10:21 am
Location: Scandinavia

Re: firewall?

Post by bimsebasse »

4 years on Linux without antivirus software and firewalls - never felt the need, never had an issue.

In Windows I used to run Spybot with tea timer so nothing in the registry was changed without my permission, and avira antivirus with active guard and firewall. Don't miss it one bit.
Thank you for this thread. That’s all I can say. You most definitely have made this forum into something special. You clearly know what you are doing, you’ve covered so many bases. Thanks!
User avatar
nextdistroplease
Level 1
Level 1
Posts: 37
Joined: Sat Jun 30, 2012 11:18 pm
Location: Lake Elsinore, CA

Re: firewall?

Post by nextdistroplease »

bimsebasse wrote:In Windows I used to run Spybot with tea timer so nothing in the registry was changed without my permission, and avira antivirus with active guard and firewall. Don't miss it one bit.
Remember WinPatrol?

SuperAntispyware?

I had at least two or three antimalware programs on top of my antivirus.

My spell checker wants to say antimalarial.

I love Linux.
craigevil
Level 5
Level 5
Posts: 553
Joined: Wed Sep 15, 2010 6:10 am
Location: down the rabbit hole
Contact:

Re: firewall?

Post by craigevil »

nextdistroplease wrote:
bimsebasse wrote:In Windows I used to run Spybot with tea timer so nothing in the registry was changed without my permission, and avira antivirus with active guard and firewall. Don't miss it one bit.
Remember WinPatrol?

SuperAntispyware?

I had at least two or three antimalware programs on top of my antivirus.

My spell checker wants to say antimalarial.

I love Linux.
I usually installed winpatrol, spyblaster, spybot search and destroy, avg, and/or microsoft security essentials, zonealarm.

It is so nice to not have to worry about all of that crap. I was paranoid for the first year I ran Debian had all kinds of apps like rkhunter, chkrootkit, tripwire, tiger, guarddog, checksecurity, samhain, psad, etc installed. But after they never found anything I finally realized a firewall was all I needed. Most routers have a decent firewall these days so no real need for a software firewall at all.
Debian Sid KDE4.8.4 Kernel 3.4 Thinkpad R40 CPU Pentium M 1.3MHz RAM 2GB ATI Mobility 7500
Debian - "If you can't apt-get something, it isn't useful or doesn't exist"
Giant Debian sources.list | Debian upgrade script smxi | sysinfo script inxi
MADDSNIPER
Level 1
Level 1
Posts: 12
Joined: Sat Dec 29, 2012 7:11 am

Re: firewall?

Post by MADDSNIPER »

Ive been trying to switch over to Linux from Windows full time and im finding advice from people such as, ""Firewalls" at the application level don't exist on Linux because they essentially are of no use."

and, "There really is not much of a point in having an application based firewall in linux. the problem in windows was all the spyware that called home. We do not have to deal with such things. Especially if you only use the packages in the repos." very interesting.

One of the things I was struggling to find on Linux was a music player that rivaled the likes of winamp. I tried many things, one of the ones i liked the most was clementine which is in most repos and comes installed with alot of linux distros. I used clementine on linux for a while then decided to try it on my windows machine as well. To my horror every mp3 i played through clementine on windows caused it to try to connect to the internet without my aproval. There was no option anywhere to turn this feature off. I was easily able to block this in windows with my application based software firewall but on Linux i didnt even know it was happening. What was being sent out over the internet without my permission? well i found this site to help me with that:

http://thesimplecomputer.info/choosing- ... sic-player

This guy does some nice reviews of linux music players, I'll paste some notes from it:

"Beatbox was built with the Last.fm API but unfortunately no way to turn it off. This means that the player will make a TLS encrypted connection to ws.audioscrobbler.com for every track change. This is also when the lyrics plugins are disabled and a Last.fm account was not being used."

"Wireshark revealed Amarok as the most talkative of all players here. On launch it connects to Last.fm, Mangnatune and Internet Archive but when you play a track, there’s a hemmorhage of web traffic.

Youtube, Myspace, Harvard, Rolling Stone, RIAA (…confused??), Associated Press, WordPress, Wikipedia, MTV, USA Television and Huffington Post are contacted simply by playing a song. And those are just the ones you’d likely recognize; there were many more hostnames which you’d be forgiven for not knowing."

"I did catch some internet activity from Clementine. A few seconds after launching, the player connects to Magnatune and Google. If you don’t use it, Magnatune can be disabled which will stop that connection. The Google call, however, persisted even when all the extras were disabled. Clementine sends a GET request to a 1e100 server wanting my geolocation (by IP address) info and Google responds with the date and time, my city name, latitude & longditude and country. This happens every time Clementine starts and the developers said it’s used by the Songkick API to find concerts in your area for artists you’re listening to."

"Guayadeque has intelligent playlists where it can add tracks from your library to a currently opened playlist based on what’s already in it. Wireshark showed how this works; Guayadeque asks audioscrobbler.com for similar tracks to the playing song and is then served a list. If any artists or albums on the list match what’s in your library, they’re added to the playlist. Guayadeque also has bulk editing ID3 tags which is incredibly useful if you’ve ever assigned tags to hundreds of albums.

Again courtesy of Wireshark, there’s no way to turn off lyric or cover art fetching. You can hide the tabs from view in Guayadeque, but GET requests are still sent out to lyrics.com, lyricsmania.com, images.amazon.com, coveralia.com, loudson.gs, lettras.mus.br, among many, many others. The player tries a lot of different sources for lyrics and cover art before giving up so Guayadeque will spit out a lot of internet traffic if you listen to lesser-known artists."

"each time Juke changed a track, it contacted lyrics.wikia.com. This was despite the lyrics option being unchecked and the pane hidden from view so there’s no way to disable that. Sloppy."

"On track changes, Audioscrobbler, lyrics sites and Google Translate are contacted. Nightingale is set to translate lyric text by default but these connections can be stopped by disabling the relevant services. The inital connections when the program is launched, however, cannot be disabled as easily. You could either use UFW like with Beatbox & Clementine, set Nightingale’s proxy (in Network Settings) to 127.0.0.1 on port 80 or remove ~/.Nightingale and rebuild its profile without metrics reporting."

"It probably goes without saying by now that Tomahawk is not a good choice for people with pay-by-bandwidth internet plans. The only way to keep Tomahawk offline is to either block it in ufw or disable the internet connection."


Now please can someone explain to me why we dont need a good application based firewall on Linux?
Locked

Return to “Chat about Linux Mint”