Looking at the statistics gathered from pkgstats: http://www.archlinux.de/?page=PackageStatistics
I notice that only around 48% of submitted machines have iptables installed. It's probably safe to say that slightly less than this percentage is actually using iptables.
What's the go with that?! One of the big reasons we use Linux is because it's a lot safer than other OSes generally speaking, but firewalls are always a good idea. Is there an alternative to iptables that people are using instead? Do we rely on TCP wrappers instead?
It was a little shocking to see that number, since if it is representative of the Arch user base in general, it indicates that more than half of Arch machines, which are presumably internet connected, are not using a firewall?
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
I just use my router's built-in firewall, I suspect there are a lot of other people that do the same thing as me.
I've considered switching to IPTables but that would mean having to set up several firewalls for each PC.
Is there an alternative to iptables that people are using instead?
A hardware firewall
What's the go with that?! One of the big reasons we use Linux is because it's a lot safer than other OSes generally speaking, but firewalls are always a good idea. Is there an alternative to iptables that people are using instead? Do we rely on TCP wrappers instead?
It was a little shocking to see that number, since if it is representative of the Arch user base in general, it indicates that more than half of Arch machines, which are presumably internet connected, are not using a firewall?
Why shocking?
There is actually no need for a firewall if one does not have any sensitive services running.
So disabling unneeded services is secure enough for the common user.
Keep in mind that there might be a negative correlation between the use of iptables and the inclination to share system data.
My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone
Keep in mind that there might be a negative correlation between the use of iptables and the inclination to share system data.
That was so much fun to read. A+
There is actually no need for a firewall if one does not have any sensitive services running.
So disabling unneeded services is secure enough for the common user.
This.
All a firewall does is lock down ports YOU should've closed yourself.
Install lsof and check:
sudo lsof -i | grep LISTEN
The only open ports are those I would've left open on a firewall, anyway. I.e., ssh and the like. I run denyhosts to cover that as well.
You also forget that iptables can be used for other things, of course...I'd wager many of those people aren't using it as a firewall, but rather for port forwarding, etc.
Cthulhu For President!
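The "check what is listening" advice above, turned into an audit against an explicit allow-list. This is an added example, not code from the thread: it parses `lsof -i` output, a constructed sample is embedded so it runs offline, and the allow-list (only TCP 22 for sshd) is an assumption.

```shell
#!/bin/sh
# Audit listening sockets against an explicit allow-list. Added example, not
# code from the thread. It parses `lsof -i` output; a constructed sample is
# embedded so it runs offline, `--live` runs the real `sudo lsof -nPi` instead.

# Assumption: the only service this desktop should expose is sshd on TCP 22.
ALLOWED_PORTS="22"

# Constructed sample of `lsof -i` output (not a real capture).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd      812 root    4u  IPv6  12346      0t0  TCP *:22 (LISTEN)
cupsd     903 root    7u  IPv4  12400      0t0  TCP localhost:631 (LISTEN)
avahi-d   655 avahi  12u  IPv4  12500      0t0  UDP *:mdns
python3  2210 alice   5u  IPv4  13000      0t0  TCP *:8000 (LISTEN)
firefox  2401 alice  44u  IPv4  14000      0t0  TCP 192.168.1.5:50312->203.0.113.10:443 (ESTABLISHED)'

# One line per TCP listener: "proto port address command". Caveat: UDP sockets
# never carry a (LISTEN) state, so `grep LISTEN` misses them; use `ss -ulnp`.
listening_sockets() {
    awk '/\(LISTEN\)/ {
        n = split($9, a, ":")                 # NAME field is address:port
        port = a[n]                           # last component is the port
        addr = substr($9, 1, length($9) - length(port) - 1)
        print $8, port, addr, $1
    }'
}

# Print listeners bound to a non-loopback address whose port is not allowed.
# Exit status 1 when something unexpected is found, 0 when the box is clean.
unexpected_listeners() {
    listening_sockets | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, ok, " "); for (i = 1; i <= n; i++) okp[ok[i]] = 1 }
        $3 ~ /^(localhost|127\.|\[::1\]|::1)/ { next }   # loopback-only is fine
        !($2 in okp) { print; found = 1 }
        END { exit (found ? 1 : 0) }'
}

if [ "${1:-}" = "--live" ]; then
    sudo lsof -nPi | unexpected_listeners || echo "review the listeners above"
else
    printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners || echo "review the listeners above"
fi
```

On the sample the only finding is the python3 process on TCP 8000 bound to all interfaces; the cupsd socket on localhost is ignored.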
Yeah. I have a Linux hardware firewall, but that's more for the Windoze PCs in the house than for me.
In fact, the only real security-related things I run on my Linux OS are encryption and MoBlock.
Interesting replies... Thanks everyone.
I have a *managed* firewall / intrusion detection system at home and still run iptables on all my servers / desktops. If one of my servers is compromised, I want to limit the damage they can do to my desktop for example. Maybe working at a security company has made me a security nut more than I thought...?
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Well as a proponent of firewalls, here are some things to consider.
A firewall is a piece of code meant to face outside and be attacked. It is meant to handle all sorts of attacks and such, and has been audited to be able to handle this. Therefore, in order to prevent any future bugs in the handling of packets by the kernel, which could result in a DoS, the firewall (netfilter), which is the code more meant to be exposed, could be run.
However, the syntax of iptables and such is definitely a bit more difficult than, say, OpenBSD's pf. This can be mitigated by GUI frontends.
So I'm definitely a proponent of it; however, many users probably don't install it because they don't have listening services, don't really consider the slight security edge gained from having a firewall, don't want to master the complexity, or simply are trying to avoid any overhead possible.
Cheers,
Alphalutra1
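For the "iptables syntax is harder than pf" point above, here is what a minimal stateful default-deny ruleset for a single desktop actually looks like, written out in iptables-restore format. This is an added example, not from the thread or any poster: it assumes sshd on TCP 22 (overridable through SSH_PORT) is the only service worth exposing, and the ssh rate limit via the `recent` match is my choice, not something the thread prescribes.

```shell
#!/bin/sh
# Stateful default-deny IPv4 ruleset for a single desktop or laptop, emitted in
# iptables-restore format. Added example, not from the thread. Assumptions: the
# only service worth exposing is sshd on TCP ${SSH_PORT}; ICMP echo stays open.

SSH_PORT="${SSH_PORT:-22}"

desktop_ruleset() {
    cat <<EOF
*filter
# Drop unsolicited inbound and all forwarded traffic; let the host talk out.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is local and always allowed.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (the stateful part).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection and do not start one.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Keep the box pingable so it can be diagnosed from the LAN.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# sshd: the one exposed service. More than 3 new connections from one source
# in 60 s are dropped, which covers what denyhosts is used for in the thread.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Log a sample of what the DROP policy eats so the rules can be tuned.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Count of explicit rules (lines starting with -A), useful for a sanity check.
rule_count() {
    desktop_ruleset | grep -c '^-A '
}

if [ "${1:-}" = "--apply" ]; then
    desktop_ruleset | iptables-restore   # needs root; read the output first
else
    desktop_ruleset
fi
```

Run it without arguments to review the generated rules; the INPUT policy of DROP is what makes every port not explicitly listed closed from the outside, which is the "ports you should have closed yourself" argument made with a safety net.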
There are two main reasons why I don't use iptables at the moment:
1) I'm behind a firewall on my housing estate network
2) It's very complicated to configure and tune up for a layman like me, and the GUI frontends I've tried so far were either as complicated to use (i.e. FirewallBuilder) or gave me some trouble with some services (i.e. Guarddog)
Nevertheless I'll have to do it eventually as my PC is a laptop and it moves through different, sometimes not secured, networks.
"... being a Linux user is sort of like living in a house inhabited by a large family of carpenters and architects. Every morning when you wake up, the house is a little different. Maybe there is a new turret, or some walls have moved. Or perhaps someone has temporarily removed the floor under your bed."
MSI Raider GE78HX 13VI-032PL
Hardware firewall here.
Wow, I think I'm a bit paranoid... one of the first things I checked for when a friend told me about Linux was a decent firewall, even though I don't use any significant services such as ssh. Before Linux, I didn't spend a minute on XP without Zonealarm pro, and I haven't spent a minute on Linux without an iptables ruleset running.
Oh and I have an inconveniently long password of random letters/numbers for my user, and an even longer password for root and I'm not even a sysadmin... why am I so paranoid??
Last edited by dyscoria (2009-02-23 10:08:32)
flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)
why am I so paranoid??
You used to use Windows and are [moderately?] technically competent.
Stand back, intruder, or I'll blast you out of space! I am Klixon and I don't want any dealings with you human lifeforms. I'm a cyborg!
I used to use Windows too but felt that reinstalling every 3 months was less of a hassle --'.
What does not kill you will hurt a lot.
My router runs teh Linux, so what one would call a hardware firewall I guess?
Anyway, my Linux installations do not have a firewall, although I have been thinking for a while about setting up my server with one (even if it runs behind the router and has SSH on a different port and with keys-only access).
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
...Anyway, my Linux installations do not have a firewall, although I have been thinking for a while about setting up...
I've been thinking about it too.
But the thing is, I don't run any external services and if you use some sort of firewall it quickly becomes a major hassle. You'd have to manually open or close ports when you need to get something to work etc. Not worth the trouble as far as I'm concerned.
But, we'll see.
I have it installed on my system, I just don't use it. But it might come in handy.
Last edited by initbox (2009-02-23 14:00:16)
My router runs teh Linux, so what one would call a hardware firewall I guess?
Anyway, my Linux installations do not have a firewall, although I have been thinking for a while about setting up my server with one (even if it runs behind the router and has SSH on a different port and with keys-only access).
Yep, my router runs busybox but it's not much fun to tinker with.
Hardware firewall here.
And here.
B wrote: My router runs teh Linux, so what one would call a hardware firewall I guess?
Anyway, my Linux installations do not have a firewall, although I have been thinking for a while about setting up my server with one (even if it runs behind the router and has SSH on a different port and with keys-only access).
Yep, my router runs busybox but it's not much fun to tinker with.
That depends, I guess. OpenWRT can be a lot of fun.
* B is eagerly awaiting the WRT600N port of Kamikaze so he can get one and switch to N wireless and Gigabit LAN
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
Yeah. I have a Linux hardware firewall, but that's more for the Windoze PCs in the house than for me.
In fact, the only real security-related things I run on my Linux OS are encryption and MoBlock.
I've never heard of MoBlock, what exactly are the security benefits of using it? Their website states,
"MoBlock is a linux console application that blocks connections from/to hosts listed in a file in peerguardian format (guarding.p2p and p2p.p2b) or ipfilter.dat files. It uses iptables libnetfilter_queue userspace library and NFQUEUE kernel module."
...but they haven't had a release since 03/22/2006 -- is it still wise to use the application?
Dylon
Actually, the last release was about one year ago. 0.8, which was March 2006, is indeed the most recent stable version, but 0.9-rc2 is run by most everyone now as it has important fixes, especially for compatibility with recent Linux kernels.
The actual app MoBlock does not need much updating, because it's a glorified front-end. The real work is done by the people (Bluetack, in this case) providing the block lists. To explain, I use MoBlock to block IPs known or suspected to be owned by the large media corporations, etc. Let's just say I wouldn't want them in my BitTorrent swarm (I won't get into the morality of this - that's a separate thing). It's to Linux what PeerGuardian is to Windows.
Sound paranoid? Maybe... but try it, and watch as the list of blocked IPs (and the names of the suspected owners) piles up. Speed isn't affected usually, and every little bit helps.
Behind a cheap D-Link router whose firewall works superbly.
Hardware firewall. iptables was more trouble than it was worth.