
#1 2009-02-23 01:48:28

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,222
Website

iptables not popular?

Looking at the statistics gathered from pkgstats: http://www.archlinux.de/?page=PackageStatistics

I notice that only around 48% of submitted machines have iptables installed. It's probably safe to say that slightly less than this percentage is actually using iptables.

What's the go with that?! One of the big reasons we use Linux is because it's a lot safer than other OSes generally speaking, but firewalls are always a good idea. Is there an alternative to iptables that people are using instead? Do we rely on TCP wrappers instead?

It was a little shocking to see that number, since if it is representative of the Arch user base in general, it indicates that more than half of Arch machines, which are presumably internet connected, are not using a firewall? :|

Offline

#2 2009-02-23 01:50:28

speng
Member
Registered: 2009-01-17
Posts: 136

Re: iptables not popular?

I just use my router's built-in firewall, I suspect there are a lot of other people that do the same thing as me.
I've considered switching to IPTables but that would mean having to set up several firewalls for each PC.

Offline

#3 2009-02-23 01:54:47

Hrod beraht
Member
Registered: 2008-09-30
Posts: 186

Re: iptables not popular?

fukawi2 wrote:

Is there an alternative to iptables that people are using instead?

A hardware firewall :P

Offline

#4 2009-02-23 02:22:32

DonVla
Member
From: Bonn, Germany
Registered: 2007-06-07
Posts: 997

Re: iptables not popular?

fukawi2 wrote:

What's the go with that?! One of the big reasons we use Linux is because it's a lot safer than other OSes generally speaking, but firewalls are always a good idea. Is there an alternative to iptables that people are using instead? Do we rely on TCP wrappers instead?

It was a little shocking to see that number, since if it is representative of the Arch user base in general, it indicates that more than half of Arch machines, which are presumably internet connected, are not using a firewall? :|

why shocking?
there is actually no need for a firewall, if one does not have any sensitive services running.
so disabling not needed services is secure enough for the common user.

Offline

#5 2009-02-23 02:33:23

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963
Website

Re: iptables not popular?

Keep in mind that there might be a negative correlation between the use of iptables and the inclination to share system data.


My Arch Linux Stuff | Forum Etiquette | Community Ethos - Arch is not for everyone

Offline

#6 2009-02-23 02:50:48

skottish
Forum Fellow
From: Here
Registered: 2006-06-16
Posts: 7,942

Re: iptables not popular?

Xyne wrote:

Keep in mind that there might be a negative correlation between the use of iptables and the inclination to share system data.

That was so much fun to read. A+

Offline

#7 2009-02-23 03:08:40

buttons
Member
From: NJ, USA
Registered: 2007-08-04
Posts: 620

Re: iptables not popular?

DonVla wrote:

there is actually no need for a firewall, if one does not have any sensitive services running.
so disabling not needed services is secure enough for the common user.

This.

All a firewall does is lock down ports YOU should've closed yourself.

Install lsof and check:

sudo lsof -i |grep LISTEN

The only open ports are those I would've left open on a firewall, anyway.  I.e., ssh and the like.  I run denyhosts to cover that as well.

You also forget that iptables can be used for other things, of course...I'd wager many of those people aren't using it as a firewall, but rather for port forwarding, etc.


Cthulhu For President!

Offline
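
The listening-socket check from post #7, extended as an added example (not code from any poster in this thread): the shell function below reads the output of lsof -i -P -n and labels each listener as loopback-only or exposed to the network. It also reports bound UDP sockets, which have no LISTEN state and so never match grep LISTEN. The sample lsof output, process names and addresses are constructed.

```shell
#!/bin/sh
# Added example: classify listening sockets from "lsof -i -P -n" output.
# Output columns: scope protocol address port command

classify_listeners() {
    awk '
    {
        proto = $8; name = $9; state = $10
        if (proto == "TCP") {
            if (state != "(LISTEN)") next      # skip established/closing connections
        } else if (proto == "UDP") {
            if (index(name, "->")) next        # skip connected UDP sockets
        } else {
            next                               # header line or other node types
        }
        # The port follows the last colon; the rest is the bind address,
        # which may itself contain colons (IPv6, e.g. [::1]).
        n = split(name, parts, ":")
        port = parts[n]
        addr = substr(name, 1, length(name) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]")
            scope = "loopback"
        else
            scope = "exposed"
        print scope, proto, addr, port, $1
    }' | sort -u
}

# Constructed sample input (process names, PIDs and addresses are made up).
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
cupsd     901 root    7u  IPv4  12400      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd     901 root    6u  IPv6  12399      0t0  TCP [::1]:631 (LISTEN)
mpd      1044 mpd     5u  IPv4  13001      0t0  TCP 192.168.1.20:6600 (LISTEN)
firefox  2211 alice  45u  IPv4  15000      0t0  TCP 192.168.1.20:51234->203.0.113.10:443 (ESTABLISHED)
avahi-da  700 avahi  12u  IPv4  11000      0t0  UDP *:5353
EOF
}

# Demo on the sample; on a live system: sudo lsof -i -P -n | classify_listeners
sample_lsof | classify_listeners
```

Anything reported as exposed is reachable from whatever network the machine joins unless the service is rebound to loopback, stopped, or filtered.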

#8 2009-02-23 03:22:26

Ranguvar
Member
Registered: 2008-08-12
Posts: 2,549

Re: iptables not popular?

Yeah. I have a Linux hardware firewall, but that's more for the Windoze PCs in the house than for me.

In fact, the only real security-related things I run on my Linux OS are encryption and MoBlock.

Offline

#9 2009-02-23 04:46:54

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,222
Website

Re: iptables not popular?

Interesting replies... Thanks everyone.

I have a *managed* firewall / intrusion detection system at home and still run iptables on all my servers / desktops. If one of my servers is compromised, I want to limit the damage they can do to my desktop for example. Maybe working at a security company has made me a security nut more than I thought...? :o

Offline

#10 2009-02-23 04:55:13

Alphalutra1
Member
Registered: 2006-09-16
Posts: 59

Re: iptables not popular?

Well as a proponent of firewalls, here are some things to consider.

A firewall is a piece of code meant to face outside and be attacked.  It is meant to handle all sorts of attacks and such, and has been audited to be able to handle this.  Therefore, in order to prevent any future bugs in handling of packets by the kernel which could result in a DoS, the firewall (netfilter) which is the code more meant to be exposed could be run.

However, the syntax of iptables and such is definitely a bit more difficult than, say, OpenBSD's pf.  This can be mitigated by GUI frontends.

So I'm definitely a proponent of it, however, many users probably don't install it because they don't have listening services, don't really consider the slight security edge gained from having a firewall, don't want to master the complexity, or simply are trying to avoid any overhead possible.

Cheers,

Alphalutra1

Offline

#11 2009-02-23 06:40:40

Zibi1981
Member
From: Poland
Registered: 2008-01-31
Posts: 637

Re: iptables not popular?

There are two main reasons why I don't use iptables at the moment:
1) I'm behind a firewall on my housing estate network
2) It's very complicated to configure and tune-up for a layman like me, and the GUI frontends I've tried so far were either as complicated to use (i.e. FirewallBuilder) or gave me some trouble with some services (i.e. Guarddog)
Nevertheless I'll have to do it eventually as my PC is a laptop and it moves through different, sometimes not secured, networks.


"... being a Linux user is sort of like living in a house inhabited by a large family of carpenters and architects. Every morning when you wake up, the house is a little different. Maybe there is a new turret, or some walls have moved. Or perhaps someone has temporarily removed the floor under your bed."

MSI Raider GE78HX 13VI-032PL

Offline

#12 2009-02-23 08:56:17

sand_man
Member
From: Australia
Registered: 2008-06-10
Posts: 2,164

Re: iptables not popular?

Hardware firewall here.


:|

Offline

#13 2009-02-23 09:21:36

jordi
Member
Registered: 2006-12-16
Posts: 103
Website

Re: iptables not popular?

hardware firewall

besides that, my notebooks don't listen on any ports. So I don't see a reason to have iptables

Last edited by jordi (2009-02-23 18:23:49)

Offline

#14 2009-02-23 10:07:27

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: iptables not popular?

Wow, I think I'm a bit paranoid... one of the first things I checked for when a friend told me about Linux was a decent firewall, even though I don't use any significant services such as ssh. Before Linux, I didn't spend a minute on XP without Zonealarm pro, and I haven't spent a minute on Linux without an iptables ruleset running.

Oh and I have an inconveniently long password of random letters/numbers for my user, and an even longer password for root :D and I'm not even a sysadmin... why am I so paranoid??

Last edited by dyscoria (2009-02-23 10:08:32)


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)

Offline

#15 2009-02-23 11:32:51

klixon
Member
From: Nederland
Registered: 2007-01-17
Posts: 525

Re: iptables not popular?

dyscoria wrote:

why am I so paranoid??

You used to use Windows and are [moderately?] technically competent.


Stand back, intruder, or i'll blast you out of space! I am Klixon and I don't want any dealings with you human lifeforms. I'm a cyborg!

Offline

#16 2009-02-23 12:35:21

Arkane
Member
From: Switzerland
Registered: 2008-02-18
Posts: 263

Re: iptables not popular?

I used to use Windows too but felt that reinstalling every 3 months was less of a hassle --'.


What does not kill you will hurt a lot.

Offline

#17 2009-02-23 13:48:32

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819
Website

Re: iptables not popular?

My router runs teh Linux, so what one would call a hardware firewall I guess?

Anyway, my Linux installations do not have a firewall, although I have been thinking for a while about setting up my server with one (even if it runs behind the router and has SSH on a different port and with keys-only access).


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy

Offline

#18 2009-02-23 13:59:48

initbox
Member
Registered: 2008-09-27
Posts: 172

Re: iptables not popular?

B wrote:

...Anyway, my Linux installations do not have a firewall, although I have been thinking for a while about setting up...

I've been thinking about it too.

But the thing is, I don't run any external services and if you use some sort of firewall it quickly becomes a major hassle. You'd have to manually open or close ports when you need to get something to work etc. Not worth the trouble as far as I'm concerned.

But, we'll see.

I have it installed on my system, I just don't use it. But it might come in handy.

Last edited by initbox (2009-02-23 14:00:16)

Offline

#19 2009-02-23 21:34:42

sand_man
Member
From: Australia
Registered: 2008-06-10
Posts: 2,164

Re: iptables not popular?

B wrote:

My router runs teh Linux, so what one would call a hardware firewall I guess?

Anyway, my Linux installations do not have a firewall, although I have been thinking for a while about setting up my server with one (even if it runs behind the router and has SSH on a different port and with keys-only access).

Yep my router runs busybox but it's not much fun to tinker with


:|

Offline

#20 2009-02-23 21:43:56

thisllub
Member
From: Northern NSW Australia
Registered: 2007-12-28
Posts: 231

Re: iptables not popular?

sand_man wrote:

Hardware firewall here.

And here.

Offline

#21 2009-02-24 00:08:09

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819
Website

Re: iptables not popular?

sand_man wrote:
B wrote:

My router runs teh Linux, so what one would call a hardware firewall I guess?

Anyway, my Linux installations do not have a firewall, although I have been thinking for a while about setting up my server with one (even if it runs behind the router and has SSH on a different port and with keys-only access).

Yep my router runs busybox but it's not much fun to tinker with

That depends I guess :). OpenWRT can be a lot of fun :P.

* B is eagerly awaiting the WRT600N port of Kamikaze so he can get one and switch to N wireless and Gigabit LAN


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy

Offline

#22 2009-02-24 00:49:46

deltaecho
Member
From: Georgia (USA)
Registered: 2008-08-06
Posts: 185

Re: iptables not popular?

Ranguvar wrote:

Yeah. I have a Linux hardware firewall, but that's more for the Windoze PCs in the house than for me.

In fact, the only real security-related things I run on my Linux OS are encryption and MoBlock.

I've never heard of MoBlock, what exactly are the security benefits of using it?  Their website states,

"MoBlock is a linux console application that blocks connections from/to hosts listed in a file in peerguardian format (guarding.p2p and p2p.p2b) or ipfilter.dat files. It uses iptables libnetfilter_queue userspace library and NFQUEUE kernel module."

...but they haven't had a release since 03/22/2006 -- is it still wise to use the application?


Dylon

Offline

#23 2009-02-24 01:16:11

Ranguvar
Member
Registered: 2008-08-12
Posts: 2,549

Re: iptables not popular?

Actually, the last release was about one year ago. 0.8, which was March 2006, is indeed the most recent stable version, but 0.9-rc2 is run by most everyone now as it has important fixes, especially for compatibility with recent Linux kernels.

The actual app MoBlock does not need much updating, because it's a glorified front-end :) The real work is done by the people (Bluetack, in this case) providing the block lists. To explain, I use MoBlock to block IPs known or suspected to be owned by the large media corporations, etc. Let's just say I wouldn't want them in my BitTorrent swarm ;) (I won't get into the morality of this - that's a separate thing) It's to Linux what PeerGuardian is to Windows.

Sound paranoid? Maybe... but try it, and watch as the list of blocked IPs (and the names of the suspected owners) piles up. Speed isn't affected usually, and every little bit helps.

Offline

#24 2009-02-24 02:18:04

Misfit138
Misfit Emeritus
From: USA
Registered: 2006-11-27
Posts: 4,189

Re: iptables not popular?

Behind a cheap D-Link router whose firewall works superbly.

Offline

#25 2009-02-24 03:24:03

jacko
Member
Registered: 2007-11-23
Posts: 840

Re: iptables not popular?

hardware firewall. iptables was more trouble than it was worth.

Offline
