Hi,
I'm running Arch on my PC at home and I have a cable modem. I do not run any services. So, do I still need a firewall?
Thanks
Offline
No, not really.
Offline
Every building should have at least one firewall. ;-)
Offline
usually routers have their own internal firewalling / port blocking...
if you don't need access to your computer from outside, I'd just make sure your hosts.deny file denies everything... that should be safe enough
you can always run nmap on localhost to check and see if you have any ports opened up which would allow access
Offline
Easier to run netstat -lptu to see which programs are keeping which ports open to the outside world.
Offline
Hi,
Thanks for your answers. I was reading this on the Ubuntu site:
http://www.ubuntuforums.org/showthread. … t=firewall
So, I thought it was the same with Arch. If I look in my /etc/rc.conf I don't see any daemons listening to the outside world...
Just wanted to make sure I'm safe!
Thanks
Offline
Just don't enable remote X and you should be fine.
Offline
People! Every computer should be behind a good firewall!
Especially if you have a cable modem.
Here is an easy firewall generator from quicktables. Run the quicktables script, then follow the instructions in the INSTALL file and reboot:
http://qtables.radom.org/files/quicktables-2.3.tar.gz
You can test how well it works by running GRC's firewall test: www.grc.com (Shields Up)
If you need more help setting it up let me know.
Offline
no way - I got nothing up.. hell, port 22 is direct straight at this box.... never had a problem
Offline
no way - I got nothing up.. hell, port 22 is direct straight at this box.... never had a problem
...and you may never have any problems, but without a firewall and a port wide open you're still rolling the dice. This is a judgement call, merpheus; just realize that without a good firewall IT IS possible for a hacker to track you and do some harm to your system in some way. It may be remote, but it is still possible nonetheless.
Offline
I haven't got a firewall, I've just got a router with no ports forwarded.
Besides, it's very unlikely for a cracker, not hacker, cracker to go to the effort to attack you if you don't have a firewall. I ran without a firewall for months without problem - directly connected, not via router.
iphitus
Offline
I haven't got a firewall, I've just got a router with no ports forwarded.
Besides, it's very unlikely for a cracker, not hacker, cracker to go to the effort to attack you if you don't have a firewall. I ran without a firewall for months without problem - directly connected, not via router.
iphitus
At least you got the cracker part right.
As for it being very unlikely for someone to NOT go through the effort if you DON'T have a firewall?? Backwards logic? It would be much easier to do so. Remember, crackers are not all about fun-n-games, just for the thrill of it, type stuff. It has unfortunately become big business. You can buy and sell "bot nets" for just about any purpose you could think of that would require control over 1000s of distributed computers all net connected (think DDOS, spam relaying, etc.)
Insidious underbelly of the internet, true, but it does exist. A firewall is not a panacea, but it often is helpful.
ps. If you have one of those little cable-modem/dsl routers, and even some cable/dsl modems, you likely have a built in firewall. Most of those little nat devices also have firewalls. nat in and of itself, is also very helpful...
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
Offline
Aren't broadcast ICMPs the very first step in how these bots find you initially? I mean any computer that responds to them lets it know something is out there, which in turn allows it to progress to the next step? It seems to be a very commonly overlooked security issue on desktop PCs.
BTW I apologize for my backwards slip-up of hackers and crackers.
Offline
My 2 cents:
1.) Many computers are directly connected to the internet, but only a few of them get hacked.
2.) Most botnets are based on Windows, i.e. these bots usually infect computers running Windows and won't affect other operating systems. That alone is a BIG security gain.
3.) Even if botnets were based on other operating systems, you would still be more secure even without a firewall, as GNU/Linux is more secure than Windows.
4.) As long as you don't run "insecure" applications that listen for connection attempts and therefore "open" ports, you will be fairly safe even without a firewall. There simply won't be any open ports to hack into your machine.
There may be ways to get a machine down or hacked into even without open ports but these are limited and usually the related kernel code has been made sufficiently secure over time. DOS is still a significant threat but even if your computer is heavily affected by an attack there's no guarantee it will compromise your system.
5.) NAT, specifically ip masquerading, already is a very good additional protection, as the "NAT router" will only open ports for connections your machine establishes to the internet. All other ports can/will be closed.
6.) Disabling the return of "echo requests" (e.g. ping) in your firewall settings is not considered good netiquette.
7.) Imho, on a single box directly connected to the internet a firewall does not make too much sense, except for preventing DOS attacks. You probably want to keep the ports open for the daemons you are running and all the other ports will be closed anyway, so where's the point? If you don't want to keep a specific port open you can simply disable the daemon or configure it to listen on the loopback interface only.
Cheers,
Dominik
Offline
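The check discussed above (list the listening sockets, then see which are bound only to loopback), as an added example that is not part of any post in this thread. It assumes net-tools `netstat` run with `-n` added so addresses stay numeric; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# exposed_listeners: read `netstat -lntup` style output on stdin and print
# "proto address port program" for every listener NOT bound to loopback.
# Sockets on 127.0.0.0/8 or ::1 are unreachable from the network and skipped.
exposed_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        la = $4                          # Local Address column
        n = match(la, /:[^:]*$/)         # last colon separates the port
        addr = substr(la, 1, n - 1)
        port = substr(la, n + 1)
        if (addr ~ /^127\./ || addr == "::1") next
        print $1, addr, port, $NF        # $NF is PID/Program (needs root)
    }'
}

# Constructed sample of `netstat -lntup` output (not from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      512/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      430/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      512/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      430/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           401/dhcpcd
EOF
}

# On a live system: netstat -lntup | exposed_listeners
sample_netstat | exposed_listeners
```

An empty result means nothing is listening on a routable address; every line printed is a daemon to disable, rebind to loopback, or filter.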
People, please ignore Penguin on this topic, he doesn't seem to know what he's talking about...
Additions to incinerator's comment (listen to him, he knows his stuff):
1) All people I know who don't know computers that well and are running Windows have been cracked. More likely via a virus than directly through the internet, but can't know for sure.
4) If you don't have any port open it may be even safer to run no firewall, because the firewall code has bugs too, and the more code is used for the incoming packet handling, the bigger the chance a remote exploit exists. A firewall won't save you from a DOS attack, except a pathetic one.
5) NAT is evil and should die, but thanks to its horrible properties (crippling internet, making it harder for hosts to connect to each other) it adds a certain kind of security...
6) Blocking ping is not only bad etiquette, it doesn't add any security at all either (take a look at nmap).
7) Running a firewall in such a situation is just being lazy, it's easy enough and less work than making sure that all daemons always listen locally only.
Offline
meh. I had a long post, countering many points, agreeing with several..
then I realized it was all a waste of time. People have their own ideas and perceptions about security, and my little post in this forum will likely change none of them....
So, instead, here is my little half-cent opinion:
A firewall is not a panacea. It will not cure all ills. It is simply another tool in the arsenal of computer security. I like to think of a firewall as a bouncer at the door. He might not prevent every form of violence from entering the bar (my computer), but even if he prevents one, it was time well spent. I try not to limit myself as to what tools I use for protection. In the balance between security and usability, I lean towards more secure, and deal with the usability issues that arise.
I heard a quote somewhere once: "The best way to secure a computer is to disconnect it from the net, put it in a bunker, enclose it in a faraday shield, and keep it turned off." There might have been a line in there about burning something too, but I don't recall.
Offline
You're completely right of course, but the question was if he needs a firewall, not if he should use one.
He doesn't need one, but perhaps he should use one, for whatever reason... (feel-good value, getting iptables experience, paranoia reducement) But just using a firewall because it is somehow "secure" in a situation where it doesn't add anything is bad because other, bigger security problems aren't fixed. Go secure your router, that thing can be cracked too.
Offline
I like not having a firewall... in the off chance that someone does hit my ssh port and log on as my ssh user (I have a different user account with an 11 char non-dictionary password for ssh) not to mention the fact that they would have to spoof an ip or something (I only allow 2 distinct ips to connect)... then I will congratulate them and then have a fun time fixing my box...
Offline
Yes, making backups is so much more important than a firewall...
Offline
agreed: all my important files go across samba/nfs (same share) to my local file server.... the rest I can always redo... except for $HOME, but it's not like that stuff's *important*, just convenient... though I do keep my vimrc backed up 8)
Offline