
#1 2004-08-13 06:31:41

neocephas
Member
From: orange, ca
Registered: 2004-02-14
Posts: 30

Do you use a firewall?

I've been using Arch for a while now (6+ months?) and I'm pretty decent with it now IMHO and have done lots of things with it.  One of the things I haven't done though is set up a firewall.  I know a lot of you do, but I don't run one.  Not that I don't believe in security or anything, but I just never got around to configuring it... plus, I've never used one before (either on Windows or Gentoo or NetBSD).

So I am wondering if any of you don't use a firewall and why not?  For those of you that do, do you see a lot of downsides to not running a firewall?  I mean, is the danger really that big?  To me, a firewall seems too much of a hassle, at least when using Linux.  But I am not a big security buff, so I can easily be wrong.

As a side note, I have a wireless router that does NAT (only ssh, gift, and http are allowed out), so it's kind of a firewall when I'm at home and protects the computers in my house.  I'm talking about a software firewall (i.e. iptables) that runs on my own laptop, because at school I don't have a NAT.


#2 2004-08-13 07:10:37

IceRAM
Member
From: Bucharest, Romania
Registered: 2004-03-04
Posts: 772

Re: Do you use a firewall?

Why I use a firewall:
1. it does NAT (I don't have a router and I might not even get one because I have only 2 computers)
2. there are several ports opened by some applications (see "netstat -ltup" as root) which I don't really know how to close yet (besides this, it's better to keep those ports stealthed and not advertise the "capabilities" of my computer - just in case they allow some sort of security in the configs, but still keep the ports open)

What I use: gShield (the PKGBUILD I've put somewhere on the forums is more appropriate for the static IP configurations - I will update it as soon as I can)


#3 2004-08-13 11:51:17

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: Do you use a firewall?

If you're behind NAT then you don't need a firewall, because people can't reach your PC anyway (except perhaps when you've forwarded ports and are paranoid).


#4 2004-08-13 12:16:17

mcubednyc
Member
From: New York, NY USA
Registered: 2004-03-17
Posts: 120

Re: Do you use a firewall?

I haven't set up a firewall for the same reasons -- I have a router ("wired," in my case) and it seems like a hassle.  Even before I got the router, I never set up a firewall under WinXP, though I did use A/V software.  Now I don't even bother with A/V under WinXP -- the chances of being infected seem fairly slim if you use software more inherently secure than IE/OE.  Anyway, I don't boot into WinXP more than once a week anymore, as a rule.

I guess I'm lax all around.  I guess that would change if or when something bad happens, or if I start doing more with my computer than using it for basic home desktop stuff (running servers or whatever).


"No live organism can continue for long to exist sanely under conditions of absolute reality; even larks and katydids are supposed, by some, to dream." - S. Jackson


#5 2004-08-13 12:41:42

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: Do you use a firewall?

With Windows I would always run a firewall, to control unwanted outgoing connections...


#6 2004-08-13 15:07:48

lanrat
Member
From: Poland
Registered: 2003-10-28
Posts: 1,274

Re: Do you use a firewall?

Just don't forget that a packet filter alone (iptables, ipfilter etc.) is not really the same thing as a firewall. Firewalls can consist of many technologies and machines. For example, NAT and a proxy can be elements of a firewall too (NAT is often done through a packet filter).
Controlling and logging outgoing connections when you have a large network or you're using Windows is a good idea (some people are really surprised when they can see what comes out of their Windows ;-)).
The worst danger doesn't come from the internet though. The worst attacks and hacks come from the "man in the middle".
BTW: A good firewall should not only close specific ports. It should have everything closed by default and then open only the ports you know the purpose of. And the firewall's job is not only about ports. For example, you should block all connections coming from the outside but with an IP of 192.168.x.x - normally it shouldn't happen, but...

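As an added example (not from this thread), here is what the points above look like on a laptop with no NAT in front of it: everything closed by default, explicit opens, and anything arriving on the uplink with a private (192.168.x.x etc.) or loopback source address logged and dropped. The uplink name WAN_IF is an assumption; set IPT="echo iptables" to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example: default-deny host firewall with anti-spoofing and logged drops.
# WAN_IF is an assumed interface name; IPT="echo iptables" gives a dry run.
IPT="${IPT:-/usr/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"
# Sources that can never legitimately arrive from the outside.
BOGON_SRCS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16"

fw_start() {
    $IPT -F
    $IPT -X
    # Default deny inbound and forwarded traffic; outbound stays open here.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Logged drop, rate-limited so a flood cannot fill the log.
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "FW DROP: "
    $IPT -A LOGDROP -j DROP
    # Anti-spoofing: nothing on the uplink may claim a private or loopback source.
    for net in $BOGON_SRCS; do
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j LOGDROP
    done
    # Stateful: drop broken state, accept replies to connections this host opened.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Explicit services: only ssh is open.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Answer pings, but only at a limited rate; the excess falls through to LOGDROP.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # Everything else is logged and dropped (the DROP policy is the backstop).
    $IPT -A INPUT -j LOGDROP
}

fw_stop() {
    # Really open the host again: flush rules, delete chains, reset policies.
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
esac
```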

#7 2004-08-13 15:43:22

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986

Re: Do you use a firewall?

Perhaps those of us saying we don't use one are begging for trouble, eh?  I don't use one because I'm on dialup and feel semi-secure in the fact that nobody in their right mind would attempt a hack over so slow a connection... it would be so boring and annoying as to be no fun whatsoever. ;)

If I had broadband, I would probably set one up just to find out how it's done.

Dusty


#8 2004-08-13 18:43:56

colnago
Member
From: Victoria, BC
Registered: 2004-03-25
Posts: 438

Re: Do you use a firewall?

Here is what I use.  It was in some other post and I modified it for the Arch functions so it shows up like the other daemons.  It allows all incoming ssh and does nothing to block any outgoing.  When I check on places like grc it shows everything stealth except port 22 (ssh).  I sometimes run a DNS server and thus the commented-out port 53 line.  If you want to be able to do something like ssh from outside, you need to forward the port on your NAT box.  I like it because it is very simple, so that even I can add/delete rules w/o having to learn any iptables stuff.  There are much more complex examples around if you are looking to be more secure.

#!/bin/bash
. /etc/rc.conf
. /etc/rc.d/functions
LAN_NET="192.168.2.0/24"
#LOOPBACK="127.0.0.0/8"
case "$1" in
  start)
    stat_busy "Starting Firewall"
    /usr/sbin/iptables -F
    /usr/sbin/iptables -P OUTPUT ACCEPT
    /usr/sbin/iptables -P FORWARD DROP
    /usr/sbin/iptables -P INPUT DROP
    # Enable loopback
    /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
    /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
    #sshd ok (from anywhere)
    /usr/sbin/iptables -A INPUT -s 0/0 -p tcp --destination-port 22 -j ACCEPT
    #bind port (LAN only, enable when running a DNS server)
    #/usr/sbin/iptables -A INPUT -s $LAN_NET -p tcp --destination-port 53 -j ACCEPT
    # stateful input: replies to connections this host opened (eth0 only)
    /usr/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    add_daemon firewall
    stat_done
    ;;
  stop)
    stat_busy "Stopping Firewall"
    # iptables is not a running process, so there is nothing to kill:
    # flush the rules and reset the policies to ACCEPT to really open up
    /usr/sbin/iptables -F
    /usr/sbin/iptables -P INPUT ACCEPT
    /usr/sbin/iptables -P FORWARD ACCEPT
    /usr/sbin/iptables -P OUTPUT ACCEPT
    rm_daemon firewall
    stat_done
    ;;
  restart)
    $0 stop
    sleep 2
    $0 start
    ;;
  *)
    echo "usage: $0 {start|stop|restart}"
esac
#End of file


#9 2004-08-13 19:48:55

neocephas
Member
From: orange, ca
Registered: 2004-02-14
Posts: 30

Re: Do you use a firewall?

Thanks for your replies.  I am not really concerned about when I'm behind my NAT at home.  The reason I am asking about a firewall is when I'm at school, when I don't have something in between me and the rest of the network.  That said, I guess I'll take the script posted above into consideration.  Thanks.

Also, I do use my NAT at home to forward ssh and http connections to my main tower.


#10 2004-08-14 08:11:07

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615

Re: Do you use a firewall?

Here is what I use. I am still tweaking it a bit.
Got a good portion of it from a book, and have added some of my own stuff to it..
I am still tweaking blocking on the outgoing, but have to be careful.. it's a remote box running Red Hat AS3, several hundred miles away...
;)

#!/bin/bash

############################################
## Script Variables
############################################
IPT="/sbin/iptables"

IP="my_ip_address"

BADIP="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 192.168.0.0/16 192.0.34.0/24 172.16.0.0/12 224.0.0.0/4 240.0.0.0/5 255.255.255.255"

SHUNIP=""    ## space-separated list of blocked IPs/networks (empty = none)

LOGOPT="--log-level=3 -m limit --limit 3/minute --limit-burst 3"
SYNOPT="-m limit --limit 5/second --limit-burst 10"

if [ ! -x "$IPT" ]
then
    echo "firewall: can't execute $IPT" >&2
    exit 1
fi


############################################
## System Settings
############################################
##enable echo broadcast protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

##disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

##enable tcp SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

##Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

##Don't send ICMP Redirects
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

##drop spoofed packets coming into an interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

##log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done


############################################
## Default Policies
############################################
##set default table policies
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP

## $IPT -t nat --policy PREROUTING DROP
## $IPT -t nat --policy OUTPUT DROP
## $IPT -t nat --policy POSTROUTING DROP

## $IPT -t mangle --policy PREROUTING DROP
## $IPT -t mangle --policy OUTPUT DROP

##remove any existing rules
$IPT -F
## $IPT -t nat -F
## $IPT -t mangle -F

###remove pre-existing user chains
$IPT --delete-chain
## $IPT -t nat --delete-chain
## $IPT -t mangle --delete-chain


############################################
## LOGGING CHAINS
############################################
$IPT -N LDROP
$IPT -A LDROP -j LOG --log-prefix "IPT Drop:  " $LOGOPT
$IPT -A LDROP -j DROP

$IPT -N LBADIP
$IPT -A LBADIP -p tcp --dport 137:139 -j DROP
$IPT -A LBADIP -p udp --dport 137:139 -j DROP
$IPT -A LBADIP -j LOG --log-prefix "IPT BADIP:  " $LOGOPT
$IPT -A LBADIP -j DROP

$IPT -N LSHUN
$IPT -A LSHUN -j LOG --log-prefix "IPT SHUNIP:  " $LOGOPT
$IPT -A LSHUN -j DROP

$IPT -N LFLOOD
$IPT -A LFLOOD -j LOG --log-prefix "IPT Flood:  " $LOGOPT
$IPT -A LFLOOD -j DROP

$IPT -N LFLAGS
$IPT -A LFLAGS -j LOG --log-prefix "IPT BADFLAGS:  " $LOGOPT
$IPT -A LFLAGS -j DROP

############################################
## BAD IPS
############################################
$IPT -N BADIP
for ip in $BADIP; do
    $IPT -A BADIP -s $ip -j LBADIP
    $IPT -A BADIP -d $ip -j LBADIP
done


############################################
## Shunned IPS
############################################
$IPT -N SHUN
for ip in $SHUNIP; do
    $IPT -A SHUN -s $ip -j LSHUN
    $IPT -A SHUN -d $ip -j LSHUN
done


############################################
## Traffic COUNTing table
############################################
$IPT -N COUNT
$IPT -A COUNT                                ##should count all traffic
$IPT -A COUNT -p udp --dport 5121    ##game server traffic
$IPT -A COUNT -p udp --sport 5121    ##game server traffic


############################################
## SYN FLood Protection
############################################
$IPT -N FLOOD

##accepts datagrams at limited rates only
$IPT -A FLOOD $SYNOPT -j RETURN
$IPT -A FLOOD -j LFLOOD


############################################
## TCP Flag Validation
############################################
$IPT -N FLAGS
$IPT -A FLAGS -p tcp --tcp-flags ACK,FIN FIN -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ACK,PSH PSH -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ACK,URG URG -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags FIN,RST FIN,RST -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL ALL -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL NONE -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL FIN,PSH,URG -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LFLAGS

#THE REST OF THE COMBINATIONS ARE VALID


############################################
## input
############################################
$IPT -N IN
$IPT -A IN -m state --state INVALID -j DROP
$IPT -A IN -p tcp --syn -j FLOOD
$IPT -A IN -p tcp -j FLAGS
$IPT -A IN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A IN -s $IP -j LDROP

##accept ssh connections
$IPT -A IN -p tcp --dport 22 -m state --state NEW -j ACCEPT

##accept www connections
$IPT -A IN -p tcp --dport 80 -m state --state NEW -j ACCEPT

##accept game server traffic
$IPT -A IN -p udp --dport 5121 -m state --state NEW -j ACCEPT

##drop AUTH
$IPT -A IN -p tcp --dport 113 -j DROP  #just drop. dont bother logging

############################################
## output
############################################
$IPT -N OUT
$IPT -A OUT -p tcp -j FLAGS
$IPT -A OUT ! -s $IP -j LDROP
$IPT -A OUT -m state --state ESTABLISHED,RELATED -j ACCEPT

##allow all output not explicitly blocked
$IPT -A OUT -m state --state NEW -j ACCEPT        ##still active: while this line is in, the per-port rules below never match; comment it out to enforce them

$IPT -A OUT -m state --state NEW -p tcp --dport 22 -j ACCEPT    #ssh
$IPT -A OUT -m state --state NEW -p tcp --dport 25 -j ACCEPT    #smtp
$IPT -A OUT -m state --state NEW -p tcp --dport 53 -j ACCEPT    #dns
$IPT -A OUT -m state --state NEW -p tcp --dport 80 -j ACCEPT    #http
$IPT -A OUT -m state --state NEW -p tcp --dport 443 -j ACCEPT    #https
$IPT -A OUT -m state --state NEW -p tcp --dport 873 -j ACCEPT    #rsync

$IPT -A OUT -m state --state NEW -p udp --dport 53 -j ACCEPT    #dns


############################################
## ICMP Inbound
############################################
$IPT -N IN_ICMP

##allow pings
$IPT -A IN_ICMP -p icmp --icmp-type echo-request -d $IP -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type echo-reply -d $IP -j ACCEPT

$IPT -A IN_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type source-quench -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT


############################################
## ICMP Outbound
############################################
$IPT -N OUT_ICMP

##allow pings
$IPT -A OUT_ICMP -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type echo-request -j ACCEPT

$IPT -A OUT_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type source-quench -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT


############################################
## Connecting rules for built-in chains
############################################
##unlimited traffic on local interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

$IPT -A INPUT -j BADIP
$IPT -A INPUT -j SHUN
$IPT -A INPUT -j COUNT
$IPT -A INPUT ! -p icmp -j IN
$IPT -A INPUT -p icmp -j IN_ICMP
$IPT -A INPUT -j DROP

$IPT -A OUTPUT -j BADIP
$IPT -A OUTPUT -j SHUN
$IPT -A OUTPUT -j COUNT
$IPT -A OUTPUT ! -p icmp -j OUT
$IPT -A OUTPUT -p icmp -j OUT_ICMP
$IPT -A OUTPUT -j DROP

"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

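A script like the one above only pays off if someone reads what its LOG targets write. Here is an added example (not from the post or the book it came from) that summarises kernel log lines carrying the prefixes used above ("IPT Drop:", "IPT BADIP:", "IPT BADFLAGS:") per prefix, and flags sources that probed several distinct ports. The log lines are constructed for this example in the standard netfilter LOG layout.

```shell
#!/bin/sh
# Added example: summarise netfilter LOG lines written by the script above.
# SAMPLE_LOG is constructed for this example (documentation address ranges).
SAMPLE_LOG='Aug 14 08:11:07 box kernel: IPT Drop:  IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=4912 DPT=135 SYN
Aug 14 08:11:09 box kernel: IPT Drop:  IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=4913 DPT=445 SYN
Aug 14 08:11:12 box kernel: IPT Drop:  IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=4914 DPT=1433 SYN
Aug 14 08:12:01 box kernel: IPT BADIP:  IN=eth0 OUT= SRC=10.1.2.3 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=53 LEN=60
Aug 14 08:13:44 box kernel: IPT Drop:  IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=22 SYN
Aug 14 08:13:50 box kernel: IPT BADFLAGS:  IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=22 FIN PSH URG'

# ipt_log_summary: read LOG lines on stdin and print
#   "prefix NAME COUNT"      one line per log prefix, and
#   "scan SRC N ports"       for sources that hit 3 or more distinct ports
# (one source touching several closed ports in a short window is a scan,
# whereas repeated hits on one port are usually a retrying client).
ipt_log_summary() {
    awk '
    /kernel: IPT / {
        # prefix is the word after "IPT " up to the colon, e.g. Drop, BADIP
        p = $0; sub(/.*kernel: IPT /, "", p); sub(/:.*/, "", p)
        prefix[p]++
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # count each (source, port) pair once
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END {
        for (p in prefix) printf "prefix %s %d\n", p, prefix[p]
        for (s in ports) if (ports[s] >= 3) printf "scan %s %d ports\n", s, ports[s]
    }' | sort
}
```

Run it as `printf '%s\n' "$SAMPLE_LOG" | ipt_log_summary`, or feed it `grep 'IPT ' /var/log/messages` on the box.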

#11 2004-08-14 08:24:08

morphus
Member
From: Braunschweig
Registered: 2003-08-06
Posts: 145

Re: Do you use a firewall?

Since I don't want to do work twice, I use Arno's IPTABLES firewall [1] script on my router (Arch :) ), and nothing on my workstations. It is rather easy to set up and to change.

But I would recommend that you check the computer you have just sealed with a port scanner like nmap. 

[1] http://rocky.molphys.leidenuniv.nl/


#12 2004-08-14 22:39:12

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615

Re: Do you use a firewall?

Already done that several times..
and Nessus, and other things.. ;)


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#13 2004-09-05 16:29:37

oscar
Member
From: Linköping, Sweden
Registered: 2004-08-13
Posts: 457

Re: Do you use a firewall?

Fetch yourself a nice box, install OpenBSD on it and share the joy of pf!
iptables isn't stateful, and it takes an expert to configure it and all the parameters you need to even use it.
pf is stateful, and a great, working conf takes like 30 simple lines.


To err is human... to really foul up requires the root password.


#14 2004-09-05 18:37:56

Xentac
Forum Fellow
From: Victoria, BC
Registered: 2003-01-17
Posts: 1,797

Re: Do you use a firewall?

I'm pretty sure iptables is stateful... that's how you can say, "only allow packets in from active connections".

I wouldn't argue that it's difficult to configure though.


I have discovered that all of man's unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal


#15 2004-09-05 20:31:08

itlain
Member
Registered: 2004-08-22
Posts: 12

Re: Do you use a firewall?

I use IPCop; it works great and is pretty secure, plus it's really easy to configure and allow what I want to go in and out. It does the firewall via iptables and also has Squid for web caching, and SquidGuard takes care of ads. Plus it's easily administered since it's Linux-based, but it takes a dedicated box.


#16 2004-09-06 04:02:50

sarah31
Member
From: Middle of Canada
Registered: 2002-08-20
Posts: 2,975

Re: Do you use a firewall?

I use a firewall on my router box. I am not good with iptables, so when I have problems (like allowing ports 6881 - 6999 for bt) I am stuck.


AKA uknowme

I am not your friend

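For the port-range problem above, here is an added example (not from the post, and not Arno's script) of the two rules a NAT router box needs when the BitTorrent client sits on a LAN host behind it: a DNAT for the range in the nat table, plus a FORWARD accept so the redirected packets get past a default-deny forward chain. It assumes the router already masquerades the LAN, an uplink WAN_IF, and a LAN host address given on the command line; the range is validated before it reaches iptables, since a typo in a hand-typed range is the usual reason "it just doesn't work".

```shell
#!/bin/sh
# Added example: forward a TCP/UDP port range (e.g. 6881-6999) to one LAN host.
# Assumptions: WAN_IF is the uplink, the router already does NAT for the LAN.
# Set IPT="echo iptables" to print the rules instead of applying them.
IPT="${IPT:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"

# forward_range PROTO LO-HI LAN_HOST   (a single port "6881" is accepted too)
# Returns 1 without touching iptables if the range is malformed, reversed,
# or outside 1-65535.
forward_range() {
    proto=$1; range=$2; host=$3
    case "$range" in
        ""|*[!0-9-]*|-*|*-|*-*-*) echo "bad range: $range" >&2; return 1 ;;
    esac
    lo=${range%-*}; hi=${range#*-}
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "bad range: $range" >&2; return 1
    fi
    # Rewrite the destination of incoming packets in the range to the LAN host...
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$lo:$hi" -j DNAT --to-destination "$host"
    # ...and let those new connections through a default-deny FORWARD chain.
    $IPT -A FORWARD -i "$WAN_IF" -p "$proto" -d "$host" --dport "$lo:$hi" -m state --state NEW -j ACCEPT
}

# Example call (LAN host address is an assumption): uncomment on the router.
# forward_range tcp 6881-6999 192.168.1.10
```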
