I too found iptables too complicated to use, but then I ran across this Debian Lenny review: http://technichristian.net/?p=842 which has a very simple way of configuring iptables, at least for me, who only has a notebook. I use it in my Lenny installation, but it should be usable for ArchLinux as well. It took me 3 minutes to configure it, and I don't know anything about iptables.
Maybe it can be of help to someone.
I really don't see the point of using a firewall, at least on my personal desktop machine. Most of my ports are closed, I spend most time behind a NAT, and most importantly, I've never heard of anyone getting hacked on Arch Linux. If I start hearing reports of successful remote exploits, I might reconsider my position, but for now, I think a firewall is basically useless.
Autojump, the fastest way to navigate your filesystem from the command line!
... I've never heard of anyone getting hacked on arch linux. ...
Just the overlord.
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...
I have a *managed* firewall / intrusion detection system at home and still run iptables on all my servers / desktops. If one of my servers is compromised, I want to limit the damage they can do to my desktop, for example.
shrug,
you need to set up a DMZ for servers; by definition servers are exposed to the hostile environment.
you should also use jail to minimize the damage
firewall and auditing are fine but not all tools that you should consider when protecting servers.
... I've never heard of anyone getting hacked on arch linux. ...
you need to search forums few years back.
There is no such thing as a 100% secure OS. Still, there are options more secure than Linux (by default installation). However, all is in the hands of the administrator. The number of compromised systems is on par with the % of systems running on the net. There are more Windows desktops (including compromised) and more Unix servers (including compromised and including Linux).
The philosophy of not using a firewall at all comes from the good old times when most users were happily running bot Windows.
The whole point of security is to minimize the damage not to completely prevent it.
One can drive without safety belts or with safety belts. Still, even with safety belts people are dying in accidents. So it is all up to you how much you are willing to increase the chance of surviving the accident.
Or one can assume that eventually everybody dies.
you need to set up a DMZ for servers; by definition servers are exposed to the hostile environment.
you should also use jail to minimize the damage
I have 1 of my servers in a DMZ, but my File Server lives on the LAN at the moment. I used to have it on the LAN because my managed firewall didn't have gigabit NICs, so putting it in the DMZ would have reduced me to 100mbps (which SUCKS. I hate 100mbps networks). The firewall has gigabit NICs now so I really should move it over to the DMZ. In fact, I think I'll do that tomorrow night.
Last edited by fukawi2 (2009-02-24 21:38:57)
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
So, as someone who's not so competent... is it ok to run a default Arch/Linux installation without a firewall? I do have some documents around that I like to be for my eyes only; not that it's a matter of national security, but I'd like to know that they are quite safe.
I have no external services running; ftp and ssh only allow local IPs to connect. However, I still use iptables, since I believe in taking maximum precaution.
Yeah, software firewalls don't seem to be popular. I've asked a firewall related question at http://bbs.archlinux.org/viewtopic.php?id=65790 and nobody answered. Still hoping though. ;-) *cheekilyabusingthisthread*
Before Linux, I didn't spend a minute on XP without ZoneAlarm Pro, and I haven't spent a minute on Linux without an iptables ruleset running.
Do you use any GUI frontend to iptables? Is firestarter still the most popular / best one?
Last edited by blackhole (2009-03-03 23:20:01)
Coming closer and closer to the ultimate goal: replacing boring old Windows XP desktop with shiny new Arch KDE 4 desktop. ^^
Already registered? Your vote counts!
I see no reason to run iptables on my desktop boxes. I see no reason to run it on some servers either. As long as you know what's running, you need no firewall on linux.
The only firewall I use is OpenBSD's pf. Not because I need a firewall, but because I need something that can do NAT and routing for me.
BTW: Ever compared /etc/pf.conf on an OpenBSD box with the 20 lines of iptables commands you need for a common firewall? Guess which is more readable.
Am I the only one who doesn't think iptables is that complicated once you learn it?
iptables takes a lot more learning than pf, ipf, or ipfw. Those three are also fairly similar, but coming from any of them makes iptables look martian.
I've been meaning to learn iptables properly for my server's use, not got round to it though.
It's not likely to be much of an issue for me at home with the router firewall working as it should!
I learnt iptables once.... and now have a script to set the rules, which never change, so now I don't really know how to use iptables anymore.
flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)
I did start using m0n0wall back in my Windows days, and still do. In the past I've used Intel NICs and hardware of about Intel PII to PIII performance (overkill for sure if you ain't got really heavy load, which you seldom have at home), but some time ago I bought an ALIX motherboard with three 100MBit ports and continue to run m0n0wall.
In other words, iptables feels like overkill at the moment. I have several services running on one of my computers to access it and/or media from the Internet as well, but besides strict access control, weird custom ports and m0n0wall I doubt I'm in need of anything more. I could be wrong, am I?
I use iptables, but I don't write the rules directly. I use a script called firehol. This is an easy to read/configure config file that the script parses to write all the iptables rules.
Hmmm, firehol... Looks similar to the firewall parser language we use for iptables at my work. I'll have to look further into that, thanks for the heads up sriehl.
Am I the only one who doesn't think iptables is that complicated once you learn it?
Nope.
But then again I've done ACLs on Cisco boxes at college for fun (and will at home when I finish modding my server rack, need to mount those 2800s).
First thing I do when I set up an Arch box is put a couple of iptables rules on there. Default DROP policy on input and forward, and only allow lo and established,related traffic. I never install while connected to a network, and don't connect until after I do the above in iptables.
Last edited by Sjoden (2009-03-10 22:48:04)
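A script of the kind Sjoden describes (default DROP on INPUT and FORWARD, only loopback and established/related traffic accepted), written here as an added example rather than the poster's own script; the DRY_RUN switch and the `allow_tcp_port` helper are my additions, and the `conntrack` match is assumed to be available in the kernel.

```shell
#!/bin/sh
# Hypothetical default-deny iptables script (added example, not from the post).
# By default it only prints the commands; run as root with DRY_RUN=0 to apply.
IPTABLES="${IPTABLES:-iptables}"
: "${DRY_RUN:=1}"

# run_cmd: print the command in dry-run mode, otherwise execute it
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# base_ruleset: flush INPUT/FORWARD, default DROP on both, keep OUTPUT open,
# accept loopback and packets belonging to connections this host initiated
base_ruleset() {
    run_cmd "$IPTABLES" -F INPUT
    run_cmd "$IPTABLES" -F FORWARD
    run_cmd "$IPTABLES" -P INPUT DROP
    run_cmd "$IPTABLES" -P FORWARD DROP
    run_cmd "$IPTABLES" -P OUTPUT ACCEPT
    run_cmd "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run_cmd "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run_cmd "$IPTABLES" -A INPUT -m conntrack --ctstate INVALID -j DROP
}

# allow_tcp_port PORT: open one listening TCP service (e.g. 22 for sshd);
# anything that is not a valid port number is rejected so a typo cannot
# silently produce a malformed rule
allow_tcp_port() {
    case "$1" in
        ''|*[!0-9]*) echo "allow_tcp_port: bad port '$1'" >&2; return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || { echo "allow_tcp_port: out of range '$1'" >&2; return 1; }
    run_cmd "$IPTABLES" -A INPUT -p tcp --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
}

# Preview for a box that runs nothing but sshd
base_ruleset
allow_tcp_port 22
```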
I did start using m0n0wall back in my Windows days, and still do. In the past I've used Intel NICs and hardware of about Intel PII to PIII performance (overkill for sure if you ain't got really heavy load, which you seldom have at home), but some time ago I bought an ALIX motherboard with three 100MBit ports and continue to run m0n0wall.
Same here; I have an ALIX board with m0n0wall set up, so I feel no need to set up a "desktop firewall" as well.
OK, well to maybe conclude this topic, what I'm reading is that most people are happy with generally trusting all the other hosts on their own internal network, and just keep one firewall between the whole network and the internet.
I must just be more paranoid than everyone else -- maybe I should have picked up on that when I completely isolated my sole remaining Windows box to a completely separate network segment.
OK, well to maybe conclude this topic, what I'm reading is that most people are happy with generally trusting all the other hosts on their own internal network, and just keep one firewall between the whole network and the internet.
I must just be more paranoid than everyone else -- maybe I should have picked up on that when I completely isolated my sole remaining Windows box to a completely separate network segment
If it does make you feel better, you are not alone.
I'm amazed at some of the comments in this thread! It is a well-known fact that most attacks on users occur from within their own network, but it seems that most people feel very comfortable not running a FW because they use Linux. What kind of warranty is that?!
While Linux is more secure than Windows, any network security expert will tell you that nothing is immune in a LAN/WAN ... all depends on the determination of the attacker.
Aside from that, most attacks are based on exploitable bugs in packages, and leaving your machine wide open is just an invitation to "evil doers". While it is true that if you are not running services you are more protected, there is no disputing the fact that if you have a firewall (especially if you run it in "paranoid mode") you cannot be "seen", therefore, cannot be attacked.
I'm all for using firewalls, especially if your system goes to the web... and so far (touching wood) I have never been compromised.
R.
I'm also using Iptables on all of my machines (one desktop and two laptops).
While I do have a hardware firewall at home (though not a very good one), I share both fukawi2 and ralvez opinion: too much security is never a bad thing.
Also, while I may not need Iptables at home, I'm sure having a firewall on my laptops when I take one of them to the university or some random wifi hotspot is a lot safer than having no firewall at all. Especially so if I run some service (like sshd) on my laptop.
But still, 48% is not that bad. Considering that almost all of the people that I know won't even bother with a firewall at all.
PS. Also, I never understood when people complain that iptables is hard to use. I mean, we already have a very nice wiki article on how to set up a firewall using iptables.
Last edited by zodmaner (2009-03-12 23:13:51)
Hmm, that is odd; Windows has a firewall enabled by default nowadays. It just seems silly not to have one for Linux. It is easier to make a Linux machine vulnerable than a Windows one.
Iptables is fairly simple. For a home computer it's absolutely basic!
Last edited by fumbles (2009-03-13 01:42:59)
You're forgetting a couple things.
iptables is indeed simple and basic, but I fail to see where that's a problem. Remember, a firewall's purpose is to block stuff - that's all. iptables is a way to do that. It might not be the most elegant tool for doing complex filtering, but that's where you would install something else, which might use iptables as the backend. And this is Arch - I'm sure many Linux distros do install a high-level firewall, but Arch's goal is to be simple and minimal out of the box. This isn't even really a problem with Arch - as others mentioned before, Arch comes by default with all ports closed. So unless you open some yourself, nothing to worry about.
Keep in mind that by default, Arch has no ports listening, AND has hosts.deny set to block all incoming connections. It would be overkill to use iptables for users who don't run servers.
[git] | [AURpkgs] | [arch-games]
Those people who've been speaking in favour of iptables so far, are you guys all configuring iptables manually or are you using any frontends? I'm still trying to find a nice and easy frontend. At the moment I think I will give FireHOL a try. What do you think about FireHOL? Any experiences with it out there?
Last edited by blackhole (2009-03-13 06:40:10)