
#1 2011-03-23 15:10:40

schneida
Member
Registered: 2009-02-19
Posts: 76

Firewall needed?

Hello!

I'm wondering if one should install some kind of firewall on an Arch machine running as a server? From what I've seen this topic is discussed quite controversially. Some say it's a must have while others argue, that Linux should be safe, as long as you don't install any services that shouldn't be opened to the outside world.

I'm currently running a server without any firewall, having SSHD, Apache, Bind, VSFTPD running. SSH is protected by Fail2Ban and I'm planning to activate Fail2Ban also for FTP. SSH has root access disabled and I consider my 25 char password as reasonably safe too. That should protect me from most BruteForce attacks.

I do have Webmin installed too, but it only listens to 127.0.0.1:10000 which I connect to through a ssh tunnel.

The reason why I didn't install a firewall yet, is because there is nothing to be done by a packet filter like iptable. Traffic to said services should be allowed for any IPs anyway and as long as no program opens a port to the outside world (which won't happen as long as I don't install any new services) there shouldn't be a problem. The only thing the firewall could do is drop any traffic except those ports, which is done anyway, because all other ports aren't opened.

So what do you mean, is my setup reasonably safe or what could a firewall do for me?


#2 2011-03-23 15:58:58

SanskritFritz
Member
From: Budapest, Hungary
Registered: 2009-01-08
Posts: 1,924

Re: Firewall needed?

Fail2Ban sets iptables rules, so if you don't have iptables, it won't do any protection IMHO. If you don't want to use iptables go with denyhosts, which adjusts the hosts.deny file.


zʇıɹɟʇıɹʞsuɐs AUR || Cycling in Budapest with a helmet camera || Revised log levels proposal: "FYI" "WTF" and "OMG" (John Barnette)


#3 2011-03-24 18:05:11

zenlord
Member
From: Belgium
Registered: 2006-05-24
Posts: 1,221

Re: Firewall needed?

I could be wrong, but if a daemon on your system has a bug that is exploitable (f.e. a bug that makes it listen on a port), then you are vulnerable without knowing it until the bug is found, squashed and you updated your system.

If you have a firewall between the vicious internet and your server, I guess you're safe from those issues. A bug in a program will not cause it to AND listen on a port AND open up that port to the outside world (unless of course it is malware and that bug is not a bug, but a feature...)

This might be reaching to prove a point, but I don't think it would hurt to install and *properly* configure a firewall. Better safe than sorry.


#4 2011-03-24 22:02:05

dmg
Member
From: croatia
Registered: 2011-02-24
Posts: 20

Re: Firewall needed?

Why not set up iptables (you don't need a frontend) and maybe put sshguard on ssh access. You have a really nice wiki on

https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall

You will set it in 2 minutes and also learn something.


use the source!


#5 2011-03-25 18:36:51

schneida
Member
Registered: 2009-02-19
Posts: 76

Re: Firewall needed?

Thanks for your replies! I've found some other info about firewalls on the net too, but what made me really set up one is a comment from one user who says that by installing a firewall you are going from an "everything is allowed except what is explicitly forbidden" to an "everything is forbidden except what is explicitly allowed" principle. The latter is certainly the better!

I looked at the link dmg provided. It looked a little bit too complex for my needs (especially because you'll lose ssh connectivity while setting it up, which would make it impossible for me to continue with the setup), but I've found some very good information here: https://help.ubuntu.com/community/IptablesHowTo. I extended that setup a little bit and adapted it to my needs. Basically, everything gets dropped now, except those few ports that I explicitly open.

I also tried ufw, but that seems to be really broken in virtual environments, as it makes everything EXTREMELY slow and shows a lot of error messages.

Thanks for all your comments!!


#6 2011-03-27 01:24:50

a_neutrino
Member
From: Montreal, Canada
Registered: 2010-03-14
Posts: 50

Re: Firewall needed?

You can do "everything is forbidden except what isn't explicitly allowed" with host access files. From man hosts_access:

MOSTLY CLOSED
       In this case, access is denied by default. Only explicitly authorized hosts are permitted access.

       The default policy (no access) is implemented with a trivial deny file:

       /etc/hosts.deny:
          ALL: ALL

       This denies all service to all hosts, unless they are permitted access by entries in the allow file.
[...]

This is the default in Arch.


#7 2011-03-27 07:15:34

schneida
Member
Registered: 2009-02-19
Posts: 76

Re: Firewall needed?

Hm, interesting. I don't think that this works on my machine. I do have the default ALL: ALL in hosts.deny and I have SSHD: ALL in hosts.allow. Still I can access FTP, HTTP, DNS,... from outside without any issues.


#8 2011-03-27 21:02:28

thestinger
Package Maintainer (PM)
From: Toronto, Canada
Registered: 2010-01-23
Posts: 478

Re: Firewall needed?

hosts.deny is part of libwrap (tcp_wrappers package) and only works for stuff compiled against it (ssh, mpd, syslog-ng, pulseaudio, etc., in Arch).

You're much better off using netfilter (iptables), libwrap is basically obsolete.

https://secure.wikimedia.org/wikipedia/en/wiki/Libwrap

The Simple Stateful Firewall article might look a bit intimidating at first glance, but that's because it explains what each of the rules does in detail. You'll just end up with something like this:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NEW - [0:0]
:TCP - [0:0]
:UDP - [0:0]
:ICMP - [0:0]

# loopback first, then let conntrack decide: invalid dropped, replies accepted, new connections classified
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -j NEW

# new connections are dispatched by protocol; the protocol chains return here when nothing matches
-A NEW -p udp -j UDP
-A NEW -p tcp -j TCP
-A NEW -p icmp -j ICMP
-A NEW -j REJECT --reject-with icmp-proto-unreachable

# only the listed ports are opened; everything else gets the answer a closed port would give
-A TCP -p tcp --syn -m multiport --dports 1720,7777 -j ACCEPT
-A TCP -p tcp -j REJECT --reject-with tcp-reset

-A UDP -p udp --dport 1720 -j ACCEPT
-A UDP -p udp -j REJECT --reject-with icmp-port-unreachable

-A ICMP -p icmp --icmp-type 8 -s 192.168.2.0/24 -j ACCEPT
-A ICMP -j DROP

COMMIT

Anyway, a firewall gives you essentially no extra security. Dropping invalid packets might protect against a kernel exploit, but there could always be a vulnerability in netfilter itself. All a firewall does is add the extra step of opening a port in the firewall to make a service available to the world, which at most is going to protect you against a vulnerable program that you don't realize is listening for connections, like X11.

You could actually improve your security by switching to SSH keys, running ssh on a random port, making sure all your services like bind and apache run as unprivileged users, using DNSSEC, etc. You can turn on source verification and disable stuff like forwarding and insecure redirects with sysctl (https://wiki.archlinux.org/index.php/Sy … _hardening), no firewall needed.

Last edited by thestinger (2011-03-27 21:18:56)
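As an added example for this thread (not the wiki's script and not something the posters wrote), the same default-deny layout generated for the services schneida listed in #1; it assumes sshd on 22/tcp, Apache on 80/tcp, Bind on 53/tcp+udp and vsftpd on 21/tcp, plain (non-passive) FTP, and that ping may be answered from anywhere.

```shell
# gen_rules TCP_PORTS UDP_PORTS  (comma-separated, iptables multiport syntax)
# Prints an iptables-restore ruleset on stdout. Assumptions made for this
# example: plain FTP on 21/tcp only (passive-mode FTP would also need the
# nf_conntrack_ftp helper) and ping allowed from anywhere.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
# loopback stays open, so Webmin on 127.0.0.1:10000 is still reachable through the ssh tunnel
-A INPUT -i lo -j ACCEPT
# packets conntrack cannot classify are dropped, replies to our own traffic are accepted
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# new connections are decided per protocol in the TCP/UDP chains, which return here on no match
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# whatever was not accepted is rejected the way a closed port would answer
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m multiport --dports $1 -j ACCEPT
-A UDP -p udp -m multiport --dports $2 -j ACCEPT
COMMIT
EOF
}

# explicit_port_rules TCP_PORTS UDP_PORTS - number of rules that open ports to
# the outside; for this layout it must be exactly 2, so a stray ACCEPT cannot
# sneak in unnoticed when the ruleset is edited later.
explicit_port_rules() {
    gen_rules "$1" "$2" | grep -c -- '--dports'
}

# Usage on the server (Arch keeps its rules in /etc/iptables/iptables.rules):
#   gen_rules 22,80,53,21 53 > /etc/iptables/iptables.rules
#   iptables-restore --test < /etc/iptables/iptables.rules   # parse only, nothing is loaded
```

Load it from a console session (or with a scheduled `iptables-flush` fallback), since a typo in the TCP port list is exactly the lost-ssh situation schneida mentioned in #5.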


#9 2011-03-28 01:36:30

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Firewall needed?

schneida wrote:

what could a firewall do for me?

It can ban all the hacking attempts that you'll inevitably get from China and Russia, so your server logfiles don't get full of it.

And it's an additional level of security. Linux software contains security bugs, including the kernel (example), so it's sensible to add multiple layers.
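To make SanskritFritz's point in #2 concrete, here is the core of what Fail2Ban does for sshd, as an added example written for this thread (not Fail2Ban's own code): failed logins are counted per source address and the offenders become firewall rules, so without iptables there is nothing for the ban to act on. The log lines are constructed sample data using documentation addresses, and the chain name f2b-sshd is an assumption.

```shell
# Constructed sample sshd log lines (203.0.113.5 fails three times, 198.51.100.7 once, then succeeds)
SAMPLE_LOG='Mar 28 01:10:01 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 28 01:10:03 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar 28 01:10:05 srv sshd[1236]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 28 01:11:00 srv sshd[1240]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 28 01:12:00 srv sshd[1241]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2'

# offenders THRESHOLD - reads sshd log lines on stdin and prints one address
# per line for every source with at least THRESHOLD failed password attempts.
offenders() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip }' | sort
}

# ban_rules CHAIN - reads addresses on stdin and prints the iptables commands
# that would reject them, in a dedicated chain jumped to from INPUT for the
# ssh port (the shape of Fail2Ban's default action). Printed, not executed.
ban_rules() {
    chain=$1
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -I INPUT -p tcp --dport 22 -j %s\n' "$chain"
    while read -r ip; do
        printf 'iptables -A %s -s %s -j REJECT --reject-with icmp-port-unreachable\n' "$chain" "$ip"
    done
}

# ban_plan THRESHOLD - the whole pipeline over the sample log, returned as text
ban_plan() {
    printf '%s\n' "$SAMPLE_LOG" | offenders "$1" | ban_rules f2b-sshd
}
```

Run `ban_plan 3` to see the three commands for the single offender; a threshold of 1 would also catch alice's one typo, which is why Fail2Ban pairs the count with a time window.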


#10 2011-03-28 10:30:39

dmg
Member
From: croatia
Registered: 2011-02-24
Posts: 20

Re: Firewall needed?

Also check these (no root at console, lock user after three failed attempts, password hashes):

https://wiki.archlinux.org/index.php/Category:Security_%28English%29
https://wiki.archlinux.org/index.php/Hardening_Guides

or even Bastille:

https://help.ubuntu.com/community/BastilleLinux

but you don't need all this stuff anyway, you will just end up breaking something in the process. I guess you are running this behind a router with a built-in firewall. That should be enough with some minor tweaks.


use the source!

