How can I get a Firewall for Linux???
cheater87
April 27th, 2009, 01:19 AM
I finally got 9.04 installed and I forgot how I got the firewall I had in the last version. What is an easy to set up firewall for Ubuntu???
Eice
April 27th, 2009, 01:24 AM
Open the Terminal and type: sudo ufw enable
You're done.
cheater87
April 27th, 2009, 01:57 AM
Thanks. But now it seems like the internet is constantly trying to connect. :( Oh and the firewall icon is not appearing.
Eice
April 27th, 2009, 02:05 AM
There's no icon. All ufw configuration is done via command line.
IIRC the fwbuilder package adds a GUI frontend to ufw, but I've never found the need to use it, so I can't tell you much about it.
Mrkvonic
April 27th, 2009, 02:07 AM
The firewall is installed by default, it's a kernel module called iptables.
In Ubuntu, it's not running by default, as the default install has no services listening to the external world. You can activate it using command line or go for a frontend like gufw.
Mrk
zapjb
April 27th, 2009, 02:24 AM
-{ Quote: "The firewall is installed by default, it's a kernel module called iptables.
In Ubuntu, it's not running by default, as the default install has no services listening to the external world. You can activate it using command line or go for a frontend like gufw.
Mrk" }-
You're kidding right? So virtually all Ubuntu users are unsuspectingly going on to the web naked, without their firewall running?
Mrkvonic
April 27th, 2009, 02:29 AM
Kidding, no. Naked, why naked? You don't have services listening, so why do you need a firewall? And if you have services listening, for instance p2p apps, then the ports will have to be open even if you use a firewall, so it really does not make any difference.
Why do you need firewall if all your ports are closed?
Mrk
zapjb
April 27th, 2009, 02:33 AM
-{ Quote: "....Why do you need firewall if all your ports are closed?
Mrk" }-
Missed that part.
But I believe in PCLOS 2009.1, at least, the default is Shorewall installed and running.
Eice
April 27th, 2009, 02:38 AM
-{ Quote: "But I believe in PCLOS2009.1 at least. The default is ShoreWall installed & running." }-
The thing about firewalls is that Windows has scared many people into thinking that one is absolutely necessary. It's not. If you know how to manage ports and services properly (and Linux leaves them closed by default), a firewall is probably only as necessary as an antivirus.
Arup
April 27th, 2009, 03:36 AM
I for one wouldn't want a firewall running; I am behind a router and therefore don't need any redundant filtering.
tlu
April 27th, 2009, 06:34 AM
sudo ufw enable
sudo ufw default deny
https://wiki.ubuntu.com/UbuntuFirewall
https://wiki.ubuntu.com/UbuntuFirewallSpec
and
https://help.ubuntu.com/9.04/serverguide/C/firewall.html
The created rules can be viewed with
sudo iptables -L
FluxGFX
April 27th, 2009, 11:39 AM
Firewall... umm can't remember the last time I needed one in ubuntu...
But then again... if you're not running "ANYTHING" that would require you to, no need to worry ;)
Cheers.
lotuseclat79
April 27th, 2009, 12:58 PM
If you are not running some form of iptables rules, and you are not using a hardware router w/firewall (set up to drop unrequested packets), then no packets will be dropped - i.e. you are running naked on the Internet - not that it will make you a target for malware looking for vulnerable Windows systems. You will be vulnerable to Linux-oriented rootkits and other malware, e.g. malformed packets which follow up by dropping their payload and stealthing their presence on your system. Best to run the following iptables rules even if your router has good firewall protection, as a part of a multi-layered security strategy to protect your computer.
For ubuntu, I recommend the restricted Beginners' iptables scripts at:
HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition] (http://ubuntuforums.org/showthread.php?t=159661). Note: Read all of the pages of the thread.
Or, you can choose to download and install Firestarter and set it up to start on power-up.
-- Tom
FluxGFX
April 27th, 2009, 01:21 PM
Hey Tom,
You do make a good point. The guide looks good. Interesting pointers.
Cheers,
fluxgfx
wat0114
April 27th, 2009, 03:44 PM
-{ Quote: "
But I believe in PCLOS2009.1 at least. The default is ShoreWall installed & running." }-
I don't know if it's Shorewall; it's under Control Center. By default, "Everything (no firewall)" is enabled. I've modified the settings a bit, even though I'm sure it's not necessary because I'm behind a router, but I do it for fun. It's also set to warn if someone attempts to access services or intrude on the computer; the latter setting, I believe, is on by default.
lotuseclat79
April 27th, 2009, 05:32 PM
Hi wat0114,
Shorewall firewall is usually used for networks rather than personal computer firewalls given that it can handle zones.
You should check your router to see how well stealthed it is, by visiting nmap-online.com to conduct a few tests, i.e. your router (every power-on) will probably get a new IP address from DHCP if that is how you have it set up rather than with a static IP address.
When I had FiOS installed, I had to do a bit of work to stealth my router, but the doc was good and I soon found almost all of the loopholes. My router uses the real-time embedded Linux known as BusyBox with enhancements made by the ISP. BusyBox has had a lot of firmware updates since I got the service installed, but no updates so far from the ISP.
-- Tom
Alphalutra1
April 27th, 2009, 05:36 PM
If something malicious were to be installed, wouldn't a firewall be nice to prevent any incoming connections to be established?
Also, isn't firewall code more tested against network attacks than the kernel itself?
wat0114
April 27th, 2009, 06:05 PM
-{ Quote: "
You should check your router to see how well stealthed it is, by visiting nmap-online.com to conduct a few tests, i.e. your router (every power-on) will probably get a new IP address from DHCP if that is how you have it setup rather than with a static IP address.
" }-
Hi Tom,
My router comes up stealth on all but 113, which is closed. That's good enough for me :) My ISP tends to never change my router's WAN-side IP address; it has stayed the same for 8 months after our hook-up. I've also safely disabled a few of the daemons/services from starting up. Maybe a few more later when I take the time to look, as I'm still well immersed in "learning mode" with Linux.
cheater87
April 27th, 2009, 06:55 PM
Thanks, got the UFW firewall enabled. :) Went to Shields Up and got all green but failed on ping.
FluxGFX
April 27th, 2009, 08:04 PM
If one really wanted to... they could set up a firewall box running only iptables and configure it. Very easy to do and to implement changes if needed via the command line. I guess my old PII is doing the job :) all ports shown as filtered. One could potentially set up the UPnP service on the box to allow certain programs to request ports to be opened when needed, but that's up to you.
chronomatic
April 27th, 2009, 08:16 PM
-{ Quote: "You will be vulnerable to Linux oriented rootkits and other malware, e.g. malformed packets which follow up by dropping their payload and stealthing their presence on your system. " }-
How exactly would a malformed packet drop its payload on my Linux box? It would not have write access to any root directory in order to do so. At any rate, if you wanted to ensure that such malformed packets wouldn't have any chance at all, you can edit /etc/sysctl.conf and add:
net.ipv4.icmp_echo_ignore_broadcasts=1  # stops bogus icmp packets
net.ipv4.icmp_ignore_bogus_error_messages=1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 0  # stops forwarding
net.ipv4.conf.all.accept_source_route=0  # stops spoofed packets
Secondly, I am not aware of any Linux malware that is a threat in the wild. If you have examples, please elucidate.
-{ Quote: "Best to run the following iptables rules even if your router has good firewall protection as a part of a security strategy that is multi-layered to protect your computer." }-
It's redundant to run iptables locally when NAT'ed behind a dedicated firewall that blocks all incoming packets. All you are doing is wasting memory.
I do think it's a good idea to configure iptables to block all incoming packets IF you are not behind a hardware firewall. However, if someone is an advanced enough user to know how to harden a box (turn off all listening services, etc.) then I am not going to complain if they don't run a firewall at all, especially if the machine is a desktop box.
I am not trying to brush off security here. My Fedora box is essentially a fortress made of concrete and steel (SELinux is enabled, it's running behind an iptables hardware firewall, has all listening services turned off, has no suid binaries, and achieves a perfect "passed" rating on level 4 of sectool).
The most important thing an average desktop user can do is twofold:
1) Never run as root, especially while connected to the Internet
2) Always install all software from the distro repositories.
steve161
April 27th, 2009, 09:42 PM
-{ Quote: "I don't know if it's ShoreWall; it's under Control Center. By "default" "Everything (no firewall) is enabled." }-
So I thought, but a look in PCC shows no boxes checked. But neither do I see shorewall running in KDE system guard, KCC service manager, or PCC services.
wat0114
April 27th, 2009, 11:27 PM
-{ Quote: "So I thought, but a look in PCC shows no boxes checked." }-
Interesting that nothing is enabled in your setup, because I know that in two separate installs (different machines) "Everything (no firewall)" is enabled for me ???
steve161
April 28th, 2009, 12:14 AM
On my 2007 installs, the no firewall option was always checked off, and this was the first time I opened up the firewall settings in 2009. I am behind a router/firewall and just assumed it was checked off. Oh well, it is now. I think I will post this over at the PCLOS forum to see if anyone else experienced this.
Edit: Of course, the forum seems like it's down right now.
tlu
April 28th, 2009, 05:30 AM
-{ Quote: "
The most important thing an average desktop user can do is twofold:
1) Never run as root, especially while connected to the Internet
2) Always install all software from the distro repositories." }-
Well said. I fully agree with your post.:thumb:
lotuseclat79
April 28th, 2009, 06:34 AM
-{ Quote: "How exactly would a malformed packet drop its payload on my Linux box? It would not have write access to any root directory in order to do so. At any rate, if you wanted to ensure that such malformed packets wouldn't have any chance at all, you can edit /etc/sysctl.conf and add:
net.ipv4.icmp_echo_ignore_broadcasts=1  # stops bogus icmp packets
net.ipv4.icmp_ignore_bogus_error_messages=1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 0  # stops forwarding
net.ipv4.conf.all.accept_source_route=0  # stops spoofed packets
Secondly, I am not aware of any Linux malware that is a threat in the wild. If you have examples, please elucidate.
It's redundant to run iptables locally when NAT'ed behind a dedicated firewall that blocks all incoming packets. All you are doing is wasting memory.
I do think it's a good idea to configure iptables to block all incoming packets IF you are not behind a hardware firewall. However, if someone is an advanced enough user to know how to harden a box (turn off all listening services, etc.) then I am not going to complain if they don't run a firewall at all, especially if the machine is a desktop box.
I am not trying to brush off security here. My Fedora box is essentially a fortress made of concrete and steel (SELinux is enabled, it's running behind an iptables hardware firewall, has all listening services turned off, has no suid binaries, and achieves a perfect "passed" rating on level 4 of sectool).
The most important thing an average desktop user can do is twofold:
1) Never run as root, especially while connected to the Internet
2) Always install all software from the distro repositories." }-
Hi chronomatic,
Malformed packets are a way of breaking past a hardware firewall's protection. I assumed there are many variations. If one is careless enough to surf as root, then the system could very easily be stealthed against detecting the presence of a rootkit - perhaps of the "blue pill" variety - reference Invisible Things Lab.
Just because you are not aware of any Linux malware that is a threat in the wild does not mean there is none and that your system is safe from any.
A very competent former OS colleague of mine told of not keeping his Linux distro up-to-date on security patches. He got infected with the SuckIt rootkit. He also learned a good lesson for his oversight.
Redundancy has an honored place in engineering solutions to many problems in the real world. The idea of security is a multi-layered approach to protect the royal jewels from getting nicked. Depending on the value of the data being protected, the notion of wasting memory is not the central idea regarding security. Even if you are protected by hardware NAT that drops all packets, it is just as easy to drop malware from within a network via USB, or, for example, if you are confident about your wired access, but also run wireless that you haven't quite locked down, perhaps a neighbor could acquire the use of your computer through wireless channels and drop an egg on your system as a prank.
It does look like you are well protected, so don't relax just because you are! There are always weak links with computers that connect - browser vulnerabilities that have yet to be discovered by the white hats which the black hats are pushing into the wild - they want your money and your identity.
-- Tom
chronomatic
April 28th, 2009, 03:51 PM
-{ Quote: "Hi chronomatic,
Malformed packets are a way of breaking past a hardware firewall's protection. I assumed there are many variations. If one is careless enough to surf as root, then the system could very easily be stealthed against detecting the presence of a rootkit - perhaps of the "blue pill" variety - reference Invisible Things Lab." }-
Exactly. IF one is careless enough to surf as root!
-{ Quote: "Just because you are not aware of any Linux malware that is a threat in the wild does not mean there is none and that your system is safe from any." }-
Name one piece of Linux malware in the wild that is widespread. You can't listen to the AV companies like Symantec -- they constantly decry that Linux is entering a period of virus doom (and have been saying this for at least 10 years) but it has yet to happen. Why would Symantec do this, you ask? Well, as someone else once said, because naive Linux users have money too.
-{ Quote: "A very competent former OS colleague of mine told of not keeping his Linux distro up-to-date on security patches. He got infected with the SuckIt rootkit. He also learned a good lesson for his oversight." }-
A rootkit is not malware; it must be planted physically by an attacker who already has root access. If you have a rootkit on your system, you have been compromised through some other hole, thus the rootkit itself is the least of your problems.
-{ Quote: "Redundancy has an honored place in engineering solutions to many problems in the real world. The idea of security is a multi-layered approach to protect the royal jewels from getting nicked. Depending on the value of the data being protected, the notion of wasting memory is not the central idea regarding security. " }-
I still maintain that running a frontend for iptables on a machine that is already behind a dedicated hardware iptables firewall is superfluous. It isn't "layered," it is pointless.
-{ Quote: " Even if you are protected by hardware NAT that drops all packets, it is just as easy to drop malware from within a network via USB, or, for example," }-
This scenario doesn't apply to the vast majority of home users. In the enterprise, yes, physical security practices need to be taken to ensure that a malicious employee doesn't reboot the system, run a live CD, and drop a rootkit. But if a malicious person has physical access to the machine (along with a live CD to bypass the root restrictions) then it's game over anyway. But this malicious person must have a way of rebooting the system without anyone noticing. He cannot simply load a USB key into a running machine and drop malware on it. Why? Because he won't have root access to the machine.
-{ Quote: " if you are confident about your wired access, but also run wireless that you haven't quite locked down, perhaps a neighbor could acquire the use of your computer through wireless channels and drop an egg on your system as a prank." }-
Doubtful that will happen to me. I run WPA2 Personal with AES and a 63 character random password, as well as MAC filtering, static DHCP, and I only allow 1 wireless connection to my router. I also only allow rsa key access to my ssh daemon and that can only be done locally. Telnet is turned off as well.
-{ Quote: "It does look like you are well protected, so don't relax just because you are! There are always weak links with computers that connect - browser vulnerabilities that have yet to be discovered by the white hats which the black hats are pushing into the wild - they want your money and your identity.
-- Tom" }-
Browser vulnerabilities don't have nearly the same effect on a *nix box as they do on Windows (where a browser exploit can result in your machine being pwned even without user interaction). If a browser exploit is utilized in Linux, the most it can do is affect the /home directory. And if you have a MAC or RBAC module enabled, it won't even be able to do that.
lotuseclat79
April 28th, 2009, 05:28 PM
Hi chronomatic,
ClamAV and BitDefender have Linux-oriented signature-based scanners + maybe even some heuristic scanning - I haven't used them much, but there is Linux malware out in the wild - we just don't hear much about it because:
1) Windows gets most of the malware action - it's a Swiss cheese design for an OS
2) Any Linux malware requires a lot more expertise, and to reveal a problem at a company it may be too embarrassing, so we tend to hear of it after the fact
The term malware is a general term that applies to a lot of bad intentioned software and it most certainly does apply to rootkits - like the misuse of the Sony rootkit to enforce DRM on CD recordings. The techniques are intended as malware.
If you are infected with a rootkit - it is NOT the LEAST of your problems, but quite the opposite!!!
I did explain that infections can occur from within a network via so-called trusted agents who use USB flash drives without being aware of compromised files on them - so, layering is the POINT - to protect your data at all costs from compromise - and doing the right thing by backups, etc. Whatever it takes to protect your system.
You don't know with 100% certainty whether a malicious person does or does not have the means to acquire root access - asserting that they categorically don't is naive!
No matter how good you think your security may be - there is never a last exploit because they are always just around the corner! The push-pull of black-hat vs white-hat has no end-game in sight.
-- Tom
lotuseclat79
April 29th, 2009, 09:48 AM
Looks like the 2 Adobe Acrobat Reader 0-day exploits in the wild are Linux related:
Ref: Two Adobe 0-day vulnerabilities (http://isc.sans.org/).
-{ Quote: "
Since the exploits for these vulnerabilities on Linux platform are posted to the Internet, we can just guess that someone will somehow make it work on Windows and use it to spread botnet agents shortly." }-
-- Tom
FluxGFX
April 29th, 2009, 09:53 AM
Nice. But I don't think in a practical sense any of us are using Adobe Reader for LINUX... we are more than likely using one of the options available from the repo.
Copyright ©2002 - 2012, Wilders Security Forums