#1
For years I ran Linux boxen with zero firewall but didn't have ssh enabled.
If I had anything like vnc enabled it was enabled only for my private virtual network. I have never once seen someone access my boxes so what's your opinion? Firewall or no firewall?
__________________
Setup For My Lenovo Ideapad Z575 12992KU
OS: Opensuse 12.3(KDE) Spideroak | Nvpy | syncBackup(Rsync) | AirVPN | Glippy | Clementine | Thunderbird | Chromium w/ Vimium | Autokey | LFTP
#2
If you are behind a NAT router, you don't need one; if not, you definitely need to enable IP chains, either by CLI or via a GUI like GUFW etc.
__________________
Ubuntu, Chakra with Opera and Chromium. Perpetually learning Linux novice, rank amateur.
#3
Depends what you're doing. If your machine is a world-open server of some kind, some sort of access control should be in use. If not, you probably don't have any services listening to external interfaces, so you might not need one.
Mrk
__________________
http://www.dedoimedo.com All your base are belong to us Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
#4
The only outside connections I ever get are through Dropbox and Transmission (torrent client).
I may have to attempt to set up a firewall that allows my torrents to work properly and allows me to feel somewhat safe.
__________________
Setup For My Lenovo Ideapad Z575 12992KU
OS: Opensuse 12.3(KDE) Spideroak | Nvpy | syncBackup(Rsync) | AirVPN | Glippy | Clementine | Thunderbird | Chromium w/ Vimium | Autokey | LFTP
#5
Correct me if I'm wrong, but iptables is there anyway. So firewall rules are ON even if the user does not notice. So there is a firewall, and it is installed by default.
On servers iptables is there and it's a great tool. Usually there is an addition of an intrusion detection system like Snort and often some other software that makes the management of the iptables rules easier. For almost all the desktop distributions I believe the default installation includes iptables.
#6
Some distros ship with iptables enabled, others with it disabled. The only questions are whether the module is turned on/off and what kind of rules are configured by default.
Mrk
__________________
http://www.dedoimedo.com All your base are belong to us Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
#7
Sincerely, most of the distros I have used have iptables installed and on with basic rules.
#8
The basic rule is default deny, but that says nothing about services that need to listen, e.g. ssh, samba, etc., in which case the use of a firewall becomes relevant.
Mrk
__________________
http://www.dedoimedo.com All your base are belong to us Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
#9
Correction: iptables and netfilter ship with the Linux kernel, but unless you initialize a set of iptables rules after bootup (hopefully before you turn on your router), then, in effect, it is as if there is no firewall between the router and your computer, although there may be a firewall implemented by the router between it and the Internet. -- Tom
#10
Ok, although most of those "risky" services are off or they don't "face" the outside world for the default desktop installations, I just wanted to point out with my posts that a firewall exists and it's there. So the initial question of this thread gets a reply: you don't have to install a firewall specially on desktop distros because there is one already there. They just have to use it. There are GUIs that make this easier, but the firewall is there and it's powerful.
#11
Hi, I appreciate this. I believe most of the distros initiate iptables with some basic rules, so I think this is not the case. But please provide any more info you have or examples. I'll be glad to learn more and get informed. Thanks.
#12
Many distros ship with iptables installed but not enabled by default. On laptops or anything else not behind a NAT router, I'd enable it.
#13
Quote:
Chain INPUT (policy DROP)
target                    prot opt source               destination
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-input          all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-input           all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-input   all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-input          all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-input           all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target                      prot opt source               destination
ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-forward          all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-forward           all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-forward   all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-forward          all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target                     prot opt source               destination
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-output          all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-output           all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-output   all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-output          all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-output           all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
target                     prot opt source               destination
etc.etc..........

And for settings you made, e.g. sudo ufw status:

Status: active

To                         Action      From
--                         ------      ----
135,139,445/tcp            DENY        Anywhere
137,138/udp                DENY        Anywhere
22                         DENY        Anywhere
#14
Thanks Ocky. I agree with your post, although I have to admit that I don't understand the "engaged" thing. If the iptables module is loaded then I think iptables works.
lsmod | grep ip_tables and then iptables -L should be the proof. Am I wrong?
#15
They are enabled by default, but all traffic is allowed. However there aren't any listening services running by default that could accept remote connections, so all ports are effectively closed, even with iptables allowing all traffic.
That's the way I see it.
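Posts #9, #14 and #15 draw the line between "the ip_tables module is loaded" and "something is actually being filtered". The script below is an added example, not code from this thread: it reads iptables -S output (one rule per line) and classifies the INPUT chain. The three rule listings inside it are constructed samples, not captured from any poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread): tell "iptables is loaded" apart from
# "iptables is filtering". Reads "iptables -S" output from stdin and reports
# the INPUT posture:
#   filtering - INPUT policy is DROP/REJECT, or an INPUT rule drops/rejects
#   open      - policy ACCEPT with no dropping rule: everything passes
# Caveat: a drop that lives only inside a user-defined chain reached by a
# jump is not followed; ufw's DROP policy on INPUT is what gets caught.
input_posture() {
  awk '
    $1 == "-P" && $2 == "INPUT" && ($3 == "DROP" || $3 == "REJECT") { restrictive = 1 }
    $1 == "-A" && $2 == "INPUT" && /-j (DROP|REJECT)/               { restrictive = 1 }
    END { print (restrictive ? "filtering" : "open") }
  '
}

# Convenience wrapper: classify a rule listing held in a string.
posture_of() { printf '%s\n' "$1" | input_posture; }

# Constructed sample 1: module loaded, nothing configured (post #15's case).
SAMPLE_OPEN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample 2: ufw enabled; default-deny policy, rules in ufw-* chains.
SAMPLE_UFW='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-input
-A INPUT -j ufw-before-input'

# Constructed sample 3: ACCEPT policy, but a hand-written set ending in a
# catch-all REJECT, so it still filters.
SAMPLE_MANUAL='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

echo "sample 1 (no rules):      $(posture_of "$SAMPLE_OPEN")"
echo "sample 2 (ufw):           $(posture_of "$SAMPLE_UFW")"
echo "sample 3 (manual set):    $(posture_of "$SAMPLE_MANUAL")"

# Live check on this host; reading the rule set needs root.
if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
  echo "INPUT posture on this host: $(iptables -S 2>/dev/null | input_posture)"
fi
```

Run it as root to see the live line; the samples print "open", "filtering", "filtering". The point of sample 1 is exactly post #15's: lsmod showing ip_tables and iptables -L printing three empty ACCEPT chains is a loaded module with nothing behind it.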
#16
Ok, I agree. You've described the situation (which most users will face with a default installation of most distros) perfectly.
#17
I am still in the process of setting up samba to enable file sharing on my LAN between the linux box and my windows pc. If I enable ufw, I cannot access my ubuntu folder. What do I have to do to allow my LAN to go through? I am behind a router for internet access - so what exactly is the risk when the firewall is not enabled?
#18
Did you allow Samba?
sudo ufw allow Samba
(Or with Gufw in the repos.) https://help.ubuntu.com/community/SettingUpSamba
__________________
Last edited by Ocky : May 15th, 2010 at 03:12 AM.
#19
From control center you can install gufw and you get the GUI mode for the firewall.
For samba: -http://www.youtube.com/watch?v=89hjWOb8qmY- -http://www.youtube.com/watch?v=F9aLvoH4-BQ-
Last edited by JRViejo : May 15th, 2010 at 01:28 PM. Reason: De-linked YouTube URLs - JRViejo
#20
I have now successfully installed samba and can see my linux folder in windows and vice versa. UFW is enabled, but incoming and outgoing are allowed. Under Rules it says: 4662 tcp allow in and 4672 udp allow in.
Is this how it should be, or do I need any other rules? The whole LAN is behind a router.
#21
Install gufw, which makes it easier; deny all except the port you wish to use for torrent or inbound, and allow all outbound.
__________________
Ubuntu, Chakra with Opera and Chromium. Perpetually learning Linux novice, rank amateur.
#22
Sorry, should have been clearer.
I have already installed the GUI and the current setting mentioned is copied straight from the GUI. I am not using torrents, so currently tcp and udp are open on two ports. I am afraid in windows I never went so far as to specify port rules.
#23
Try denying all ports.
__________________
Ubuntu, Chakra with Opera and Chromium. Perpetually learning Linux novice, rank amateur.
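Posts #20 to #23 turn on one question: which of the current ufw rules let anything in from the whole Internet, and what a deny-by-default set that still lets the LAN reach Samba looks like. The script below is an added example, not code from this thread or from the ufw project. It audits a ufw status listing (a constructed sample modelled on post #20's two open ports) and prints a tightened rule set; the LAN prefix 192.168.1.0/24 is a constructed value, and the "Samba" application profile is the one Ubuntu's samba package installs for ufw.

```shell
#!/bin/sh
# Added example (not from the thread): audit "ufw status" output for inbound
# allows open to Anywhere, then print a rule set that keeps LAN-only
# services limited to the LAN. 192.168.1.0/24 is a constructed value.

# Print the "To" column of every ALLOW rule whose From is Anywhere.
# Handles both the "ALLOW IN" layout and the older plain "ALLOW" one
# (post #13's listing uses the latter).
open_to_anywhere() {
  awk '$2 == "ALLOW" && ($3 == "Anywhere" || ($3 == "IN" && $4 == "Anywhere")) { print $1 }'
}

# Emit the ufw commands for a deny-by-default desktop that shares files on
# the LAN. Extra ports are given as port/proto and are LAN-limited too, so
# the earlier "4662 tcp allow in from Anywhere" shape never reappears.
plan_ufw_rules() {
  lan="$1"; shift
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  # The Samba profile covers 137,138/udp and 139,445/tcp in one rule.
  echo "ufw allow from $lan to any app Samba"
  for spec in "$@"; do
    echo "ufw allow from $lan to any port ${spec%/*} proto ${spec#*/}"
  done
  echo "ufw enable"
}

# Constructed sample: two ports open to Anywhere (as in post #20), Samba
# already LAN-limited, ssh denied.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
4662/tcp                   ALLOW IN    Anywhere
4672/udp                   ALLOW IN    Anywhere
Samba                      ALLOW IN    192.168.1.0/24
22/tcp                     DENY IN     Anywhere'

echo "Inbound allows open to the whole Internet:"
printf '%s\n' "$SAMPLE_STATUS" | open_to_anywhere
echo
echo "Tightened rule set (review it, then run each line as root):"
plan_ufw_rules 192.168.1.0/24 4662/tcp 4672/udp
```

On a live box, pipe the real listing in with sudo ufw status | open_to_anywhere after sourcing the file. Note that the plan keeps the two eMule-style ports from post #20 only because they were asked about; for a machine that is not running that client (post #22), drop the extra arguments and the plan reduces to "deny incoming, allow outgoing, Samba from the LAN".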
#24
Quote:
#25
OP,
Open a terminal and type: Code:
If you see under "Local Address" a 0.0.0.0 entry, then you need a firewall. If not, then you do not need a firewall as you have no listening services. I know that Ubuntu ships with no listening services by default.
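The command post #25 had inside its Code box did not survive, but the test it describes (look at the Local Address column for wildcard bindings) can be scripted. The following is an added example, not code from the thread. It assumes the ss -Hltn / ss -Hlun output layout, or netstat -tuln, both of which put the local address in the fourth column; the socket lines it ships with are constructed samples, and it also treats the IPv6 wildcard [::] and the netstat spelling ::: as "listening on every address", which the post's 0.0.0.0 rule alone would miss.

```shell
#!/bin/sh
# Added example (not from the thread): list listening sockets bound to a
# wildcard address, i.e. services reachable from every interface.
# Input: one socket per line in "ss -Hltn"/"ss -Hlun" or "netstat -tuln"
# layout; both put the local address in column 4.

wildcard_listeners() {
  awk '{
    addr = $4
    sub(/:[^:]*$/, "", addr)          # strip the trailing ":port"
    # 0.0.0.0, [::], :: and * all mean "every address on this host";
    # 127.0.0.1 / [::1] / a LAN address are bound to one interface only.
    if (addr == "0.0.0.0" || addr == "[::]" || addr == "::" || addr == "*")
      print $4
  }'
}

# Number of wildcard listeners in a text blob (0 when there are none).
count_wildcard() {
  printf '%s\n' "$1" | wildcard_listeners | grep -c . || true
}

# Constructed sample in "ss -Hltn" layout: sshd on all addresses (v4 and v6),
# the CUPS web interface on loopback only.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*'

# Constructed sample in "netstat -tuln" layout, header lines included to
# show they are ignored (their column 4 is never a wildcard address).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 0.0.0.0:68 0.0.0.0:*'

echo "Wildcard listeners in the ss sample ($(count_wildcard "$SAMPLE_SS")):"
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
echo "Wildcard listeners in the netstat sample ($(count_wildcard "$SAMPLE_NETSTAT")):"
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners

# Live check on the current host, when ss is available.
if command -v ss >/dev/null 2>&1; then
  echo "Wildcard listeners on this host:"
  { ss -Hltn; ss -Hlun; } 2>/dev/null | wildcard_listeners || true
fi
```

An empty live list is the "no listening services" case the post describes; anything printed is a port the router's NAT is the only thing in front of, which is where post #12's advice (enable the host firewall on a laptop that leaves the house) applies.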