How can I get a Firewall for Linux???

I finally got 9.04 installed and i forgot how I got the firewall I had in the last version. What is an easy to set up firewall for Ubuntu

 

Open the Terminal and type: sudo ufw enable

You're done.

 

Thanks. But now it seems like the internet is constantly trying to connect. Oh and the firewall icon is not appearing.

 

There's no icon. All ufw configuration is done via command line.

IIRC the fwbuilder package adds a GUI frontend to ufw, but I've never found the need to use it, so I can't tell you much about it.

 

The firewall is installed by default, it's a kernel module called iptables.
In Ubuntu, it's not running by default, as the default install has no services listening to the external world. You can activate it using command line or go for a frontend like gufw.
Mrk

 

You're kidding right? So virtually all Ubuntu users are unsuspectingly going on to the web naked, without their firewall running?

 

Kidding, no. Naked, why naked? You don't have services listening, so why do you need a firewall. And if you have services listening, for instance p2p apps, then the ports will have to be open even if you use a firewall, so it really does not make any difference.

Why do you need firewall if all your ports are closed?

Mrk

 

Missed that part.

But I believe in PCLOS2009.1 at least. The default is ShoreWall installed & running.

 

The thing about firewalls is that Windows has scared many people into thinking that one is absolutely necessary. It's not. If you know how to manage ports and services properly (and Linux leaves them closed by default), a firewall is probably only as necessary as an antivirus.

 

I for one wouldn't want a firewall running, I am behind a router and therefore don't need any redundant filtering.

 

sudo ufw enable
sudo ufw default deny

https://wiki.ubuntu.com/UbuntuFirewall
https://wiki.ubuntu.com/UbuntuFirewallSpec

and

https://help.ubuntu.com/9.04/serverguide/C/firewall.html

The created rules can be viewed with

sudo iptables -L

 

Firewall... umm can't remember the last time I needed one in ubuntu...

But then again... if your not running "ANYTHING" that would require you to, no need to worry

Cheers.

 

If you are not running some form of iptables rules, and you are not using a hardware router w/firewall (setup to drop unrequested packets), then no packets will be dropped - i.e. you are running naked on the Internet - not that it will make you a target by malware looking for vulnerable Windows systems. You will be vulnerable to Linux oriented rootkits and other malware, e.g. malformed packets which follow up by dropping their payload and stealthing their presence on your system. Best to run the following iptables rules even if your router has good firewall protection as a part of a security strategy that is multi-layered to protect your computer.

For ubuntu, I recommend the restricted Beginners' iptables scripts at:
HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]. Note: Read all of the pages of the thread.

Or, you can chose to download and install Firestarter and set it up to boot on power up.

-- Tom

 

Hey Tom,

You do make a good point. The guide looks good. Interesting pointers.

Cheers,
fluxgfx

 

I don't know if it's ShoreWall; it's under Control Center. By "default" "Everything (no firewall) is enabled. I've modified the settings a bit, even though I'm sure it's not necessary because I'm behind a router, but I do it for fun. It's also set to warn if someone attempts to access services or intrude the computer, this latter setting of which I believe is set as default.

 

Hi wat0114,

Shorewall firewall is usually used for networks rather than personal computer firewalls given that it can handle zones.

You should check your router to see how well stealthed it is, by visiting nmap-online.com to conduct a few tests, i.e. your router (every power-on) will probably get a new IP address from DHCP if that is how you have it setup rather than with a static IP address.

When I had FiOS installed, I had to do a bit of work to stealth my router, but the doc was good and I soon found most all of the loopholes. My router uses the real-time embedded Linux known as Buzybox with enhancements made by the ISP. Buzybox has had a lot of firmware updates since I got the service installed, but no updates so far from the ISP.

-- Tom

 

If something malicious were to be installed, wouldn't a firewall be nice to prevent any incoming connections to be established?

Also, isn't firewall code more tested against network attacks than the kernel itself?

 

Hi Tom,

my router comes up stealth on all but 113, which is closed. That's good enough for me My ISP tends to never change my router's WAN-side ip address; it has stayed the same for 8 months after our hook-up. I've also safely disabled a few of the daemons/services from starting up. Maybe a few few more later when I take the time to look, as I'm still well immersed in "learning mode" with Linux.

 

Thanks got the UFW firewall enabled. Went to the shields up and got all green but failed on ping.

 

If one really wanted to... they could setup a firewall box running only the iptable and set it up. Very easy to do and implement changes if needed via the command line. I guess my old PII is doing the job all port shown as filtered. One could potentially setup the UPNP service on the box to allow certain programs to make use of the request to open ports when needed but thats up to you.

 

How exactly would a malformed packet drop its payload on my Linux box? It would not have write access to any root directory in order to do so. At any rate, If you wanted to ensure that such malformed packets wouldn't have any chance at all, you can edit /etc/sysctl.conf and add:

net.ipv4.icmp_echo_ignore_broadcasts=1 (stops bogus icmp packets)
net.ipv4.icmp_ignore_bogus_error_messages=1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 0 (stops forwarding)
net.ipv4.conf.all.accept_source_route=0 (stops spoofed packets)

Secondly, I am not aware of any Linux malware that is a threat in the wild. If you have examples, please elucidate.

It's redundant to run iptables locally when NAT'ed behind a dedicated firewall that blocks all incoming packets. All you are doing is wasting memory.

I do think it's a good idea to configure IPtables to block all incoming packets IF you are not behind a hardware firewall. However, if someone is an advanced enough user to know how to harden a box (turn off all listening services, etc.) then I am not going to complain if they don't run a firewall at all, especially if the machine is a desktop box.

I am not trying to brush off security here. My Fedora box is essentially a fortress made of concrete and steel (SELinux is enabled, it's running behind an iptables hardware firewall, has all listening services turned off, has no suid binaries, and achieves a perfect "passed" rating on level 4 of sectool).

The most important thing an average desktop user can do is twofold:

1) Never run as root, especially while connected to the Internet
2) Always install all software from the distro repositories.

 

So I thought, but a look in PCC shows no boxes checked. But neither do I see shorewall running in KDE system guard, KCC service manager, or PCC services.

 

Interesting nothing is enabled in your setup, because I know that in two separate installs (different machines) Everything (no firewall) is enabled for me

 

On my 2007 installs, the no firewall option was always checked off, and this was the first time I opened up the firewall settings in 2009. I am behind a router/firewall and just assumed it was checked off. Oh well, it is now. I think I will post this over at the PCLOS forum to see if anyone else experienced this.

Edit: Of course, the forum seems like its down right now.

 

Well said. I fully agree with your post.