Firewall in Linux: Needed or Not?

Discussion in 'all things UNIX' started by apathy, May 14, 2010.

Thread Status:
Not open for further replies.
  1. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
    For years I ran Linux boxen with zero firewall but didn't have ssh enabled.
    If I had anything like vnc enabled it was enabled only for my private virtual network. I have never once seen someone access my boxes so what's your opinion? Firewall or no firewall?
     
  2. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    If you are behind a NAT router, you don't need one, if not you definitely need to enable IP chains either by CLI or via a GUI like GUFW etc.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Depends what you're doing. If your machine is a world-open server of some kind, some sort of access control should be in use. If not, you probably don't have any services listening to external interfaces, so you might not need one.
    Mrk
     
  4. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
    Only outside connections I ever get are through Dropbox and Transmission(torrent client).

    I may have attempt to setup a firewall that allows my torrents to work properly and allows me to feel somewhat safe.
     
  5. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Correct me if I'm wrong but iptables is there anyway. So firewall rules are ON even if the user does not notice. So there is a firewall and installed by default.

    On servers iptables is there and it's a great tool. Usually there is an addition of an intrusion detection system like Snort and often some other software that makes the management of the iptables rules easier.

    For almost all the desktop distributions I believe default installation includes iptables.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Some distros ship with iptables enabled, others with disabled. The only questions are whether the module is turned on/off and what kind of rules are configured by default.
    Mrk
     
  7. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Sincerely, most of the distros I have used have iptables installed and on with basic rules.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    The basic rule is default deny, but that says nothing about services that need to listen, e.g. ssh, samba etc, in which case the usage of firewall becomes relevant.
    Mrk
     
  9. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    Hi NoIos,

    Correction: iptables and netfilter ship with the Linux kernel, but unless you initialize a set of iptables rules after bootup (hopefully before you turn on your router), then, in effect, it is as if there is no firewall between the router and your computer, although, there may be a firewall implemented by the router between it and the Internet.

    -- Tom
     
  10. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Ok, although most of those "risky" services are off or they don't "face" the outside world for the default desktop installations, I just wanted to point with my posts that a firewall exists and it's there. So the initial question of this thread gets a reply: You don't have to install a firewall specially on desktop distros because there is one already there.
    They just have to use it. There are GUIs that make this easier but the firewall is there and it's powerful.
     
  11. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Hi, I appreciate this. I believe most of the distros initiate iptables with some basic rules, so I think this is not the case. But please provide any more infos you have or examples. I'll be glad to learn more and get informed. Thanks.
     
  12. Many distros ship with iptables installed but not enabled by default. On laptops or anything else not behind a NAT router, I'd enable it.
     
  13. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    The way I see it is that the iptables have to first be 'engaged' so to speak. Check with the command sudo iptables -nL. If you get a whole lot of entries they are 'engaged' :)
    Chain INPUT (policy DROP)
    target prot opt source destination
    ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
    ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
    ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
    ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
    ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
    ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
    ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
    ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
    ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
    ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
    ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
    ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
    ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
    ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
    ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0

    Chain ufw-after-forward (1 references)
    target prot opt source destination
    etc.etc..........

    And for settings you made eg.
    sudo ufw status
    Status: active

    To Action From
    -- ------ ----
    135,139,445/tcp DENY Anywhere
    137,138/udp DENY Anywhere
    22 DENY Anywhere
     
  14. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Thanks Ocky. I agree with your post, although I have to admit that I don't understand the "engaged" thing. If the iptables module is loaded then I think iptables works.

    lsmod | grep ip_tables
    and then
    iptables -L

    should be the proof. Am I wrong?
     
  15. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    They are enabled by default, but all traffic is allowed. However there aren't any listening services running by default that could accept remote connections, so all ports are effectively closed, even with iptables allowing all traffic.

    That's the way I see it. :)
     
  16. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    ok, I agree. You've described the situation ( most of the users will face with a default installation of the most distros ) perfectly.
     
  17. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    I am still in the process of setting up samba to enable file sharing on my lan between the linux box and my windows pc. If I enable ufw, I cannot access my ubuntu folder.

    What do I have to do to allow my lan to go through?
    I am behind a router for internet access - so what exactly is the risk when the firewall is not enabled?
     
  18. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Last edited: May 15, 2010
  19. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    from control center you can install gufw and you get the gui mode for firewall

    for samba

    -http://www.youtube.com/watch?v=89hjWOb8qmY-

    -http://www.youtube.com/watch?v=F9aLvoH4-BQ-
     
    Last edited by a moderator: May 15, 2010
  20. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    I have now successfully installed samba and can see the my linux folder in windows and vice versa. UFW is enabled but incoming and outgoing is allowed. Under Rules it says: 4662 tcp allow in and 4672 udp allow in.

    Is this how it should be or do I need any other rules?

    the whole lan is behind a router.
     
  21. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    Install gufw which makes it easier, deny all except the port you wish to use for torrent or inbound, allow all outbound.
     
  22. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Sorry, should have been clearer o_O
    I have already installed the gui and the current setting mentioned is copied straight from the gui.
    I am not using torrents, so currently tcp and udp are open on two ports. I am afraid in windows I never went so far as to specify port rules.
     
  23. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Try denying all ports.
     
  24. tlu

    tlu Guest

    There is a new alternative called ufw-frontends also available from a ppa. Looks good compared to gufw although I haven't tried it.
     
  25. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    OP,

    Open a terminal and type:

    Code:
    sudo netstat -tpvnl
    If you see under "Local Address" a 0.0.0.0 entry, then you need a firewall. If not, then you do not need a firewall as you have no listening services. I know that Ubuntu ships with no listening services by default.
     
Loading...
Thread Status:
Not open for further replies.