Guarddog/Firestarter differences

Hi

I'd like to know what are the main differences between guarddog and firestarter.
I'd also like to know which of these 2 firewalls is better for someone who has used Win most of his life, recently turned to Linux (that's right, I'm talking about me ), and has never used another firewall other than the winXP default.
I don't mind spending some time learning, my vacations start tomorrow

 

Hello Hurst,

you don't need a Firewall or a Antivirus if you haven't a Network. Just disable all your Network Services and you are safe, and that's the standard setting with Kubuntu-Ubuntu after Installation.
Here is a good (german only) link:

http://wiki.ubuntuusers.de/Sicherheitskonzepte

 

Danke!

 

I have really started in the past couple of months to advocate firewall usage regardless of the OS and of the number of services available. The reason for this is because many exploits found in Linux and in BSD are DOS that are caused by incorrect handling of packets by the kernel. The firewall would stop any of these packets before they had the chance to hit the kernel.

That being said, Guarddog and Firestarter are the same firewall (iptables). However, they are just different GUIs that make it easier to edit firewall rules without having to learn any of the mombo jombo of iptables so try one and see if you are comfortable with it. If you don't like it, then try the other one.

Cheers,

Alphalutra1

 

Thanks Alphalutra.
I decided to learn about iptables before trying those firewalls...maybe I end up doing all manually.

 

So what if u don,t use one of these FWs? Default handling of packets by linux willl not be enough?

 

There is always the possibility of some app being installed either accidently or improperly configured to accept connections from more then it should thus leaving your pc exposed if that app has any vulnerabilities or you haven't properly secured it. The firewall would prevent this from happening since it would block all incoming connections unless you explicitly allow them to happen.

Also, as I said in the previous post, many vulnerabilities in Os's is how they improperly handle packets (especially IPv6 since it really isn't widely used and is still being worked on and becoming battle tested) If someone were to send you a bad packet, then your computer could crash, or lose your internet connection. Possibly quite annoying and may cause a loss of data if anything is open and not properly saved and recovered. Just possibilities, but none the less, important things that should be prevented at all costs.

Of course you can argue that the firewall is just another layer of code you are exposing to the internet, but there have been very few vulnerabilities in IPtables in the past (the last was in 2002 I think) and pf hasn't had one yet. In comparison, almost all *nixs have had some type of remote DOS attack vulnerability that has been patched of course, but still if you don't get the latest kernel or have a firewall protecting yourself, you have the small chance of being a victim. Better safe then sorry, and the firewall causes negligible impact on performance, especially with the great firewalls for the free OSs that are included automatically (iptables, pf, ipfw, etc.)

Also, these firewalls don't have any application control, so you don't have to worry about popups, just getting them up and keeping state on all outgoing connections and denying anything else, and you should be good to go.

Cheers,

Alphalutra1

 

Thank you Alphalutra1, now i know i'm not crazy. iptables creates a visible policy for me, i never liked the idea of not using it.

If i try something like samba, or use amule, i KNOW nothing is listening, even if i noobconfigure it.

HURST, you won't regret it. Just save some time for it. Go to the website, read Networking Concepts HOWTO, Packet Filtering HOWTO, the others only if your interested (these will get you going).
I liked this Howto also, it gives someone's insight on building rules.
Then you got man pages for completeness, or this big tutorial by Oskar Andreasson. It's on my todo list, so i really don't know how it is. Probably we won't use half of it, but it's supposed to be the best/ one of the best guides.

 

Thanks Alphalutra1! I am not sure but as I understand that FireStarter or any Guard Dog is just a GUI for ip tables. So my Q is that if I don,t install and run any of these FWS, IP tables are not being used bt default?

Sorry if I am not understanding it well.

 

The default is no rules, and everything is allowed. You have to build the rules, save them in a file, and set iptables to load them at boot.

 

And what if I use FireStarter, does it has pre-built rules or rules are made during its configuration or u have to make rules in it after the config?

Thanks

 

Hello,
Another thing you should always do is restrict the range of IPs that can listen to these ports. For example, samba / cups, I always restrict to local addresses, so there are no open ports to the wide world.
Mrk

 

In iptables and samba? I think i read somewhere that samba can restrict also, but i haven't tried samba yet. Can it?

aigle: yes, Firestarter will load its rules in iptables once you finish configuration.

 

Yes, it can. Let's say you use Samba with Vmware, you can add the following lines to /etc/samba/smb.conf :

Code:

bind interfaces only = true
interfaces = vmnet8 vmnet1

to make sure that Samba is only visible from the guest by allowing it to listen only to the virtual interfaces provided by VMware (where vmnet8 is used for NAT and vmnet1 for Host Only).

 

Thanks Pedro!

 

Hello,

Another example for cups:

In the file /etc/cups/cupsd.conf, you can define to which addresses the cups will listen

For example:

Above this line: Listen /var/run/cups/cups.sock you can define
xxx.xxx.xxx.xxx:631 or perhaps *:631 or anything of the sort. It can be a single IP, subnet, or all addresses.

That way, the port will be open only locally. After configuration, you should run nmap on localhost and other adapters to see that things are configured properly.

Mrk

 

Thank you both. I got it.