How can I get a Firewall for Linux???

Discussion in 'all things UNIX' started by cheater87, Apr 27, 2009.

Thread Status:
Not open for further replies.
  1. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    I finally got 9.04 installed and i forgot how I got the firewall I had in the last version. What is an easy to set up firewall for Ubuntuo_O
     
  2. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Open the Terminal and type: sudo ufw enable

    You're done.
     
  3. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Thanks. But now it seems like the internet is constantly trying to connect. :( Oh and the firewall icon is not appearing.
     
  4. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    There's no icon. All ufw configuration is done via command line.

    IIRC the fwbuilder package adds a GUI frontend to ufw, but I've never found the need to use it, so I can't tell you much about it.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    The firewall is installed by default, it's a kernel module called iptables.
    In Ubuntu, it's not running by default, as the default install has no services listening to the external world. You can activate it using command line or go for a frontend like gufw.
    Mrk
     
  6. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    You're kidding right? So virtually all Ubuntu users are unsuspectingly going on to the web naked, without their firewall running?
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Kidding, no. Naked, why naked? You don't have services listening, so why do you need a firewall. And if you have services listening, for instance p2p apps, then the ports will have to be open even if you use a firewall, so it really does not make any difference.

    Why do you need firewall if all your ports are closed?

    Mrk
     
  8. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    Missed that part.

    But I believe in PCLOS2009.1 at least. The default is ShoreWall installed & running.
     
  9. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    The thing about firewalls is that Windows has scared many people into thinking that one is absolutely necessary. It's not. If you know how to manage ports and services properly (and Linux leaves them closed by default), a firewall is probably only as necessary as an antivirus.
     
  10. Arup

    Arup Guest

    I for one wouldn't want a firewall running, I am behind a router and therefore don't need any redundant filtering.
     
  11. tlu

    tlu Guest

  12. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Firewall... umm can't remember the last time I needed one in ubuntu...

    But then again... if your not running "ANYTHING" that would require you to, no need to worry ;)

    Cheers.
     
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    If you are not running some form of iptables rules, and you are not using a hardware router w/firewall (setup to drop unrequested packets), then no packets will be dropped - i.e. you are running naked on the Internet - not that it will make you a target by malware looking for vulnerable Windows systems. You will be vulnerable to Linux oriented rootkits and other malware, e.g. malformed packets which follow up by dropping their payload and stealthing their presence on your system. Best to run the following iptables rules even if your router has good firewall protection as a part of a security strategy that is multi-layered to protect your computer.

    For ubuntu, I recommend the restricted Beginners' iptables scripts at:
    HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]. Note: Read all of the pages of the thread.

    Or, you can chose to download and install Firestarter and set it up to boot on power up.

    -- Tom
     
  14. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Hey Tom,

    You do make a good point. The guide looks good. Interesting pointers.

    Cheers,
    fluxgfx
     
  15. wat0114

    wat0114 Guest

    I don't know if it's ShoreWall; it's under Control Center. By "default" "Everything (no firewall) is enabled. I've modified the settings a bit, even though I'm sure it's not necessary because I'm behind a router, but I do it for fun. It's also set to warn if someone attempts to access services or intrude the computer, this latter setting of which I believe is set as default.
     

    Attached Files:

  16. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    Hi wat0114,

    Shorewall firewall is usually used for networks rather than personal computer firewalls given that it can handle zones.

    You should check your router to see how well stealthed it is, by visiting nmap-online.com to conduct a few tests, i.e. your router (every power-on) will probably get a new IP address from DHCP if that is how you have it setup rather than with a static IP address.

    When I had FiOS installed, I had to do a bit of work to stealth my router, but the doc was good and I soon found most all of the loopholes. My router uses the real-time embedded Linux known as Buzybox with enhancements made by the ISP. Buzybox has had a lot of firmware updates since I got the service installed, but no updates so far from the ISP.

    -- Tom
     
  17. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    If something malicious were to be installed, wouldn't a firewall be nice to prevent any incoming connections to be established?

    Also, isn't firewall code more tested against network attacks than the kernel itself?
     
  18. wat0114

    wat0114 Guest

    Hi Tom,

    my router comes up stealth on all but 113, which is closed. That's good enough for me :) My ISP tends to never change my router's WAN-side ip address; it has stayed the same for 8 months after our hook-up. I've also safely disabled a few of the daemons/services from starting up. Maybe a few few more later when I take the time to look, as I'm still well immersed in "learning mode" with Linux.
     
  19. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Thanks got the UFW firewall enabled. :) Went to the shields up and got all green but failed on ping.
     
  20. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    If one really wanted to... they could setup a firewall box running only the iptable and set it up. Very easy to do and implement changes if needed via the command line. I guess my old PII is doing the job :) all port shown as filtered. One could potentially setup the UPNP service on the box to allow certain programs to make use of the request to open ports when needed but thats up to you.
     
  21. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    How exactly would a malformed packet drop its payload on my Linux box? It would not have write access to any root directory in order to do so. At any rate, If you wanted to ensure that such malformed packets wouldn't have any chance at all, you can edit /etc/sysctl.conf and add:

    net.ipv4.icmp_echo_ignore_broadcasts=1 (stops bogus icmp packets)
    net.ipv4.icmp_ignore_bogus_error_messages=1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.ip_forward = 0 (stops forwarding)
    net.ipv4.conf.all.accept_source_route=0 (stops spoofed packets)

    Secondly, I am not aware of any Linux malware that is a threat in the wild. If you have examples, please elucidate.

    It's redundant to run iptables locally when NAT'ed behind a dedicated firewall that blocks all incoming packets. All you are doing is wasting memory.

    I do think it's a good idea to configure IPtables to block all incoming packets IF you are not behind a hardware firewall. However, if someone is an advanced enough user to know how to harden a box (turn off all listening services, etc.) then I am not going to complain if they don't run a firewall at all, especially if the machine is a desktop box.

    I am not trying to brush off security here. My Fedora box is essentially a fortress made of concrete and steel (SELinux is enabled, it's running behind an iptables hardware firewall, has all listening services turned off, has no suid binaries, and achieves a perfect "passed" rating on level 4 of sectool).

    The most important thing an average desktop user can do is twofold:

    1) Never run as root, especially while connected to the Internet
    2) Always install all software from the distro repositories.
     
    Last edited: Apr 27, 2009
  22. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    So I thought, but a look in PCC shows no boxes checked. But neither do I see shorewall running in KDE system guard, KCC service manager, or PCC services.
     

    Attached Files:

  23. wat0114

    wat0114 Guest

    Interesting nothing is enabled in your setup, because I know that in two separate installs (different machines) Everything (no firewall) is enabled for me o_O
     
  24. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    On my 2007 installs, the no firewall option was always checked off, and this was the first time I opened up the firewall settings in 2009. I am behind a router/firewall and just assumed it was checked off. Oh well, it is now. I think I will post this over at the PCLOS forum to see if anyone else experienced this.

    Edit: Of course, the forum seems like its down right now.
     
  25. tlu

    tlu Guest

    Well said. I fully agree with your post.:thumb:
     
Loading...
Thread Status:
Not open for further replies.