Are there any frontends around that resemble the Windows Firewall functionality? Mainly: Simple popup per program access request (not floods of them). Predefined rules for public (airport) or private (home) networks and asking you to choose said profile when a new connection is detected. I'm mainly looking for something that would be simple to use for a travelling laptop.
GUFW is the easiest one to use but it is not as simple as what Windows provides at all. edit: I don't know what distro you're using but (and you probably already know this) there isn't really too great a need to use a Firewall since there are no ports open by default.
Without a firewall you'll respond to ping. With one you don't appear to be there at all.

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-04-28 10:55 CDT
NSE: Loaded 63 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 10:55
Scanning 172.16.1.35 [8 ports]
Completed Ping Scan at 10:55, 2.01s elapsed (1 total hosts)
Nmap scan report for 172.16.1.35 [host down]
NSE: Script Post-scanning.
Read data files from: /usr/pbi/zenmap-i386/share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.06 seconds
           Raw packets sent: 16 (640B) | Rcvd: 0 (0B)

It's your machine and whether or not you run a firewall is your business, but I wouldn't connect to the net without one in place.
Hmm, no, not necessarily. If he's behind a NAT router he will be "stealthed". Also, again, in many distros, there are no open ports. No open ports, no getting in really. And as far as outbound traffic, well, no malware to call home, no need really to control outbound traffic (unless you want strict control over even legit programs). If I remember correctly, he is behind a pretty hardened router, therefore a software firewall (which I'm assuming you're referring to) is rather pointless unless, again, you wish to control outbounds even with a clean system.
There's a reason Ubuntu doesn't have one by default. Who cares if you respond to a ping? The whole "Stealth" vs "Closed" thing... last time I was in IRC one of the pentesters had a very funny rant about how idiotic it all is. That, and over 70% of users are behind routers.
Which is not the case with OP. The results from the nmap scan I posted were from the OpenBSD pf firewall.
Can you explain why it matters whether a port is stealthed as opposed to closed? edit: And I know what both do. Closed rejects the packet and stealthed drops it. I don't see any significant difference in terms of security.
Please feel free to explain why you think that dropping a packet is more secure than rejecting it. Is it actually going to make your system harder to hack? Really, do tell.
Umm. Re "legit" programs, I think it's worth noting that Skype opens up a high port (something in the 50k range), and its functionality is not impaired by blocking that port. Not all (semi-)legitimate programs can be trusted not to do something stupid.
I think the whole stealth vs closed debate is about people scanning your ports not finding anything to scan instead of seeing the ports and being told "no" by the firewall. The general consensus was that if a hacker sees nothing, they won't keep trying. It really does not matter in terms of one being more secure than the other. If they can't get in, they can't get in. Plus there are far uglier things to worry about than someone using a port scanner on you (which basically happens constantly as long as you're connected to the net, you just don't see it unless you have your firewall configured to tell you about them).
Opening a port in that range isn't a big deal, plus it gets closed again when the program assigned to it is shut down. Skype picks a random port upon installation, and you can choose to only open ports 443 and 80. Also, you're probably blocking incoming TCP and not outgoing, as that would definitely cause issues. There are only a handful of "dangerous" ranges.
When you consider that:
1) Any listening service on a port will respond
2) You can only stealth a closed port
it starts to seem a bit silly to go through any trouble at all to do this. If the port is stealthed they won't see it and if the port is closed they can't really do a hell of a lot to it anyways. If there's a listening port they know you're there. A hacker typically is not going to break through a closed port; they're going to try to circumvent/get in through an open port or by hijacking a connection. I mean, sure, if all it takes is the push of a button go for it. But... it's really not providing a hell of a lot and while I'm not advocating to disable it (I run behind a router with all ports stealthed) I don't see there being a big difference. It's really a lot of hype about something that's only a bit better. But if anyone like jitte has some new information on the subject they can feel free to bring it to the table.
There is no such thing as stealth, if a host does not exist, the attacker will receive a "host unreachable" message. When in the so called stealth the attacker will receive nothing, which means that a firewall is dropping the packets. -http://www.hansenonline.net/Networking/stealth.html
That's true as well. I've heard people talking about having one of the host unreachable messages sent back instead of no response. That would be interesting. But all of this goes against the default TCP/IP. edit: Anyways, like I said, it's really not worth any hassle whatsoever. I don't think it hurts for a home user (it does if you do some networking stuff... sometimes quite a lot) but I don't really see it saving anyone either. A closed port is not insecure. I think that this idea of "stealthed ports" makes people think otherwise.
Coming back to the OP: any directly relevant answers? From the little I've seen, I don't think there are simple (GUI) frontends for what OP wants. Correct? That they are not needed or may not be needed is also an answer, albeit indirectly, with the caveat that the device won't be used as a server. Is that correct?
Mandriva/Mageia/PCLinuxOS has an interactive firewall GUI that will tell you when you're being scanned and such. You might be able to grab the source and install it on whatever you're running (assuming it can run without the weird Mandriva network manager).
I don't think any of the answers were relevant (no offense). No, it won't be used as a server, but I was trying to emphasize that it needs to be able to run in an untrusted public environment with potentially hostile users, which is why I wanted a "public" mode, basically a setting I can have that lets my programs have internet access but keeps me protected on a completely untrusted network. Telling me when I'm being scanned is too much information, I'm not interested in such things. Just something that alerts me when a program wants internet access and alerts me to choose a predefined set of rules when a network is connected. I guess I could sacrifice the latter request if the firewall was permanently in a "public" state, which I guess most Linux firewalls might be?
Nope, I don't know of any that function like that. I would say that if you have strong outbound rules that only allow services you use and default deny incoming, then you would be good in a public or private place. If you had services such as Samba or any kind of server running on this machine, I would want to disable them when I was on a public wifi. Perhaps change those services to turn on manually instead of automatically at startup.
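As an added example (not code from anyone in this thread), here is a small POSIX shell script that builds the two profiles the OP asks for and the "default deny incoming, strict outbound" rule set suggested above: a "private" profile that answers ping and exposes Samba to the home LAN only, and a "public" profile that accepts nothing inbound and lets programs reach only DNS, NTP and the web. The drop/reject switch is the "stealthed" vs "closed" choice argued about earlier: both leave nothing listening, they only differ in what a scanner is told. The LAN range, the trusted connection names, and the NetworkManager dispatcher hook are assumptions; the script prints the rules by default and only applies them when asked to as root.

```shell
#!/bin/sh
# fw-profile.sh: generate (and optionally apply) an iptables rule set for a
# laptop that moves between a trusted home LAN and untrusted public Wi-Fi.
# Added example, not from the thread. Assumptions: IPv4 iptables with the
# conntrack and multiport matches; LAN_NET is the home LAN; the names in
# TRUSTED_CONNECTIONS are hypothetical NetworkManager connection ids.

LAN_NET="${LAN_NET:-192.168.1.0/24}"                                   # assumed
TRUSTED_CONNECTIONS="${TRUSTED_CONNECTIONS:-Home-WiFi Home-Ethernet}"  # assumed

# Trailing INPUT rules for ports nothing is listening on.
#   drop   - discard silently: nmap shows "filtered", and a ping sweep reports
#            the host down, as in the scan pasted earlier in the thread
#   reject - answer with TCP RST / ICMP port-unreachable: the port shows "closed"
# Neither is more secure than the other; only what the scanner sees differs.
unreachable_rules() {
    case "$1" in
        drop)
            echo "iptables -A INPUT -j DROP" ;;
        reject)
            echo "iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset"
            echo "iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable" ;;
        *)  echo "unknown action: $1" >&2; return 1 ;;
    esac
}

# profile_rules <public|private> <drop|reject>: print the rule set to stdout.
profile_rules() {
    profile="$1"; action="$2"
    case "$profile" in
        public|private) ;;
        *) echo "unknown profile: $profile" >&2; return 1 ;;
    esac
    unreachable_rules "$action" >/dev/null || return 1   # validate before printing
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ "$profile" = "private" ]; then
        # Trusted LAN: answer ping and expose Samba to neighbours only; outbound is open.
        cat <<EOF
iptables -A INPUT -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -s $LAN_NET -p udp -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -s $LAN_NET -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A OUTPUT -j ACCEPT
EOF
    else
        # Untrusted network: nothing new inbound, and outbound only to the
        # services we actually use (DNS, NTP, web). Anything else is logged and
        # dropped by the OUTPUT policy, which also catches a program "calling home".
        cat <<EOF
iptables -A OUTPUT -p udp -m multiport --dports 53,123 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 53,80,443 -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-public-out: "
EOF
    fi
    unreachable_rules "$action"
}

# choose_profile <connection-id>: "private" for a connection we trust,
# "public" for everything else, so an unknown network gets the strict set.
choose_profile() {
    for c in $TRUSTED_CONNECTIONS; do
        [ "$1" = "$c" ] && { echo private; return 0; }
    done
    echo public
}

# apply_profile <public|private> <drop|reject>: feed the rules to a shell as root.
apply_profile() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root; use 'print' to review" >&2; return 1; }
    profile_rules "$1" "$2" | sh -e
}

# CLI:  fw-profile.sh print|apply <public|private> [drop|reject]
# As a NetworkManager dispatcher script (assumption: NM passes "<iface> up" and
# exports CONNECTION_ID) it selects the profile itself whenever a link comes up.
main() {
    case "$1" in
        print) profile_rules "$2" "${3:-drop}" ;;
        apply) apply_profile "$2" "${3:-drop}" ;;
        *) if [ "${2:-}" = "up" ]; then
               apply_profile "$(choose_profile "${CONNECTION_ID:-}")" drop
           fi ;;
    esac
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Review the output with `sh fw-profile.sh print public drop` before applying anything. To see the difference the thread argues about, scan the laptop from another machine: under the drop variant `nmap -sn <ip>` reports the host down, exactly like the pasted scan, while `nmap -Pn <ip>` lists the unserved ports as filtered; under the reject variant the same ports show as closed. In both cases there is nothing to connect to.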
Yeah, I saw that when I did a search before I posted. Unfortunately the Flash videos don't make it look very simple at all, and the 90s UI isn't the greatest.