What's the point of a firewall?

14 replies
elodie
Joined: 01/31/2014

Reading Linux forums, I keep coming across the same remarks, usually from newcomers, about how this or that distribution is not perfect because it lacks a firewall installed by default.

To me, the idea exposes them for what they are. The firewall functionality is not built out of any kernel binary I know. All relevant distributions come with some sort of repository where they can find graphical interfaces to that firewall functionality. And, now comes the best part: they get to block ports that are not enabled.

Most probably the idiot is me. So please help me understand why a desktop distribution needs such an app.

Michał Masłowski
Joined: 05/15/2010

I think it's needed only for complex networks where e.g. services are accessible from some but not all hosts. For a simple desktop computer, everything listens only for local connections or isn't installed. (Some programs imo need a non-default configuration: OpenSSH shouldn't allow password authentication.) All uses of firewalls that I know of need system-specific configuration, not a default.

Even if there are services available from other hosts, the firewalls of your router and your ISP might prevent them from being accessed.

(I don't have any professional experience or qualifications related to networking.)

ADFENO
Joined: 12/31/2012

Well,

This is, indeed, a really good subject.

This can be misunderstood as not useful for the majority of GNU+Linux users but, let's pretend that Some User One has a GNU+Linux operating system, and that Some User Two has any operating system and is on the same local network as Some User One.

Let's pretend that Some User One must be (that is, he's obliged to be) running an SSH server and an SMB server, both on his operating system. Everything is OK for both users because they have everything they desired.

Now let's pretend that, by a bit of luck, a black hat hacker or an Internet robot finds the IP address of Some User One's computer. In the case of a black hat hacker, he could try to break the security of the SSH server; as for the Internet robot, it would just try random stuff gathered from previously infected/invaded victims to break the security of the SSH server.

I don't know for sure why I mentioned the SMB server, but perhaps, depending on which contents the SMB server shares, it's possible for the black hat hacker to get some confidential information about anyone, or even transfer some malicious software to those who joined the network in question.

A firewall, along with an automated banning tool and strong security measures, can solve a lot of problems.

With a firewall, Some User One could block connections from people outside his local network by using the correct classless inter-domain routing notation for his network.

If a firewall is able to, besides filtering ports, also filter the protocols associated with those ports, the situation gets even more secure because the firewall will, most of the time, block a wrong request if its protocol doesn't match the protocol associated with that port.

If the user's computer has an automated banning tool, it'll ban the incoming user automatically if their connection meets certain criteria.

Michal Maslowski is indeed right.

My comment (this one) is just based on life experience, not on knowledge or skill about such subjects.

Best regards, ADFENO.
Have a nice day.
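The LAN-only rule ADFENO describes, as an added example that is not part of the original post. It assumes the LAN of "Some User One" is 192.168.1.0/24 (an assumption; change it to your own network) and uses nftables as the front end to the kernel packet filter. The first function checks whether an address falls inside a CIDR prefix, so you can verify the notation before loading a rule that depends on it; the second prints a ruleset that admits SSH and SMB only from that prefix.

```shell
#!/bin/sh
# Added example, not code from the thread. Restricts the SSH and SMB
# services in the scenario above to the local network by CIDR.
# Assumptions: LAN_CIDR is the LAN of "Some User One"; nftables is the
# front end to the kernel firewall (iptables would do the same job).

LAN_CIDR="192.168.1.0/24"   # assumed LAN; adjust to your network

# ip_to_int A.B.C.D -> the address as a 32-bit integer (IPv4 only)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDR NET/BITS -> status 0 if ADDR is inside the prefix, 1 if
# not, 2 on malformed input. Use it to sanity-check the notation you are
# about to put in a rule: a typo like /42, or /8 where /24 was meant,
# silently opens the service to far more than your LAN.
in_cidr() {
    case $1 in *.*.*.*) ;; *) return 2 ;; esac
    ic_bits=${2#*/}
    case $ic_bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$ic_bits" -le 32 ] || return 2
    ic_mask=$(( (4294967295 << (32 - ic_bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & ic_mask )) -eq $(( $(ip_to_int "${2%/*}") & ic_mask )) ]
}

# lan_ruleset NET/BITS -> nftables ruleset: SSH (22) and SMB (445, plus the
# NetBIOS ports) only from the LAN, all other unsolicited traffic dropped.
# Check with "nft -c -f FILE", load with "nft -f FILE".
lan_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        ip saddr $1 tcp dport { 22, 139, 445 } accept
        ip saddr $1 udp dport { 137, 138 } accept
    }
}
EOF
}

# Demonstration on constructed addresses (private and documentation ranges).
for src in 192.168.1.20 203.0.113.45; do
    if in_cidr "$src" "$LAN_CIDR"; then
        echo "$src: inside $LAN_CIDR, SSH/SMB allowed"
    else
        echo "$src: outside $LAN_CIDR, dropped by policy"
    fi
done
in_cidr 192.168.1.20 192.168.1.0/42 || echo "bad prefix length rejected (status $?)"
lan_ruleset "$LAN_CIDR"
```

The ruleset only covers IPv4: the "inet" table also sees IPv6, and with "policy drop" any IPv6 service would need its own "ip6 saddr" rule. A machine that gets its address by DHCP may also need the DHCP client port opened, depending on how the client binds.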

elodie
Joined: 01/31/2014

Being ignorant means one isn't aware of said ignorance; otherwise, that person would stop being ignorant.

ADFENO
Joined: 12/31/2012

Sorry, did I offend someone by accident?

Or am I misunderstanding your reply?

If I did so, sorry, but I didn't, and I still don't, mean to do so.

Best regards, ADFENO.
Have a nice day.

ssdclickofdeath
Joined: 05/18/2013

"Now let's pretend that, by a bit of luck, a black hat hacker[...]"

Do you mean "cracker"? http://www.gnu.org/philosophy/words-to-avoid#Hacker

ADFENO
Joined: 12/31/2012

Thank you very much ssdclickofdeath. :D

This page from the FSF proves to be very useful.

Now that I think about it, I'm amused by the way the meanings of a word or phrase can change even inside subcultures of its main culture.

I'll try to use “cracker” instead of “black hat hacker” when speaking about free software and culture.

Best regards, ADFENO.
Have a nice day.

akifo
Joined: 12/23/2011

If you aren't running any public server — there is no point in firewall. If you want to keep the only default server (ssh) — just use fail2ban and forget about it.

ZykoticK9
Joined: 04/07/2011

On Sun, Feb 02, 2014 at 05:29:20PM +0100, name at domain wrote:
> If you aren't running any public server — there is no point in
> firewall. If you want to keep the only default server (ssh) — just
> use fail2ban and forget about it.

you do realize fail2ban utilizes the firewall, right?

akifo
Joined: 12/23/2011

Yep. I mean — there is no point in configuring firewall while using fail2ban. Speaking about desktop, of course.
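To make ZykoticK9's point concrete, here is the core of what a banning tool does, written out by hand as an added example (this is not fail2ban's code, and the log lines are constructed for the example): count failed SSH logins per source address in an auth log, exempt the local network the way fail2ban's ignoreip does, and turn the offenders into firewall commands. The only thing the tool adds on top of the firewall is the log parsing; the ban itself is a packet-filter rule, here an nftables set with timed elements so the unban happens on its own.

```shell
#!/bin/sh
# Added example, not fail2ban's code: the log-to-firewall-rule loop a
# banning tool runs, reduced to its parts. Assumptions: sshd logs in the
# usual syslog format, the firewall is nftables with a table "inet filter"
# and chain "input", and the LAN is 192.168.1.0/24. The log is constructed.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
Feb  2 17:29:20 desk sshd[1234]: Failed password for root from 203.0.113.45 port 50122 ssh2
Feb  2 17:29:22 desk sshd[1234]: Failed password for invalid user admin from 203.0.113.45 port 50123 ssh2
Feb  2 17:29:25 desk sshd[1240]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Feb  2 17:29:30 desk sshd[1241]: Accepted publickey for alice from 192.168.1.20 port 51000 ssh2
Feb  2 17:29:31 desk sshd[1234]: Failed password for root from 203.0.113.45 port 50124 ssh2
Feb  2 17:29:33 desk sshd[1242]: Invalid user oracle from 203.0.113.45 port 50125
EOF

# offenders FILE THRESHOLD [IGNORE_PREFIX] -> sorted source addresses with
# at least THRESHOLD failed-login lines. Addresses starting with
# IGNORE_PREFIX (e.g. "192.168.1.") are never reported, so a mistyped
# password on the LAN cannot lock you out of your own machine.
offenders() {
    awk -v t="$2" -v ign="${3:-}" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user) / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            if (ign != "" && index(ip, ign) == 1) next
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' "$1" | sort
}

# ban_setup -> commands to run once: a set that can hold timed elements and
# the single rule that drops anything in it.
ban_setup() {
    echo "nft add set inet filter banned '{ type ipv4_addr; flags timeout; }'"
    echo "nft add rule inet filter input ip saddr @banned drop"
}

# ban_commands DURATION -> reads addresses on stdin, prints the command that
# adds each to the set. The element expires after DURATION: that is the unban.
ban_commands() {
    while read -r ip; do
        echo "nft add element inet filter banned '{ $ip timeout $1 }'"
    done
}

# Demonstration: three or more failures earn a ten-minute ban; LAN exempt.
echo "# run once:"
ban_setup
echo "# per scan of the log:"
offenders "$LOG" 3 192.168.1. | ban_commands 10m
```

Pipe the last line into sh instead of printing it and run it from cron or a systemd timer, and you have a minimal banning tool. fail2ban does the same with better log parsing, per-service filters, a sliding time window and IPv6, but it still ends in an iptables or nft command, which is why it needs the packet filter present.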

leny2010
Joined: 09/15/2011

The iptables capability, which is what the kind of firewall you talk about uses, is built into the kernel. It just isn't set up to deny ports by default in Trisquel.

Trisquel does, however, ship with an Application Level Firewall enabled by default - AppArmor [1]. This protects you if something like Samba or CUPS falls to an external attack by preventing access to files on a different level than GNU/Linux file permissions allow.

The perceived need for IP firewalls in desktop OSes seems to have been conditioned by the fact that they're essential in a certain well-known OS which is derived from a clone of CP/M for the 8086.

As you observe, closing unmanned ports is not a real security benefit as far as typical desktop/laptop use is concerned. However, I run an IP firewall, ufw, not for the port blocking but to rate limit the number of connections per 30 seconds to the SSH port. I also set my computers not to allow password access via SSH. These significantly push up the time for an attack to succeed. I chose this as I routinely use a public WiFi which is misconfigured (no client isolation) and there's another patron who is a script kiddie. His eyes get very still and he doesn't blink when people type passwords around him. YMMV.

[1] https://en.wikipedia.org/wiki/Application_level_firewall
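Two checks for the setup leny2010 describes, as an added example (not leny2010's own scripts): whether sshd still accepts passwords, read the way sshd reads its configuration, and the ufw rate-limit rule together with the iptables rules it expands to. The sshd_config files are constructed for the example; the "6 connections in 30 seconds" figure is what ufw's limit rule uses.

```shell
#!/bin/sh
# Added example, not from the thread. (1) sshd_password_auth reads the
# effective global PasswordAuthentication the way sshd does: the first
# occurrence of a keyword wins, the default when absent is "yes", and
# anything after a Match line is conditional, so it is not considered.
# (2) ssh_limit_rules prints the ufw limit rule and its iptables equivalent.
# The config files below are constructed for this example.

# sshd_password_auth FILE -> prints "yes" or "no"
sshd_password_auth() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" && !seen { print tolower($2); seen = 1 }
        END { if (!seen) print "yes" }
    ' "$1"
}

# ssh_limit_rules -> ufw "limit" denies a source that opens 6 or more new
# connections to the port within 30 seconds; the two iptables lines are the
# same thing written with the "recent" match, which is what ufw generates.
ssh_limit_rules() {
    cat <<'EOF'
ufw limit 22/tcp
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 --name SSH -j DROP
EOF
}

WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT

# weak: only the commented-out default, so sshd falls back to "yes"
cat >"$WEAK" <<'EOF'
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# hardened: explicit "no" in the global section; the "yes" inside the
# Match block applies only to LAN clients and is not a global setting
cat >"$HARD" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF

for f in "$WEAK" "$HARD"; do
    echo "$f: PasswordAuthentication $(sshd_password_auth "$f")"
done
ssh_limit_rules
```

The authoritative check on a live system is "sshd -T | grep -i passwordauthentication", which evaluates the whole file including Match blocks; the function above is for auditing a config file you are not running. A common mistake the first-occurrence rule catches: appending "PasswordAuthentication no" to the end of a file that already says "yes" higher up changes nothing.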

antiesnob
Joined: 08/22/2013

The point is Security and Control.

elodie
Joined: 01/31/2014

In other words, the firewall is a tool that can do some good to people who know what they are looking for, who are able to download their interface of choice from the repositories. For the regular user, NoScript has far better results, making it more interesting to come preinstalled than a firewall app.

Magic Banana
Joined: 07/24/2010

I do not think there is a relation between NoScript, which prevents the execution of some code included in a Web page, and a firewall, which filters connections (from a given application if outgoing, or from a given IP address if incoming) on a given port. As far as I understand, the code in a Web page is downloaded with the Web page using, like the rest of the Web page, the HTTP protocol on port 80 (by default). The firewall cannot differentiate that code from the rest of the page.

elodie
Joined: 01/31/2014

Right Magic Banana. Security is for *other* people.