Ubuntu and firewall
Posted Oct 3, 2006 18:45 UTC (Tue) by oak (subscriber, #2786)
Parent article: Mark Shuttleworth interview (Linux Format)
I think one of the most disappointing things in Ubuntu is that it doesn't
Ubuntu and firewall
Posted Oct 4, 2006 2:13 UTC (Wed) by drag (subscriber, #31333)
Well Ubuntu does come with a firewall. It's just disabled. All Linux distros have one and they've had it for a long long time.
It's called 'iptables'. Of course the configuration is a bitch. So I suppose you can say that it's not a firewall unless configured to do so.
HOWEVER.. An (enabled) firewall can actually lower your security if you don't need it. A bit counterintuitive, but let me explain. The proof goes like this:
Part A: A piece of security of not insignificant size contains bugs, this can't be avoided. Of these bugs a certain percentage of them will be security flaws.
Part B: Firewalls are built using fairly complex code from both kernelland and userland.
Conclusion: Firewalls almost certainly contain an unknown amount of security flaws.
So in other words.. an ssh server running by itself will be more secure than an ssh server running with a firewall. For the most part. It's logical.
In MS-Windows land a firewall is almost necessary for decent security of course. This is because XP and friends have services that listen on the network and if you try to disable them they may break stuff and it's a PITA. Also it's nice to have outgoing filtering because you can't trust the programs you run in Windows not to try to betray you. Spyware, viruses, adware, programs attempting to access internet stuff for no discernible reason, etc etc.
This isn't a problem with Linux (yet), but I suppose outgoing firewalls would be nice to protect yourself against the odd script that may try to get executed due to some random browser vulnerability or something. However if they do compromise your account in Ubuntu all they have to do is issue a 'sudo' and then they can get root. Once root is gone then all the firewall installed on your machine isn't going to help you.
So it's not really _that_ useful.
Of course firewalls can be used to harden services. Like using a firewall to do packet filtering to protect your Apache service from a DOS'ing. But that is advanced stuff and may not be that appropriate for a regular Desktop OS.
A more typical use would be like something on a mobile network, or untrusted network, where you can run services, but deny access to them easily via your firewall. Then set up a VPN to allow trusted users to access your services. Like running a SAMBA server on a public wifi connection.
Or maybe turn on the firewall while you're out and about and turn it off when you're back at home.
For servers having a separate machine for a firewall would be much better...
But if you want a good desktop firewall for Linux that would be easy enough to install (apt-get I believe) and use for most users.
Pretty snazzy.
Ubuntu and firewall
Posted Oct 5, 2006 9:41 UTC (Thu) by ayeomans (subscriber, #1848)
Not sure if this is still true. It certainly used to be the case that you could turn off all listening services. But they are coming back into fashion. My stock Ubuntu system is listening on four ip ports by default, three to do with printing, even though I don't have a printer connected:
4351/tcp python /usr/sbin/hpssd
If it wasn't for the fact that I'm behind a hardware firewall, I'd feel a bit uneasy about advertising these on the Internet. So a firewall that restricts access to local subnet would seem a good idea.
Ubuntu and firewall
Posted Oct 6, 2006 3:19 UTC (Fri) by nlucas (subscriber, #33793)
You forgot to include the addresses they are binding to.
Except for dhclient3 (which obviously is using an external connection to your dhcp server) they are all bound to localhost (unless you configured them differently).
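The point of the last two comments is that a listening port only says something about exposure once you know the address it is bound to. As an added example (not part of the thread or any commenter's code), this sketch decodes `/proc/net/tcp`-style rows and classifies each LISTEN socket by bind address. The function names and sample rows are constructed for illustration, and the decoding assumes a little-endian host.

```python
import ipaddress

TCP_LISTEN = "0A"  # socket state code the kernel prints for LISTEN

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# Port 0x10FF is 4351, the hpssd port quoted in the thread; other rows are made up.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:10FF 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0500A8C0:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0100007F:0277 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004
"""

def decode_addr(field):
    """Turn 'HEXADDR:HEXPORT' into (ip_address, port); handles tcp and tcp6 rows."""
    # Each 32-bit word of the address is printed in host byte order, so on a
    # little-endian machine (assumed here) every 8-hex-digit group is reversed.
    hex_ip, hex_port = field.split(":")
    words = [hex_ip[i:i + 8] for i in range(0, len(hex_ip), 8)]
    raw = b"".join(bytes.fromhex(w)[::-1] for w in words)
    return ipaddress.ip_address(raw), int(hex_port, 16)

def classify(ip):
    """Label a bind address by how far the socket can be reached."""
    if ip.is_loopback:
        return "loopback-only"      # reachable from this host only
    if ip.is_unspecified:
        return "all-interfaces"     # 0.0.0.0 or ::, reachable on every interface
    return "single-interface"       # reachable via that one address

def listeners(proc_text):
    """Return sorted (port, ip, exposure) for every socket in LISTEN state."""
    found = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue  # established and other non-listening sockets are ignored
        ip, port = decode_addr(cols[1])
        found.append((port, str(ip), classify(ip)))
    return sorted(found)

if __name__ == "__main__":
    # On a live Linux host, pass the contents of /proc/net/tcp or /proc/net/tcp6.
    for port, ip, exposure in listeners(SAMPLE):
        print(f"{port:>5}/tcp  {ip:<15}  {exposure}")
```

Only the sockets reported as `all-interfaces` or `single-interface` are candidates for a firewall rule restricting them to the local subnet.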
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.