Why not enable firewall by default?
Forum: Networking
Topic: Why not enable firewall by default?
Started by: chipandrews

Posted by chipandrews on Dec. 03 2004,21:17
It would be nice if DSL came with a personal firewall enabled (IPChains or whatever) so that we wouldn't have to worry about unsafe environments - especially in a CD-based distro where patching is not really an option. Any chance of that happening in an upcoming release? You could always give the option to drop or pinhole the firewall if that is needed later.
Chip

Posted by cbagger01 on Dec. 04 2004,03:41
Not unless someone can figure out how to install ipchains or iptables + a configuration tool and squeeze it into 0.2MB of disk space. It is a minor miracle that they could even fit Firefox into the base cd. A firewall extension on the other hand is quite doable.

Posted by ke4nt1 on Dec. 04 2004,03:47
There is an iptables.dsl and an rcfirewall.dsl in the repository. No "GUI", but very workable..
73 ke4nt

Posted by green on Dec. 05 2004,05:00
So, if one is running a live CD, and has no firewall,.... what is the worst thing an intruder can do ?
Posted by cbagger01 on Dec. 05 2004,05:15
Take control of your computer somehow, get "root" privileges and then issue a "dd" command that erases the entire contents of your hard drive even though you are not booting from it. I'm sure that there are worse things that can happen, but that one is bad enough as it is.

Posted by ke4nt1 on Dec. 05 2004,07:19
I was thinking that once "root" is established, the entire localnet is at risk, .. every computer .. Best to keep alert as to what "ports" are open on your connected systems..
73 ke4nt

Posted by AwPhuch on Dec. 05 2004,08:12
The rcfirewall.dsl is absolutely brilliant!! It works very very well and is automatic... especially if you have your DSL inside a DHCP network... makes a good stateful connection. Oh and it is capable of making a decent little router!!!!
Brian AwPhuch

Posted by ke4nt1 on Dec. 05 2004,08:57
Oh, you MUST share. !!! Pray Tell !!!
73 ke4nt

Posted by green on Dec. 05 2004,16:42
How do I know what ports are open on my DSL/Linux box? I assume that rcfirewall will let me do what I want once I build the rules. I am familiar with Cisco PIX firewalls and Cisco routers and switches, so at least the theory I understand, but am sure the syntax would be different. Would I need a dedicated machine for rcfirewall? And how does it compare with the 'home network' firewall, like D-Link, NetGear, etc? Or a software firewall like the one on XP or the various virus protection software packages? I guess I should have googled rcfirewall before asking these questions. I'll do that now, but please feel free to input your comments. You've woken my interest.

Posted by green on Dec. 05 2004,16:46
By the way: if you Google rcfirewall, damnsmalllinux pops up for rcfirewall.dsl. Thought that was cool.....

Posted by roberts on Dec. 05 2004,18:18
To see open ports use: netstat -l
Posted by Chip on Dec. 05 2004,23:39
rcfirewall sounds great but does it work on a machine with only 1 nic? I am only interested in blocking access to the machine, not in creating a new, protected subnet and using DSL as a NAT firewall. Again, something akin to what the "Windows Firewall" does should be sufficient to block all inbound TCP, UDP, and ICMP packets. I see no real reason for egress filtering either in this scenario as trojans/rootkits would not persist between restarts and this is a workstation, not a bastion server.
Chip

Posted by AwPhuch on Dec. 06 2004,00:45
NAT = Firewall/router for internal network right? I would still use SmoothWall though
Brian AwPhuch

Posted by AwPhuch on Dec. 06 2004,00:48
NO it will also create a stateful firewall on itself.. which means nothing that didn't originate from the box itself is blocked! So no traffic or requests out from box = nothing getting in!
Brian AwPhuch

Posted by ico2 on Dec. 06 2004,17:26
*hates firewalls and would prefer to lose disk contents than put up with using one*
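The single-NIC, inbound-only stateful ruleset Chip asks for above (and the "nothing out = nothing in" behaviour AwPhuch describes), as an added example written for this thread; it is not rcfirewall.dsl or any DSL extension script. It assumes a kernel with iptables, the state match (conntrack) and iptables-restore; the rule names and the FW-DROP log prefix are constructed here.

```shell
#!/bin/sh
# Constructed example: a "block everything the box did not ask for" ruleset
# for a live-CD workstation with one NIC. Not rcfirewall.dsl; no NAT, no forwarding.
# Assumes iptables + the state match (ip_conntrack) and iptables-restore.

# Print the ruleset in iptables-restore(8) format. Pass "ping" to add the one
# pinhole people usually want: answering ICMP echo so others can ping you.
gen_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # unsolicited inbound: dropped by policy
    echo ':FORWARD DROP [0:0]'    # one NIC, nothing to route
    echo ':OUTPUT ACCEPT [0:0]'   # no egress filtering, as Chip argues
    echo '-A INPUT -i lo -j ACCEPT'
    # The stateful part: replies to connections this box opened get in;
    # anything that did not originate here falls through to the DROP policy.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    if [ "$1" = "ping" ]; then
        echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    fi
    # Log what gets dropped (rate limited) so a scan shows up in dmesg.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "'
    echo 'COMMIT'
}

# Load the ruleset atomically; must run as root.
apply_rules() {
    gen_rules "$1" | iptables-restore
}

# What to check after loading: the rules actually in the kernel, with hit
# counters, and what is listening (netstat -l, as roberts suggests). If INPUT
# still shows policy ACCEPT or an empty chain, the script never ran and a
# port scan from another machine will light up exactly as before.
show_status() {
    iptables -L INPUT -n -v
    netstat -ltun 2>/dev/null || ss -ltun
}

case "$1" in
    apply)  apply_rules "$2" ;;
    status) show_status ;;
    *)      gen_rules "$1" ;;
esac
```

Run it with no argument to review the generated rules first, then `apply` (or `apply ping`) as root and `status` to confirm the INPUT policy reads DROP before trusting a scan result.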
Posted by AwPhuch on Dec. 06 2004,17:34
You are kidding, right?
Brian AwPhuch

Posted by ico2 on Dec. 06 2004,17:48
nope, no kidding, they really annoy me.
Posted by cbagger01 on Dec. 06 2004,18:00
Easy solution. Spend $10.00 (w/rebate) and buy a hardware firewall / router on sale during most weeks. Install hardware firewall / router in between the broadband modem and the PC. The only drawback is that the hardware firewall is not "application aware" so it can't detect outbound traffic from trojans or spyware but it is much less annoying and doesn't slow down the PC like the Zonealarm crowd. Also, if you are an advanced user and wish to set up complicated firewall rules you will need to use a software firewall or a more advanced hardware product like a Linksys WRT54G (which runs embedded Linux ARM as its OS) that lets you ssh in and set up rules from the command line.

Posted by ico2 on Dec. 06 2004,21:11
I just do not like firewalls, there are times when people need to ping you or connect to a specific port for some reason. My data is a price I am willing to pay for lack of irritations.
Posted by chipandrews on Dec. 07 2004,17:03
Well, I installed rcFirewall.dsl and then selected to enable it in the MyDSL menu. I get a nice friendly message telling me that the machine is secured. I then initiate a port scan of the box (yes - from another machine on the network) and it lights up like a Christmas tree - just like before I installed the firewall. Obviously something is not right. Am I missing something? I changed nothing - took the defaults all the way.
Chip

Posted by JoeCA on Dec. 08 2004,05:01
Hummmmmmmmmm. No open ports by default. Installs a firewall. Then claims it lights up like a Christmas tree. Yet nothing posted which ports become open. Like I said hmmmmm.

Posted by ico2 on Dec. 08 2004,09:54
Strange. Welcome to the forums btw, joeca.