Ask Slashdot: User-Friendly Firewall For a Brand-New Linux User?
An anonymous reader writes "I am a new Linux user; I'm on my 2nd day now. Currently I am trying out Ubuntu, but that could change. I am looking for a user-friendly firewall that I can set up that lets me do these things: 1) set up a default deny rule 2) carve out exceptions for these programs: browser, email client, chat client, yum and/or apt. 3) carve out exceptions to the exceptions in requirement 2 — i.e. I want to be able to then block off IPs and IP ranges known to be used by malware, marketers, etc., and all protocols which aren't needed for requirement 2. It also needs to have good enough documentation that a beginner like me can figure it out. Previously, I had done all of the above in AVG Firewall on Windows, and it was very easy to do. So far, I have tried these things: 1) IPTABLES — it looked really easy to screw it up and then not notice that it's screwed up and/or not be able to fix it even if I did notice, so I tried other things at that point... 2) searched the internet and found various free firewalls such as Firestarter, GUFW, etc., which I wasn't able to make meet my requirements. Can someone either point me to a firewall that meets my needs or else give me some hints on how to make Firestarter or GUFW do what I need?"
Shorewall is a pretty good iptables configuration tool.
I've used Astaro for years and been very happy with it. It includes many free features (VPN is great) and there are other features you can add for a fee. Sophos purchased it a couple of years ago and still have a very featured free version.
http://www.sophos.com/en-us/pr...
And more user-friendly to set up. It should be available for all decent Linux dists, too.
Unless im mistaken...I may very well be....Firestarter is just an interface to iptables.
PF speaks almost proper english like you and me.
The latest beta of Ubuntu uses kernel 3.13 which does away with iptables. (Which is probably going to confuse tons of admins too. lol.)
I would suggest installing WINE and then running Windows Firewall.
Something based on Windows XP if you value your family's security.
If you are willing to learn how to use a text editor, OpenBSD's pf is a pretty great home firewall. I run it on a little Soekris box at home.
You will have a little learning curve, but you'll be getting a real firewall out of it.
The pf documentation is pretty good, and there are a ton of tutorials out there. Calomel.org has what is possibly the best one.
The gufw will do most of what you want. If you need finer control then use the very friendly ufw command line tool. UFW has a great manual page so start there.
I know you've said you're trying to avoid screwing it up, but if you want, the CentOS wiki is pretty good for explaining what and why, and since it's a kernel firewall, it applies to Ubuntu too. In fact, I suspect all other "firewall tools" are basic GUI frontends to iptables. If you are indeed concerned about firewalling (though not quite as concerned as crypto-specialists), you probably at least want to have a go at it manually with some easy-to-understand notes.
When in doubt, try it on a virtual machine of course.
I put together a general, documented, script that I run on all my new installs; comment out any lines you don't need. nixCraft has some notes on restarting the Ubuntu iptables/firewall under what I assume is upstart.
The built-in firewall in Ubuntu, UFW https://wiki.ubuntu.com/UncomplicatedFirewall, is great, and very straightforward. If you find it not to be so, Linux might not be for you.
I can understand trying to wall off Windows from what you can, but with non-Windows you just make sure you only enable services that you want. Use good passwords, lock it down so only what you want running can run, and don't listen to the script kiddies knocking on your door. Crank up the stereo.
I assume your box hangs off a router of some sort? It's probably all you need for a firewall.
Mono, BSD based but the UI is great. Best NAT/port forwarding interface I've seen.
Can't get any easier with an easy to use web interface
I was going to troll with a 'Linux is so secure it doesn't need a firewall' comment, but a serious poster beat me to it.
Ok, seems like you're trying to do things the Windows way, i.e. blocking outbound connections based on which application is running. Things are not done that way on Linux. Outbound connections are open and most of us are fine with it.
Many of the posts so far direct the original poster to dedicated firewall appliances or distributions. If I read the summary correctly, the OP is simply looking for a good GUI to manipulate the firewall rules built into the kernel of all modern Linux distributions.
I can't vouch for any of them, but GUI frontends include guardog, lokkit, firestarter, and probably others. They are all in various states of development and maintenance.
Part of what the user wants to do (firewall per app) wasn't possible in the past with iptables (per-gid blocking was easy), but I believe it's now possible. A primitive daemon, called Leopard Flower, seems to offer this functionality: http://leopardflower.sourcefor...
From what I can see, the most promising, integrated, easy-to-use firewalling GUI software going forward is Fedora's firewalld and its accompanying GUI. I know firewalld is available on Ubuntu (and its command-line interface). I'm not sure about the GUI part. Perhaps someone familiar with Ubuntu can comment. Here's an article on installing it in Mint, so I assume it's similar in Ubuntu: http://www.linuxbsdos.com/2013...
From what I can see, firewalld and firewall-config hit the sweet spot for most desktop users. I'd never use it on my router, but for a desktop, it works pretty well and is under active development. I imagine it will sport a per-application feature soon, if it doesn't already.
I have used Firewall Builder for this and it worked well.
You're making the assumption that all the bad stuff is outside the firewall and nothing evil ever gets in.
An example of how I use my firewall, is I block my email program from making any network connection other than imap/smtp. If it tries to make any other network connection (eg: downloading images from a web server), the firewall blocks it.
Lots of options:
http://www.ipfire.org/
ufw can be installed from apt-get (no gui)
ddwrt runs on many routers and has lots of features... don't need a full PC.
I just jumped into playing with pfsense. It's based on FreeBSD, but it was very easy for me to get in and mess around with. :)
Linux's "outbound connections are open" paradigm was designed in the good old days of innocence, before malware grew to current levels and before applications were phoning home.
In today's world, that early innocence is badly misplaced. Third party applications need to be restricted to nothing more than the outbound connections which the user permits.
he wants a global way of configuring which applications have the capability to connect to what servers or open what ports. This is a different meaning of 'firewall' than is used in the Unix world.
AFAIK there's already some capability enforcement prohibiting some programs from accessing the Internet in modern Linux distributions, but, I don't really know how it's configured either.
It is easy to install and set up, the free version does everything you want, and it can even run dns and dhcp for you.
1997 called and wants its comment back...
You shouldn't have to read a HOWTO to setup a simple firewall. It should be a "click-click-done" job.
That's the part I actually doubt. All firewalls configured by normal users I've seen in my lifetime were so much of a mess that they either had more holes than a Swiss cheese or were so strict they became unusable.
I'm also quite surprised about "ranges known to be used by malware, marketers, etc...". If those were really even halfway public knowledge, there would be no malware or "marketing" problem on the Internet.
This one should get his medication, and think his strategy over.
I haven't had the need to set up a separate firewall since...well since I started using Linux. On Winders, it was essential to have a good 2 way firewall. Never had a Linux computer hacked that I noticed. (have had Windows boxes hacked to the point they'd hardly run.)
i have a bit of a problem comprehending firewall rules (and deploying them). i asked around (just as you did) and got the advice "use fwbuilder". i liked it so much that i ended up writing a python script that parsed its xml files and generated HTML output so that i could clearly see what it was doing.
but, despite admitting that i am not a firewall rules expert, i do have to say that nothing substitutes for actually studying what firewall rules are and understanding them properly. i say that from the position of being a person who, whenever they need firewall rules, does an internet search and cuts/pastes the results successfully into an amalgam that "does the job", but it "does the job" with the concern always being in the back of my mind that i probably completely messed it up...
... you just make sure you only enable services that you want.
I block my email program from making any network connection other than imap/smtp.
Is there an echo in here?
You may want to have a look at: https://www.pfsense.org/ Very good option...
This - http://www.fwbuilder.org/
It's been around for ages, is really easy to use and supports a whole bunch of stuff like iptables and pf firewalls.
Untangle is probably the easiest I've come across. The free basic package (Lite) even comes with openvpn: https://www.untangle.com/store/lite-package.html
Just a suggestion. I'm sure someone here will recommend the right solution.
So... https://wiki.ubuntu.com/UncomplicatedFirewall
The UFW command does wonderful things.
Never had a Linux computer hacked that I noticed. (have had Windows boxes hacked to the point they'd hardly run.)
If this box was supplying connectivity to a LAN of Windows boxes, that would be a different thing. That isn't the case here.
Why not take this opportunity to learn how iptables works and how to edit the text-based configuration? The basics are pretty easy - you can figure out how to allow ssh, for example, and get up and running without knowing something like how to set up vpn traffic forwarding.
Isn't part of the point to learn how Linux works? It's not just like Windows, but that can be a plus. Once you get past the "AAH, I DONT HAVE ANYTHING TO CLICK ON" stage, you may just find it's actually easier! Personally, having done both, I'd much rather admin Apache than IIS - and Windows is shifting more towards the Linux paradigm at the server side anyway.
You might consider using a hosts file instead of or in conjunction with. http://winhelp2002.mvps.org/ho...
Firewalling is a windows necessity with nasty shit piggy backing in on exploits in legitimate shit, not so much in Linux, however. If you're using client applications (web browser, email client, etc) then they will only open up sockets when needed and not open ports to receive traffic. And I agree with what I read above: if you know what services you're starting, you don't need a firewall.
gufw should be fine for what you need. Start by clicking the unlock button to unlock controls.
1. Set firewall policy (dropdowns) to Deny outgoing, Allow incoming. Now all unsolicited inbound traffic will be blocked.
**Note: You probably don't need to block outbound traffic. You also don't need to allow inbound smtp/pop/imap just to check your mail - those are outbound connections from your computer to the server. Unless you're serving content, you're probably done here. (Do other computers connect to your computer to get stuff?)
2. If you are providing a service(example ssh access):
Click [Add] button to add an exception. In Preconfigured tab select [Allow] [In] [Service] [SSH], then click [Add]. If the service or application isn't listed (or has been configured to use different ports!) use the simple tab and select [Allow] [In] [TCP] [22].
At this point only the ports/services/applications you've explicitly added will be allowed in.
3. There are two ways to make exceptions to #2:
First you could just make a more complicated rule using the advanced tab to set any of these ip requirements: source, sourceport, destination, destport.
The other way (and probably best for you) is to make another rule to deny untrusted host.
Example: if you didn't trust 10.1.1.1 Click [Add] to start a new rule. Go to advanced tab, check [show extended actions] and set the first number to 1 -- this will make sure your deny rule is the first rule and will come before the allow rule. Now set [Deny] [In] [Don't Log] [Both] from:10.1.1.1 (leave from-port/to/to-port blank). -- this will block 10.1.1.1 from accessing your computer even though other hosts can connect to your SSH (from #2)
done. protip: rtfm, learn tcp/ip. CAPTCHA: barrier
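The point in step 3 above is rule order: a deny appended below an allow for the same port is dead, which is why the post tells you to force it to position 1. As an added illustration (example code, not from the post and not gufw's or ufw's own logic), here is a small first-match rule evaluator in Python. It models only source address, protocol and destination port with a Deny incoming policy; the real ufw rules are also stateful, and the addresses and rule names below are invented for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


# Hypothetical rule model: first matching rule wins, otherwise the chain policy.
# ufw/gufw additionally track connection state; that is deliberately left out.
@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None   # "tcp", "udp" or None for both
    src: Optional[str] = None     # source host or CIDR range, None for any
    dport: Optional[int] = None   # destination port, None for any

    def matches(self, proto: str, src_ip: str, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.src is not None:
            # An IPv4 network never contains an IPv6 address and vice versa.
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        return True


def evaluate(rules: List[Rule], policy: str, proto: str, src_ip: str, dport: int) -> str:
    """Walk the chain top to bottom; the first match decides, else the policy applies."""
    for rule in rules:
        if rule.matches(proto, src_ip, dport):
            return rule.action
    return policy


# Step 2 of the post: inbound SSH is the only allowed service.
ALLOW_SSH = Rule("allow", proto="tcp", dport=22)
# Step 3: the exception to the exception, a host (or a whole range) we do not trust.
DENY_BAD_HOST = Rule("deny", src="10.1.1.1")
DENY_BAD_RANGE = Rule("deny", src="10.1.1.0/24")


def appended_deny() -> str:
    """Deny added at the end: it sits below the allow and is never reached for port 22."""
    return evaluate([ALLOW_SSH, DENY_BAD_HOST], "deny", "tcp", "10.1.1.1", 22)


def deny_at_position_one() -> str:
    """Deny inserted as rule 1, as the post instructs: it wins."""
    return evaluate([DENY_BAD_HOST, ALLOW_SSH], "deny", "tcp", "10.1.1.1", 22)


def range_deny_first() -> str:
    """Same idea for a whole range placed first."""
    return evaluate([DENY_BAD_RANGE, ALLOW_SSH], "deny", "tcp", "10.1.1.77", 22)


def trusted_host_ssh() -> str:
    return evaluate([DENY_BAD_HOST, ALLOW_SSH], "deny", "tcp", "192.168.1.20", 22)


def trusted_host_other_port() -> str:
    """No allow rule for port 80, so the Deny incoming policy applies."""
    return evaluate([DENY_BAD_HOST, ALLOW_SSH], "deny", "tcp", "192.168.1.20", 80)


def ipv6_host_ssh() -> str:
    """An IPv4 deny never matches an IPv6 source; the allow still applies."""
    return evaluate([DENY_BAD_HOST, ALLOW_SSH], "deny", "tcp", "2001:db8::10", 22)


if __name__ == "__main__":
    for f in (appended_deny, deny_at_position_one, range_deny_first,
              trusted_host_ssh, trusted_host_other_port, ipv6_host_ssh):
        print(f"{f.__name__:24s} -> {f()}")
```

The last case is the caveat a beginner misses: an IPv4 block list says nothing about IPv6, so if the host has a global IPv6 address the "bad host" rules need v6 counterparts too.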
You clearly didn't comprehend. It's not just about enabling the services that you want, but making sure that even if the services behave in unexpected ways you're still covered.
For example, it's not unheard of for updates to suddenly misbehave...
Welcome to Linux except it isn't called Linux anymore the new name is Lennart NT.
All these mean druids are telling you that you have to learn iptables. Too bad they don't know it is about to be replaced by firewalld.
https://fedoraproject.org/wiki...
Yeah, just read all the documentation to educate you about network security and firewalls, and then read all the documentation for all of the front-ends so you can make an educated decision about which one to use. It's not as if there are other people that know more than you that could advise you out of some fellow-feeling of community or anything. Not in linux-land at least, there you just get blasted for not re-doing all the work for yourself. I'm surprised you didn't demand they write their own version of iptables!
Hi
Good you found Linux and you are trying it.
Some rules you should know about different Operating Systems - examples about Linux here:
- Linux does not need a firewall. Unless you are protecting other computers.
- A firewall is not needed unless you have ports open (listening) that you cannot close. On Linux _you_manage_your_computer_ and you can close programs which are listening and you don't like.
- If you have any services you want to protect being accessed from bad/wrong hosts... you have options like tcpwrapper.
So check your ports by running command: sudo lsof -i -Pn
It shows you currently open connections AND ports which are ready to receive traffic from Internet.
If you see ports that you don't want listening, identify them and stop them. Like this:
smbd 7114 root 26u IPv6 101652 0t0 TCP *:445 (LISTEN)
So you have smbd (Samba) listening on TCP port 445, it has PID number 7114 ("sudo kill 7114" to kill it) and it is running at root level.
So - you don't need a firewall. Just knowledge of how to close unneeded services/programs.
Br, Henri
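The check Henri describes (look at lsof -i -Pn, find what listens on non-loopback addresses, note the PID and user) is easy to script. The following is an added example, not code from the post, that parses lsof -i -Pn output and reports the sockets other hosts can reach, flagging the root-owned ones first. The lsof output embedded in it is constructed for the example (process names, PIDs and addresses are invented); run it with real output piped on stdin.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `sudo lsof -i -Pn` output (not captured from a real host).
SAMPLE_LSOF = """\
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      1034   root    3u  IPv4  18210      0t0  TCP *:22 (LISTEN)
sshd      1034   root    4u  IPv6  18212      0t0  TCP *:22 (LISTEN)
smbd      7114   root   26u  IPv6 101652      0t0  TCP *:445 (LISTEN)
cupsd     1201   root    7u  IPv4  20100      0t0  TCP 127.0.0.1:631 (LISTEN)
firefox   2310  alice   58u  IPv4  33001      0t0  TCP 192.168.1.20:50122->93.184.216.34:443 (ESTABLISHED)
dnsmasq   1180 nobody    5u  IPv4  19999      0t0  UDP 127.0.0.1:53
avahi-dae 1100  avahi   12u  IPv4  19001      0t0  UDP *:5353
"""

# lsof prints IPv6 addresses in brackets ("[::1]:631"); "*" means every address.
_LOCAL = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    proto: str   # "TCP" or "UDP"
    addr: str    # bind address, "*" for all interfaces
    port: int

    @property
    def exposed(self) -> bool:
        """True when hosts on the network can reach this socket."""
        if self.addr == "*":
            return True
        return not ipaddress.ip_address(self.addr).is_loopback

    @property
    def kill_hint(self) -> str:
        return f"sudo kill {self.pid}  # {self.command} ({self.user})"


def parse_lsof(text: str) -> List[Listener]:
    """Pick the receive-ready sockets out of `lsof -i -Pn` output."""
    found = []
    for line in text.splitlines():
        fields = line.split(None, 8)   # NAME (last column) may contain spaces
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue
        command, pid, user, _fd, _type, _dev, _off, node, name = fields
        if node not in ("TCP", "UDP") or "->" in name:
            continue                   # not an Internet socket, or already connected to a peer
        local, _, state = name.partition(" ")
        if node == "TCP" and state != "(LISTEN)":
            continue                   # only listening TCP sockets accept new connections
        m = _LOCAL.match(local)        # a bound UDP socket has no state and receives as soon as it is bound
        if not m:
            continue
        addr = m.group("v6") or m.group("v4")
        found.append(Listener(command, int(pid), user, node, addr, int(m.group("port"))))
    return found


def exposed_listeners(text: str) -> List[Listener]:
    return [l for l in parse_lsof(text) if l.exposed]


def root_exposed_listeners(text: str) -> List[Listener]:
    """The ones to look at first: reachable from the network and running as root."""
    return [l for l in exposed_listeners(text) if l.user == "root"]


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    for l in exposed_listeners(text):
        print(f"{l.proto} {l.addr}:{l.port:<5} {l.kill_hint}")
```

Usage: `sudo lsof -i -Pn | python3 listeners.py`. Loopback-only services (cupsd on 127.0.0.1:631, dnsmasq on 127.0.0.1:53 in the sample) are skipped; killing a PID only stops the running instance, so also disable the service so it does not come back at boot.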
You're welcome. If you can't figure out iptables, you have no business editing firewalls anyway.
1997 called and wants its comment back...
For machines which are not routers the comment is just as valid now as it was then. If you use a GNU/Linux distribution that takes security seriously then it will not install any externally-visible network services by default. The attack surface in that condition is small enough that installing a firewall won't help much, and might even make matters worse. If you deliberately install any public-facing network services then you need to add matching firewall rules, so again no benefit.
A firewall does help if you install a private network service and forget to bind it to the loopback interface (unless you have one of those systems which automatically install a firewall rule alongside the network service, which totally defeats the purpose of having a firewall). In any event, this only protects against internal incompetence rather than external malice, so is not a necessary part of running a secure system.
Firewalls are useful on routers, and on servers where you want very specific control of what can be accessed from where (such as a DBMS that is only accessible from a single client machine), but for typical Linux-based hosts they add little.
Have you tried Little Snitch? When an app tries to open an outgoing port, it intercepts it and pops up a dialog giving you the option to allow the app to open any port, just that port, just to that target -- and then you can qualify that with once, until reboot, or forever.
You can edit these settings later if you have a reason to.
I've found it to be very useful, and certainly not difficult in any way.
Not affiliated, just a happy customer.
I've used Zentyal for some time: Ubuntu based, powerful, very easy even if a little canned up (you MUST use the GUI or risk ruining your setup).
Also Untangle is very good, powerful and easy.
King of simplicity can be ipCop: it's been going for years and is very well made, strong, flexible and easy to use.
Of course you can use Shorewall or even ufw (Uncomplicated Firewall, bundled with ubuntu server), both GUI. Webmin will give you a pretty good front end for shorewall.
I use CentOS for my web servers. I have some still fully functional XP boxes and laptops that I was looking to move over to Linux so I tried Ubuntu. Eh. It was nice.
Then I tried Linux Mint and I like it so much better, especially since it "feels" more like XP than Ubuntu.
Give Mint a try.
(Yes, I know Mint is based on Ubuntu but the UI is certainly different)
You're either doing nothing particularly interesting in which case any consumer appliance will do.
Or you are doing something inherently interesting and should not be a total rube while doing it. In that case, you should be able to deal with the iptables interface or seriously reconsider what you are doing.
There's a little issue of professional responsibility here. You should have enough pride to not want to be a menace to others and willing to do what it takes to ensure that.
Defining rules on a program-by-program basis is hard on Linux.
That's sort of embarrassing for a "secure" operating system, right?
The historical reason: filters based on application (as opposed to port) are comparatively slow and complicated. Linux thrives in a server environment, where the threat model is different: on a server, it's a better idea to write extremely restrictive firewall rules that all applications must abide by. Spyware is not much of a threat on a server that allows no outgoing connections except HTTPS to 10.x.x.x.
The feature does exist, in something called "libnetfilter_queue". I haven't seen anything that's usable by Normal People. Folks who want to write their firewalls in C can start here: https://home.regit.org/netfilt...
Because it is no longer updated. I used to use it too, but it doesn't work with the latest stable Debian and its Kernel versions. :(
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
IPTables is by far the best firewall for linux, and its built-in to boot.
If you're iffy on command-line parameters, install Webmin on your system. It gives you a web interface, and the IPTables page makes configuring your firewall relatively newbie-proof.
I, for one, hate IPTables on the command-line, and much prefer the Webmin method. Its what I use on my home server.
I'm a little surprised nobody has mentioned firehol - http://firehol.org/. I've been using it for my simple needs, and it is fabulous. Easy to learn, simple language, great results, and CLI-friendly. (Prior to discovering it, I used guarddog, which I found to be good but which isn't anywhere near as good as firehol.) From the firehol page: FireHOL is an iptables firewall generator producing stateful iptables packet filtering firewalls, on Linux hosts and routers with any number of network interfaces, any number of routes, any number of services served, any number of complexity between variations of the services (including positive and negative expressions).
"As of 2014-01-12, this project is no longer under active development." text. :(
I like GuardDog, but it is no longer updated and doesn't work with the latest Debian/Linux's Kernels when I tried it a couple years ago. :(
What if it is a portable machine and (s)he wants to use public wireless Internet? Also, what if (s)he wants to block outgoing connections and stuff which hardware firewalls can't do?
Doing a bit of research, the official Ubuntu firewalling utility is ufw, and there is a default GUI for it called gufw. Probably the OP should direct his attention here first.
...on my favorite distro I do have a GUI for the firewall.
On the other hand, my opinion on Ubuntu is "the Windoze of the Linux world", much smoke but no fire.
If standalone, as in replacing your existing router, I've used IPcop, Smoothwall (a little more flexible) and full-blown ClearOS with mail server, antivirus, even the kitchen sink (well, almost).
If on the same machine, I honestly don't know, since I'm currently only running Windows and OSX
You want someone two days into a simple desktop linux system to get a consumer appliance?
Surely there should be some simple point-and-click app he can install from the desktop that will prevent basic misbehaviours. The very act of asking here shows that he does indeed have pride enough to want not to be a menace.
No. Well...maybe. Actually, yes. It really just depends.
Firewalls are about keeping things in as well as out. One of the reasons that there are so many problems on corporate networks is that there are oftentimes no firewalls once you get to the LAN. I remember when I was in college the setup in the dorms was dire. People would be sharing things read and write and you'd wind up with all sorts of nasty things on the network, and then there was the malware.
That's fine as long as you are sure there are no bugs in the services you run and the TCP/IP stack, and you keep them all up to date, and you don't mind kiddies hammering on your door 24/7 trying to guess your passwords.
he wants a global way of configuring which applications have the capability to connect to what servers or open what ports. This is a different meaning of 'firewall' than is used in the Unix world.
AFAIK there's already some capability enforcement prohibiting some programs from accessing the Internet in modern Linux distributions, but, I don't really know how it's configured either.
I simply use an alternate user to arrange this. In my case, it's the Windows games I run via Wine. I don't trust them and I have no need for single-player games to connect to remote servers.
So I create a user named "winegames". I run all Windows games as this user. Then I add a simple iptables rule:
iptables -A OUTPUT --match owner --uid-owner winegames -j REJECT
Now nothing run as "winegames" can connect anywhere. A few games will briefly complain that they can't connect to the server so that people who don't care can see my in-game achievements but that's alright. Also, I use REJECT instead of DROP so that the programs get an instant error when they try to connect. If you use DROP they will waste a lot of time waiting for a response that will never come.
Incidentally, if your distro does not provide this, you will need to add a line to your PAM config to allow alternate users to open windows on your X display. For my distro (Gentoo) the file is /etc/pam.d/su. I simply add this to the file on its own line: "session optional pam_xauth.so". Now the alternate user "winegames" can open new windows on the X server started by my main user.
FreeBSD, but hard to beat Pfsense. It is actually very easy to use.
This will have you up running and understanding. http://www.malibyte.net/iptabl... Do it right.
Use GUFW for the simple rules, and Privoxy to filter the crap that GUFW can't set, both simple to use with a little reading. http://www.privoxy.org/
Really? Android = Linux & it's being torn up faster than windows ever was in the same timeframe in the "top spot", despite all your b.s here on /., that IS fact.
In fact - So much for the typical "Open SORES" bullshit we've heard for YEARS out of you idiots of "Windows != Secure, Linux = Secure" purest CRAP!
Especially now that ANDROID has a top spot, finally, on some platform in smartphones (only 1 reason for it - FREE OS, lowers unit costs, but no other REAL REASON other than that)?
Again - ANDROID OS (a Linux) is proving my thoughts that the MORE ANY OS IS USED, the more APT IT IS TO BE ATTACKED
See... criminals online? They TRULY ARE, just like street pickpockets!
I.E./E.G. - they don't "target crowds of 1" only (like Linux on the desktop - almost non-existent by comparison to Windows' what? Near 95% marketshare there??), they go after BIG crowds (ala train & bus stations, crowded streets, or OTHER throughfares like malls)...
So, now that you've got it on smartphones. you have WORSE ISSUES THAN WINDOWS EVER HAD IN THE SAME TIMEFRAME of existence @ a top most used spot & yes, on a Linux.., fact.
P.S.=> You "penguins" would do a LOT BETTER telling the REAL TRUTH - not your marketing LIES b.s. speak... seriously!
Most distros will have the rules in a single script, they are really easy to read, modify and understand. I don't understand what good a GUI would do for something as simple and important as a rule-based firewall, GUIs only hide things.
Off the top of my head:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
To get a detailed overview of the rules:
iptables -nvL
If you need any simpler, just go with the defaults your distro has to offer, they'll be secure.
hey mate, if you have a 2nd computer to use for "getting help" spend 1 week going through installing gentoo. you will learn heaps.
https://www.gentoo.org/doc/en/gentoo-x86-quickinstall.xml
gentoo docs are great. the outcome will be you have a very good understanding of how it all works. including some firewall stuff
good luck!
Most desktop Linux distributions that I'm aware of include Mozilla Firefox or a renamed version of Firefox. By default, Firefox downloads and runs third-party JavaScript applications linked from web pages that the user visits. So do Chrome and other renamed versions of Chromium.
IPFilter or PacketFilter on NetBSD. I am a bit redundant since it was already proposed for OpenBSD and FreeBSD, but NetBSD was missing :-)
I must add that BSD are good systems to learn. They take no initiatives and most of the time stick to common Unix tools instead of reinventing the wheel. That means for instance that knowledge acquired on NetBSD can be useful on Linux
What that guy is asking for isn't a simple firewall. Windows firewall can't do that, as far as I recall.
Well... maybe. Or maybe not. But definitely not sort of.
Since Ubuntu Linux and most every other desktop Linux available in 2014 has an "easy to use", intuitive GUI firewall configuration utility, I am skeptical that any person using Linux, even for the first time, would (a) receive space on Slashdot to ask such a question, and (b) a question that I consider completely unnecessary if the writer is guided by common sense in using the standard and well documented visual Ubuntu Firewall application, and suspiciously naive in not going first to the Ubuntu Help center or any person nearby who is not simple-minded in regard to technology.
Firewalls are mostly a Windows thing. You don't really need one on a Linux desktop.
You don't even need one on a server either. A server just needs a single rate limiting rule.
That is why Ubuntu ships with no firewall rules.
pfSense for a simple, easy to use open source firewall or, for a full-featured community supported firewall, give Untangle a try ...
Just get webmin and use that for everything.
Unless you know exactly what you are doing, what ports you have open and what the risks of each are, you SHOULD USE a firewall... ALWAYS!! no matter if you are using Windows, Mac OS X or Linux.
IIRC, Ubuntu has no open ports by default, so that is why it doesn't have a default firewall, but if you start installing programs, especially server programs, you should configure a firewall in a correct way.
I use an old script called gShield on older machines and fwbuilder on newer ones. I also use custom iptables scripts. If you know a little about networks, building a firewall isn't hard, try it!
Higuita
iptables fucking sucks and everybody knows it. Here's a nickel kid, get yourself a real firewall. http://www.openbsd.org/faq/pf/...
No, there is not an echo in here. What happens when a mail client gets compromised and there aren't restrictive outbound firewall rules in place on the machine?
I'm philip.paradis, and posting anonymously only because I don't log in on non-personal machines.
https://help.ubuntu.com/community/Firewall
Firewalls are about keeping things in as well as out. One of the reasons that there are so many problems on corporate networks is that there are oftentimes no firewalls once you get to the LAN. I remember when I was in college the setup in the dorms was dire. People would be sharing things read and write and you'd wind up with all sorts of nasty things on the network, and then there was the malware.
Yes, but I presume you are talking about Windows machines which run an SMB/CIFS server out of the box. Most GNU/Linux distributions rightly don't do that. Typically if you want to run Samba, or an FTP server, or an HTTP server on the default port then you need to be root to do that. Once you are root then you can also poke a hole in the firewall.
Granted you can run servers on high-numbered ports, but within a LAN all that does is allow two machines that had already been compromised to communicate with each other. For communication with the outside world I prefer to detect and/or block that at the boundary router (otherwise all it takes is a local root exploit to disable the firewall).
The same applies to outbound connections, although in a world where so many programs need network access that is arguably a lost cause for general-purpose workstations. In any event, a firewall isn't the right tool for controlling the capabilities of individual programs: you really need something like SELinux or AppArmor to do that effectively.
When was the last time you were party to a serious information security audit? I get the feeling you don't protect data of substantial value for a living.
In any event, this only protects against internal incompetence rather than external malice, so is not a necessary part of running a secure system.
You forgot to mention internal malice.
That's fine as long as you are sure there are no bugs in the services you run and the TCP/IP stack, and you keep them all up to date, and you don't mind kiddies hammering on your door 24/7 trying to guess your passwords.
If you need a service to be publicly accessible then you will need to configure the firewall accordingly, in which case it typically provides no protection if the service is exploitable.
If the service doesn't need to be publicly accessible then either turn it off or bind it to the loopback interface. Why add extra software to protect against a vulnerability that you could have avoided creating in the first place? Note that operating systems that take security seriously do not install public-facing network services unless you ask them to.
Firewalls certainly have their uses, but they aren't a necessity on non-Windows machines in the way that they are for Windows.
I use DroidWall (iptables frontend) on my Android phone (=non-Windows) to keep apps from sending my private data out. As an added bonus, it blocks most ads.
Yes, you can choose to not install those apps, but most of them want a network connection and access to storage...
Firewalls are absolutely essential, but you're thinking about them the wrong way out of FUD.
You know that certain blocks of IPv4 addresses are infamous for malware, but do you know their IPv6 counterparts? What if your neighbor's computer is infected with the latest and greatest zombienet? Heuristic blocking is far superior in that regard.
Install fail2ban and you will have inbound heuristic blocking. It looks at your system log files and applies clear rules for temporarily banning misbehaving IPv4 and v6 addresses. You will see lots of script-kiddie-style attacks and not much else. Because in the real world, most inbound malware is automated probes by people looking for known points of entry. Block them and you block almost all inbound malware. Further, it uses IPTables to execute the blocks, so it is transparent AND doesn't add another layer of cruft.
Your best protection from outbound malware is still good computer hygiene. Failing that, you can use the GUIs, but there is a reason they are not that common. It's because there isn't a culture of making malware for Linux (outside of server deployments). A note of caution - feel free to block ICMP, TCP and UDP traffic, but do NOT block Sockets traffic, or you will cry as your logging shuts down and the GUI fails in weird ways. Linux counts them all as equal network traffic.
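The fail2ban setup the comment above describes, written out as an added example (it is not part of that comment and not fail2ban's shipped configuration). The function writes a jail.local that enables the sshd jail and the recidive jail; the thresholds, ban durations and the ignoreip list are constructed example values, and the directory argument exists only so the file can be generated somewhere other than /etc/fail2ban for review.

```shell
# write_jail_local [DIR]
# Writes a minimal fail2ban jail.local (DIR defaults to /etc/fail2ban).
# jail.local overrides jail.conf, so package upgrades do not clobber it.
# The numbers below are constructed example values, not fail2ban's defaults.
write_jail_local() {
  dir=${1:-/etc/fail2ban}
  cat > "$dir/jail.local" <<'EOF'
[DEFAULT]
# a source is banned after maxretry failures inside findtime seconds, for bantime seconds
bantime  = 3600
findtime = 600
maxretry = 5
# never ban the host itself; add your own management addresses here
ignoreip = 127.0.0.1/8 ::1
# the ban is executed with iptables / ip6tables, one chain per jail
banaction = iptables-multiport

# the sshd filter ships with fail2ban; enabling the jail is all that is needed
[sshd]
enabled = true

# recidive watches fail2ban's own log and re-bans addresses that keep
# coming back after a ban expires, for a week
[recidive]
enabled  = true
bantime  = 604800
findtime = 86400
EOF
}

# Apply and inspect (root and a running fail2ban required; not executed here):
#   write_jail_local && fail2ban-client reload && fail2ban-client status sshd
```

`fail2ban-client status sshd` lists the currently banned addresses, and `iptables -L f2b-sshd -n` shows the chain fail2ban inserted, which is the "uses IPTables to execute the blocks" point made above.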
I know you're new to the Linux world, but while you're at it, dive into the BSD realm too.
You can do firewalling with packet filter instead of iptables (better session tracking). BSD is generally better as a network appliance than Linux for a number of reasons, and for firewalling especially. Better session tracking, better dynamic protocol handling, better error and flow control, and generally more robust. Iptables is powerful, but it has its downsides that can be felt these days with higher network speeds, IPv6, and dynamic network protocols, which is why the Linux kernel is moving away from it to NFTables. But NFTables is not yet complete, hence we circle back to BSD with its pf package.
pfSense offers exactly what you're looking for and probably more. It provides a gui and cli to manage the device and a robust user/support community. Beyond firewalling you can do proxy, captive portal, VPN, DNS, DHCP, NAT, IPS/IDS, and a whole lot more. It has a webGUI and sets up in all of about 10 minutes.
It packs all of the features you would see on "enterprise class" firewalls, just open source.
https://www.pfsense.org/
In any event, this only protects against internal incompetence rather than external malice, so is not a necessary part of running a secure system.
You forgot to mention internal malice.
Let's put my comment back into context. I was talking about forgetting to bind a private network service to the loopback interface. That would normally be done by an administrator. If an administrator is acting maliciously then you have fairly serious problems with or without a local firewall. In fact, this is a pretty good demonstration of my point that if you are going to use a firewall to protect against that kind of threat then the firewall wants to be on a different box (eg. a router or dedicated firewall), not the one that you are expecting to be compromised.
To be clear: I'm not saying that firewalls should never be used on Linux-based hosts (that would be ridiculous), only that they are not a necessary part of running Linux securely in the way that they are for Windows.
'User-friendly' and 'brand-new Linux user' in the same sentence.... ha, ha, ha! That was funny!
It totally was. :(
AFAIK there's already some capability enforcement prohibiting some programs from accessing the Internet in modern Linux distributions, but I don't really know how it's configured either.
Can't add much, but the systems are called AppArmor and SELinux. Just wanted to note that this may indeed be a great opportunity for the security focused. You have to choose a distro that supports the system you like best. There are GUIs for configuring them, but they aren't very mature I think.
Using different users is a nice solution, which I use to run the browser. You can also start the applications using kdesu or gnome-sudo; then you don't need to add a pam configuration. Just a heads up to the parent, I can't find a damn way to get sound from the applications after adding pulseaudio. (Every time I need to watch a video with sound I have to copy the URL into a browser running as my own user. I've got the browser user to use a dummy sink, so it just doesn't play sound, doesn't crash or anything, and it's not actually that bad.. ) I would possibly use SELinux if it would work with my ZFS
But as I recall it was pretty awesome. I replaced it with some basic home router at one point, then after getting fed up with the lack of SNMP support put in Zentyal. Pretty happy with that as I was able to get netatalk running on it for Time Finder backups on Mac.
Indeed, as unsatisfying as it is, the answer is that the question is wrong.
A Windows software firewall is not the same thing as a standard firewall; it's a rather specialized bit of software that, unlike normal firewalls, does NOT just look at the packets and judge them for themselves. Instead, it keeps track of which *programs* on the machine are allowed to connect and how. On Windows, it's needed, and can be very useful, i.e. even if the trojan gets installed using a drive-by exploit, it still can't call home (and when it tries, you get a clue that it is present.)
On *nix systems, I am not saying something similar could not be made, and found useful. But the need is certainly much less. You do not really need a software firewall on a system where programs cannot run without user intervention.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
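The two comments above (running the browser as its own user, and the Windows per-program firewall having no direct *nix equivalent) meet in iptables' owner match: it cannot name a program, but it can match packets generated by a given user, so a dedicated browser user gets its own outbound policy. The generator below is an added example, not code from either commenter. It assumes a user named `browser` exists, allows that user only DNS and HTTP/HTTPS (the original question's "exceptions"), and rejects any destination listed in a blocklist file first (the "exceptions to the exceptions"); the blocklist addresses in the test are constructed from documentation ranges. It prints iptables-restore syntax rather than applying anything.

```shell
# gen_outbound_policy USER BLOCKLIST_FILE
# Prints iptables-restore text that confines outbound traffic generated by
# processes running as USER. BLOCKLIST_FILE holds one CIDR per line; blank
# lines and '#' comments are ignored. Blocked destinations are refused before
# any allow rule, so a listed range stays blocked even on port 443.
# The owner match only works in the OUTPUT (and POSTROUTING) chains, which is
# why this is an outbound-only policy. Nothing here is applied.
gen_outbound_policy() {
  user=$1; blocklist=$2
  chain="${user}_out"                      # chain names are limited to 28 characters
  printf '%s\n' '*filter'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'     # everyone else keeps unrestricted outbound access
  printf '%s\n' ":$chain - [0:0]"
  # hand every packet generated by USER's processes to the per-user chain
  printf '%s\n' "-A OUTPUT -m owner --uid-owner $user -j $chain"
  # exceptions to the exceptions: known-bad ranges are refused first
  grep -v '^[[:space:]]*#' "$blocklist" | grep -v '^[[:space:]]*$' | while read -r cidr; do
    printf '%s\n' "-A $chain -d $cidr -j REJECT --reject-with icmp-admin-prohibited"
  done
  # loopback stays open (local resolver, desktop IPC, sound server)
  printf '%s\n' "-A $chain -o lo -j ACCEPT"
  # continuations of flows that were already allowed
  printf '%s\n' "-A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # the exceptions: name resolution and web traffic only
  printf '%s\n' "-A $chain -p udp --dport 53 -j ACCEPT"
  printf '%s\n' "-A $chain -p tcp --dport 53 -j ACCEPT"
  printf '%s\n' "-A $chain -p tcp -m multiport --dports 80,443 -j ACCEPT"
  # everything else from this user is refused (REJECT, not DROP, so the program
  # fails fast instead of hanging) and a rate-limited sample is logged
  printf '%s\n' "-A $chain -m limit --limit 10/minute -j LOG --log-prefix \"$chain deny: \""
  printf '%s\n' "-A $chain -j REJECT --reject-with icmp-admin-prohibited"
  printf '%s\n' 'COMMIT'
}

# Review, then merge into the running filter table (root required; not executed here).
# --noflush keeps your existing INPUT rules; re-running appends duplicates, so
# flush the chain first or fold this into your full rule set.
#   gen_outbound_policy browser /etc/firewall/badnets.txt | iptables-restore --noflush
```

Start the browser with `sudo -u browser firefox` (or kdesu / gdmsudo as the earlier comment suggests) and watch `dmesg` for the `browser_out deny:` prefix to see what it tried to reach. A native program-level policy, which the comment above says *nix lacks in this form, is what AppArmor or SELinux network rules provide.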
You stupid fucking tool, just use iptables or ipchains....
Stupid n00bz don't need a firewall, they need a firesuit. Get used to the flames you dumb motherfucker.
Download webmin here: http://www.webmin.com/ not sure what flavor of Linux you're using but between the deb and rpm packages most are covered. For Shorewall use the package manager front end and do a search for it. Select shorewall itself and let your package manager solve the dependency issues. Once Shorewall is installed double click the webmin package and hopefully you'll get a nice GUI popup that will allow you to install it. It should also download all the packages you need for dependencies. If not either install the appropriate gui frontend or use the command line (commands vary based on the core package system, use man pages and google to find out how to use your CLI commands.)
Once Webmin is installed use your browser and go to https://localhost:10000
One thing: if you're using any version of Linux Mint, Webmin will not work.
.... to already be aware the 2nd day of usage that there is such a thing as 'APT', even more that there is a thing called YUM (which is what Red Hat uses, not Ubuntu) and then the mention of IPTABLES of course...
In any case, good to think about security. I can't recall the last time I installed a firewall or a virus scanner. To me, new worms and viruses are ipso facto not detectable until there is a patch...
to deduce why you need a firewall. Are you paranoid?
Web applications that use the old pre-DHTML model of clicking to update the whole page and entering things through discrete HTML forms, such as pre-D2 Slashdot, work fine without JavaScript. And the minority who use NoScript expect, say, online stores to do the same, treating JavaScript only as a "progressive enhancement" as opposed to a requirement.
Security by blocking bad things is a very bad idea, a completely false sense of security.
Couple these together instead:
default-deny (got that much correct);
incoming, open stateful continuations of established connections;
incoming, open ports for services you run (e.g. web- and dns-servers, etc), with rate-limiting per source.
iptables will allow this, no problem.
There is no point in "automatic" firewalls that detect bad things and block sources; all they do is clutter up your firewall rules for the sake of an event that (1) comes under default-deny and (2) is already history - people doing bad things are mostly operating fire-and-forget.
~Tim
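Tim's three rules written out as an added example (not part of his comment): default deny inbound, stateful continuations of established connections, and each published service opened with a per-source rate limit. The listening ports are an assumption passed as arguments, and the generator prints iptables-restore syntax instead of applying it, so the result can be read before it touches the machine. It also keeps loopback open, which is the usual reason local logging and desktop programs break after a default-deny policy is applied.

```shell
# gen_inbound_policy FAMILY PORT...
# Prints an iptables-restore / ip6tables-restore filter table implementing
#   default deny inbound,
#   accept stateful continuations of established and related flows,
#   accept new TCP connections to each PORT, rate-limited per source address.
# FAMILY is 4 or 6. Nothing is applied; the output is meant to be reviewed and
# then piped into iptables-restore (see the usage lines at the end).
gen_inbound_policy() {
  family=$1; shift
  printf '%s\n' '*filter'
  # default deny for everything arriving; no forwarding; locally generated traffic is allowed
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  # loopback must stay open: local daemons, logging and desktop IPC talk over it
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  # stateful continuation: replies to connections this host initiated, plus related flows
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  if [ "$family" = 6 ]; then
    # IPv6 needs ICMPv6 for neighbour discovery and path MTU; do not rate-limit it away
    printf '%s\n' '-A INPUT -p ipv6-icmp -j ACCEPT'
  else
    # answer pings, but not floods
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT'
  fi
  for port in "$@"; do
    # per-source limit on connection attempts: 30 new connections per minute per address
    # (burst 30); a source above the limit falls through to the default DROP policy
    printf '%s\n' "-A INPUT -p tcp --dport $port --syn -m hashlimit --hashlimit-name in$port --hashlimit-mode srcip --hashlimit-upto 30/minute --hashlimit-burst 30 -j ACCEPT"
  done
  # log a sample of what the default policy drops, without letting the log itself be flooded
  printf '%s\n' '-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "inbound deny: "'
  printf '%s\n' 'COMMIT'
}

# Review, then apply (root required; not executed here):
#   gen_inbound_policy 4 22 443 | iptables-restore --test    # parse only, newer iptables
#   gen_inbound_policy 4 22 443 | iptables-restore
#   gen_inbound_policy 6 22 443 | ip6tables-restore
```

Applying over SSH is where the original poster's "screw it up and not notice" worry is real: the ESTABLISHED rule keeps the current session alive, but test a fresh connection from a second terminal before closing the first, and use the distribution's iptables-persistent or netfilter-persistent package (or a boot script) to reload the file, since iptables-restore does not survive a reboot on its own.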
You say you're a new Linux user, and it looks like you're carrying over your Windows way of thinking.
Most Linux distros don't have services running with lots of security holes. You don't generally need this.
Most malware out there is actually stuff like "click here for free money.exe". Even if you come across Ubuntu-targeted stuff, it does look like you're the kind of person who wouldn't click that.
Several people here have pointed out possible solutions, but think for a moment if you really need them.
I know this is an old thread ... but I really don't like Pulseaudio.
I never installed it on my Gentoo system. On my Mint systems, removing Pulseaudio is one of my first post-installation steps.
If I want to play sound over a network I export a read-only filesystem containing my media to the machines on my LAN (Samba does this nicely). Then I can play video and anything else over the network too, in a transparent way. I've never seen a single benefit of running Pulseaudio but I have seen lots of difficult-to-resolve problems. It's just useless bloat to me. I have a much better time using straight ALSA.