Antivirus / Firewall / Security


foerdi
August 23rd, 2007, 07:18 AM
Now we have AppArmor,

we still need easy firewall and easy antivirus

Ok, Firestarter seems really easy, but it's not default in Ubuntu. Make it default.

ClamAV is easy, too... But it doesn't find all viruses...

"Antivir" - p i t a ...

my suggestion
firestarter default
clamav default (otherwise "antivir" .deb in repos please)

insane_alien
August 23rd, 2007, 12:15 PM
I don't want all that rubbish in the default.

iptables is the firewall, by the way, and it is in the standard Ubuntu already.

And isn't clamav in the repos? 99% of users won't need it by default.

Artificial Intelligence
August 23rd, 2007, 12:19 PM
I don't want all that rubbish in the default.

iptables is the firewall, by the way, and it is in the standard Ubuntu already.

And isn't clamav in the repos? 99% of users won't need it by default.

I'll second that. All that stuff you can install if you need an e-mail server or are using a Linux machine to protect a Windows machine in a network or similar...

qamelian
August 23rd, 2007, 12:24 PM
ClamAV is easy, too... But it doesn't find all viruses...


There isn't a single anti-virus package in existence that can catch 100% of all viruses. Some are just better than others. And ClamAV is one of the best. In a recent test, ClamAV was one of only 3 antivirus apps that caught every virus in the test set. I've always found it to be very dependable.

trak87
August 23rd, 2007, 12:24 PM
iptables is the firewall, by the way, and it is in the standard Ubuntu already.

iptables is installed but offers no protection by default. It has to be configured.

afonic
August 23rd, 2007, 12:39 PM
iptables is installed but offers no protection by default. It has to be configured.

All ports are closed in Ubuntu by default.

There is no need for a home user to have an anti-virus and advanced firewall installed by default, besides almost all software can be installed from the official repositories. Security is more than good as it is.

az
August 23rd, 2007, 12:48 PM
I think there is a big distinction between "default" and "easy". You certainly don't need a firewall nor an antivirus application on a default Ubuntu desktop so there should not be one by default.

But for those who think they do need one and want an easy solution, it should be easy. Isn't installing firestarter and Clamav easy enough?

Lotek
August 27th, 2007, 01:42 AM
Installing clamav is easy enough, but updating it is an issue. I recently installed it and got error messages because it wasn't up to date when I went to update my virus definitions. For the normal user that wants to run antivirus (for whatever reason), compiling from source probably wouldn't be the easiest thing for them, and finding a repo with it wouldn't be the easiest thing for them either. Just my 2 cents.

Dark Star
August 27th, 2007, 01:58 AM
See, Linux runs smoothly on low-end systems; adding all that crap will lower the performance, so better to install it yourself :)

ramjet_1953
August 28th, 2007, 05:30 AM
I agree with the sentiments expressed above.

For a standard desktop install, you don't need to touch iptables and don't need anti-virus software.

One of the complaints you regularly hear about Windows is all of the bloatware that is installed by default. I hope that Linux doesn't follow this path.

If you do need these packages they are easily installed and set-up.

Regards,
Roger

trak87
September 11th, 2007, 08:08 PM
Just for clarity, Ubuntu does ship with all ports closed by default, but this is not due to iptables. iptables is installed by default but not configured and thus ports are not protected by iptables unless configured manually or via a program like Firestarter. I keep reading post after post saying iptables protects users by default right out of the box. This is not the case.

slayerboy
September 12th, 2007, 03:04 AM
Just for clarity, Ubuntu does ship with all ports closed by default, but this is not due to iptables. iptables is installed by default but not configured and thus ports are not protected by iptables unless configured manually or via a program like Firestarter. I keep reading post after post saying iptables protects users by default right out of the box. This is not the case.

I have no firewall on my system, and have not configured iptables manually. All my ports are closed. How else would all ports be closed if iptables wasn't being used? Who's to say this wasn't configured in iptables by Ubuntu already when they packaged it?

From http://www.netfilter.org/:
iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).

There is most likely a default table created by Ubuntu to lock all ports.

BlackMeTaL
September 13th, 2007, 05:41 AM
I have no firewall on my system, and have not configured iptables manually. All my ports are closed. How else would all ports be closed if iptables wasn't being used? Who's to say this wasn't configured in iptables by Ubuntu already when they packaged it?

From http://www.netfilter.org/:


There is most likely a default table created by Ubuntu to lock all ports.

No there isn't. It's just that Ubuntu doesn't have any open (listening) ports by default. So it's logical they're all closed. If you install ssh you will open port 22 for example.

trak87
September 13th, 2007, 01:02 PM
Ubuntu's firewall (iptables) is not turned on by default. To test it, run the following:

sudo iptables -L -n

If you see the following, the firewall is doing nothing. Note the default policy is to ACCEPT communications from the outside:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

However, Ubuntu's ports are closed by default. But if a program stealthily opens a port, you will have an open port.

Imagine calling the police after somebody breaks into your home and you tell the police you never lock your doors. A locked door isn't foolproof, but at least you took steps to protect yourself. And I suspect that from the viewpoint of the law, circumventing your locked door (breaking in) is more serious than just walking in an unlocked door. Same thing with a filing cabinet. If somebody breaks a lock on a filing cabinet, it's more serious than just opening it.

I choose to use Firestarter just as I choose to lock my doors at night. The added protection is worth it. I keep reading that it causes a slowdown. I haven't noticed any slowdown.

psusi
September 13th, 2007, 01:15 PM
I choose to use Firestarter just as I choose to lock my doors at night. The added protection is worth it. I keep reading that it causes a slowdown. I haven't noticed any slowdown.

There is no added protection. A closed port is a closed port, doesn't matter if it is really closed or if access to it is blocked with a firewall - either way, nobody can connect to it, and Linux applications are not brain dead by default like Windows and don't just let anyone connect and access your stuff without any kind of authentication and validation, and usually encryption.

There are two reasons that Windows needs a firewall:

1) By default it runs services that remote users can use to access your machine in limited ways without any authentication at all

2) These default listening services are riddled with exploits that can be used to subvert them and cause them to perform acts on behalf of the attacker with full system access.

Ubuntu does not suffer from either of these.

trak87
September 13th, 2007, 03:37 PM
When you install internet services for the purpose of a local net, you need a firewall to disallow the internet while allowing the intranet.

Steveway
September 13th, 2007, 03:47 PM
When you install internet services for the purpose of a local net, you need a firewall to disallow the internet while allowing the intranet.

If you can install internet services, then you can also install firestarter.
It is not needed on a default desktop!

psusi
September 13th, 2007, 05:06 PM
And your router will keep outsiders out of your lan if you have one with multiple computers that you want to share access to.

trak87
September 13th, 2007, 05:27 PM
And your router will keep outsiders out of your lan if you have one with multiple computers that you want to share access to.

How trustworthy is the router?

HermanAB
September 13th, 2007, 05:33 PM
Most routers run Linux.

trak87
September 13th, 2007, 05:41 PM
Do a Google search on compromised routers. Linux isn't invulnerable.

psusi
September 14th, 2007, 11:07 AM
Practically speaking, yea, it is.

p252
September 14th, 2007, 08:00 PM
Ubuntu advertises ease of use. Iptables is NOT easy to use. Yes, out of the box Ubuntu has no open ports, but iptables is not configured and there are those of us who would like a firewall for our systems, both servers and clients. Yes, firestarter is easy to use, however, I have had nothing but problems with it since Ubuntu 7.04. Firestarter does not work well with Network Manager, especially if you run wifi or for some reason your LAN/Internet connection does not start up BEFORE firestarter tries to run its script at boot. If your network connection is not established before firestarter runs its firewall script on boot, then firestarter will not start the firewall, the script tells it not to!!! IT IS NOT TRUE THAT FIRESTARTER SIMPLY CONFIGURES IPTABLES. Firestarter has to be run on boot or when the user logs in to set up iptables. All settings are lost on shutdown. Firestarter is not reliable, and if you check the latest news and such on the firestarter website, nothing has been updated since 2005. Is firestarter even being developed anymore?? If you are running firestarter, I strongly suggest checking iptables after a fresh boot (sudo iptables -L -n) and see if things are being loaded as you so confidently believe they are.

People, enough Ubuntu users are asking and pleading for a firewall configuration tool. Why is this so opposed by the Ubuntu community?? Why can't Ubuntu start including an easy configuration tool like Fedora's system-config-firewall?? A search of the forums is proof enough that WE AS THE UBUNTU COMMUNITY ARE ASKING FOR IT AND WOULD GREATLY APPRECIATE IT.

Just my two cents. I realize I may not know much.
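
The `sudo iptables -L -n` check that trak87 and p252 both describe, turned into a script (an added example, not code from any poster): it parses that output and reports, per built-in chain, whether the chain is an empty ACCEPT chain. The function names and the second sample are constructed for illustration.

```shell
# Added example: summarize `iptables -L -n` (filter table) output from stdin.
# Only built-in chains (those with a policy) are reported; user-defined chains
# are reachable only through rules in a built-in chain.
summarize_filter_table() {
    awk '
        /^Chain / {
            chain = ""
            if ($3 == "(policy") {              # built-in chain header
                chain = $2; pol = $4; sub(/\)$/, "", pol)
                policy[chain] = pol; rules[chain] = 0; order[++n] = chain
            }
            next
        }
        /^target +prot/ || /^[ \t]*$/ { next }  # column header, blank line
        chain != "" { rules[chain]++ }          # anything else is a rule
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                s = (policy[c] == "ACCEPT" && rules[c] == 0) ? "inert" : "active"
                printf "%s policy=%s rules=%d %s\n", c, policy[c], rules[c], s
            }
        }'
}

# Exit 0: every built-in chain is ACCEPT with no rules. Exit 1: some chain has
# rules or a non-ACCEPT policy. Exit 2: nothing parsed (e.g. not run as root).
firewall_is_inert() {
    summary=$(summarize_filter_table)
    [ -n "$summary" ] || return 2
    ! printf '%s\n' "$summary" | grep -qv ' inert$'
}

# Output quoted in the thread (default install, nothing configured).
SAMPLE_DEFAULT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: default-deny inbound with two rules.
SAMPLE_CONFIGURED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
```

On a live system, pipe the real output in: `sudo iptables -L -n | firewall_is_inert`. Run after a fresh boot, an exit status of 0 means no rules were loaded.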

psusi
September 14th, 2007, 11:19 PM
For the same reason that the defrag package is not installed by default, or has even been maintained in years: it has no actual use. The solution is not to provide a tool that people want, but to educate people to know that they have no use for such a tool.

On the other hand, firestarter should be fixed so it does work properly. The iptables rules should be configured whenever the interface is detected, not just during boot up.

p252
September 15th, 2007, 11:34 AM
So we're saying that a firewall is not needed? Even for those who want to set up Ubuntu as a server? Or even for the security minded businesses thinking about using Ubuntu in their environment?

Anyways, it would be nice if Firestarter worked just by detecting the interface, but unfortunately it doesn't.

23meg
September 15th, 2007, 03:11 PM
Even for those who want to set up Ubuntu as a server? Or even for the security minded businesses thinking about using Ubuntu in their environment?

No, for the typical home user. People who have more sophisticated demands usually also have more sophisticated skills and don't need a default app to cater for those.

23meg
September 15th, 2007, 03:14 PM
By the way, there's an approved firewall blueprint:

https://blueprints.launchpad.net/ubuntu/+spec/firewall

If a firewall is to be introduced into Ubuntu, this is almost certainly the way it's going to happen.

psusi
September 15th, 2007, 04:18 PM
Yes, a firewall is not needed. Why? Because we don't have a bunch of listening services installed by default, and any services you choose to install aren't riddled with security exploits. Even if you choose to install apache or sshd, they are configured out of the box in a secure manner so people trying to connect and use the services can not do anything harmful, unless of course, they know a valid username and password on your machine.