I still think a firewall should be set up by default.
Any user (novice or expert) could easily install something
that opens up a port/ports, without knowing or even being notified
that a Firewall is not in place.
At least ask during the install...
Do you want the firewall turned on ??
Last edited by tebbens; June 1st, 2008 at 04:14 PM.
firewall is always turned on... except if you remove iptables from the kernel (is that possible?)
Just to clarify some misconceptions that the default stance of the iptables is not DROP!
Nope, it's not. We have had this discussion before I think. Please type this into a terminal:
Code:
sudo iptables -L
You will most likely get this as a result:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Voila, no active firewall whatsoever.
Or please try this command:
Code:
sudo lsmod | grep ip
You will get a result which looks something like this:
Code:
ipv6                  273892  26
snd_cmipci             37024  1
snd_opl3_lib           11520  1 snd_cmipci
snd_mpu401_uart         9600  2 snd_cmipci,snd_mpu401
snd_pcm                80388  4 saa7134_alsa,snd_cmipci,snd_usb_audio,snd_pcm_oss
snd                    54660  17 saa7134_alsa,snd_cmipci,snd_opl3_lib,snd_mpu401,snd_mpu401_uart,snd_usb_audio,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_seq_oss,snd_rawmidi,snd_hwdep,snd_seq,snd_timer,snd_seq_device
gameport               16776  2 snd_cmipci,analog
No sign whatsoever of a firewall.
On the system I just used the "iptables" command I have two entries which hint at the possibility of activating the firewall:
Code:
iptable_filter          3968  0
ip_tables              13924  1 iptable_filter
x_tables               16260  1 ip_tables
But again, the absence of all other modules tells me that there is no firewall active here!
Now for comparison the output from a system which does have an active firewall:
Code:
~ > sudo lsmod | grep ip
iptable_nat            16900  0
nf_nat                 30636  1 iptable_nat
nf_conntrack_ipv4      29456  2 iptable_nat
nf_conntrack           83548  3 iptable_nat,nf_nat,nf_conntrack_ipv4
nfnetlink              15432  3 nf_nat,nf_conntrack_ipv4,nf_conntrack
ip_tables              31080  1 iptable_nat
x_tables               30600  2 iptable_nat,ip_tables
ipv6                  360168  34
chipreg                11904  2 jedec_probe,cfi_probe
See all those modules, e.g. for NAT, for IP connection tracking, and so on? Yes, this is an active firewall here.
But this is not what you get "out of the box" and hence your statement is again not correct.
Yes, the basis for activating a firewall (the "infrastructure" if you want to call it so) is there. But it's not activated at all, it does nothing at all and the above shell commands should be proof enough to show this.
Of course you can remove it. Just untick the firewall features when you configure your kernel and that's it. Not hard at all to do. And even if you leave it in: See above. The groundwork for a firewall is there, yes. But "out of the box" it is neither active nor will it do *anything* at all to protect you from unwanted network traffic.
The question in the previous posting is thus valid: A user should be asked if they want to activate the firewall and have all incoming network traffic filtered by default. Because right now it's not doing anything like that.
I don't agree with that statement. Iptables is used to administer the kernel level packet filtering (netfilter). Iptables and netfilter are obviously active, yet set to a default policy of accepting all traffic. A firewall is not a firewall just by virtue of being set to block traffic. If anything I would call it an "unconfigured" firewall, since firewalls start with either a policy of default allow or default deny. Any additional configuration is up to the person who maintains the firewall.
Change the command to
Code:
sudo iptables -L -v
...and you will see that the kernel packet filter is still inspecting the network traffic, since it will give you the number of packets for each default chain. Just because it has not been configured to do more than its default policy does not make it not a firewall.
Last edited by Monicker; June 1st, 2008 at 06:43 PM. Reason: typo
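An added example (not code from the thread or from Ubuntu) that turns the checks the two posters run by hand into a script: it parses the text `iptables -L -v -n` prints and reports whether the filter table is "passive" (every built-in chain policy ACCEPT, no rules, the out-of-the-box state shown above) or actually filtering. The two sample dumps are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: tell a "passive" filter table (every
# built-in chain policy ACCEPT and no rules, the Ubuntu default shown above) from
# one that filters, by parsing what `iptables -L -v -n` prints.

# Reads `iptables -L -v -n` output on stdin; exit 0 = filtering, 1 = passive.
iptables_is_filtering() {
    awk '
        # "Chain INPUT (policy ACCEPT 12 packets, 1K bytes)"; any policy other
        # than ACCEPT means unmatched packets are dropped or rejected.
        /^Chain / {
            if (match($0, /\(policy [A-Z]+/)) {
                pol = substr($0, RSTART + 8, RLENGTH - 8)
                if (pol != "ACCEPT") filtering = 1
            }
            next
        }
        /^ *pkts +bytes +target/ { next }   # column header printed under each chain
        # any other line starting with two counters is a rule, so something is matched
        /^ *[0-9]+[KMG]? +[0-9]+[KMG]? +/ { filtering = 1 }
        END { exit (filtering ? 0 : 1) }
    '
}

# Prints "filtering" or "passive" for a dump passed as a string.
classify() {
    if printf '%s\n' "$1" | iptables_is_filtering; then echo filtering; else echo passive; fi
}

# Constructed sample: the out-of-the-box state the thread is about.
PASSIVE_SAMPLE='Chain INPUT (policy ACCEPT 1523 packets, 201K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1341 packets, 188K bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample: default-deny INPUT, loopback and established traffic allowed.
FILTERING_SAMPLE='Chain INPUT (policy DROP 44 packets, 2640 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  2860 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 9012 1024K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 8201 packets, 900K bytes)
 pkts bytes target     prot opt in     out     source               destination'

echo "sample 1: $(classify "$PASSIVE_SAMPLE")"      # passive
echo "sample 2: $(classify "$FILTERING_SAMPLE")"    # filtering
```

On a live host, `sudo iptables -L -v -n | iptables_is_filtering` (after sourcing the file) gives the same verdict. A table can count as "filtering" here and still let everything through (a single ACCEPT rule is enough), so read the rules themselves, not only the verdict.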
I'm not sure what the right answer is frankly, however aren't you two splitting hairs?
Whether the iptables is inactive by default, or active but not set to block anything -- in the end -- the result is the same. In order to take advantage of the built-in firewall, the ruleset must be fed into iptables at every boot (whether through importing a ruleset, or by adding additional rules either manually or through a frontend). Only then is the firewall truly active.
OK, let me fine-tune my statement: "active firewall" in the sense that it would filter network traffic and not "active" in the sense of "being present". That's how I used it I think ("active" == "filtering traffic") and in this sense my statements should be correct.
I agree to that. You see, there already was a lengthy thread where hyper_ch and I disagreed what the difference between "unconfigured" and "default configuration" is when it comes to "iptables". I guess I am on the same page as you: "iptables" is 'out of the box' unconfigured, yes. Here is the thread I am referring to:
http://ubuntuforums.org/showthread.php?t=640752
Yes, absolutely.
Technically you are right, yes. But please see above, when I wrote "active firewall" I meant it in the sense "this firewall is filtering stuff" and not "firewall technology is always present" -- yes, it's present, but from a packet filtering point of view not "active" in the sense that it would keep any traffic away. If anything it's completely "passive" in its default setting.
And this is also what is often misunderstood by newcomers: They're told "Ubuntu is safe out of the box". Yes, this is more or less true if we compare this with e.g. Windows out of the box. And then they are told "You don't need to download a firewall, Linux already has a built-in firewall". This is also true. But here's the catch: Many people connect the two and thus misunderstand the message as being "Ubuntu is safe out of the box because there is a built-in firewall" ... And this is obviously *WRONG*. Ubuntu's safety "out of the box" comes from the fact that by default there are no TCP or UDP ports listening for outside traffic, and not because the firewall would do any magical work in its default setting --- and semantics aside, I think we both agree that the default setting of "iptables" on Ubuntu is not filtering anything (regardless of whether I call that stuff "active firewall" vs. "passive firewall") and letting all traffic through.
So to get back to the topic I'd say tebben's posting a little bit further up is not such a bad idea: The users should be asked if they want the firewall "active" (= in the sense that it filters traffic) and the installer should then create a default rule set which would e.g. let all outgoing traffic out but block all unwanted incoming traffic.
Other distros such as OpenSUSE have already been doing this for quite some time now. By default the SUSE installer will activate the firewall and only offer to activate SSH. Here is a screenshot:
IMHO this is not such a bad idea at all. Users who know what they are doing can still click on that button to disable the firewall but for the average home user who doesn't want to risk anything such an option would definitely be nice, IMHO.
Last edited by scorp123; June 1st, 2008 at 07:30 PM.
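As an added example (not code from the thread, from Ubuntu or from the SUSE installer), here is the default rule set described above, "let all outgoing traffic out but block all unwanted incoming traffic", written as a function that prints the iptables commands so they can be read before they are applied. The TCP port arguments are an assumed stand-in for the installer's "also allow SSH" option.

```shell
#!/bin/sh
# Added example, not code from the thread or from any installer: the default rule
# set scorp123 describes (all outgoing traffic allowed, unsolicited incoming
# traffic dropped), written as a function that PRINTS the iptables commands so
# they can be reviewed before they are applied. The port list is an assumed
# argument standing in for the installer's "also allow SSH" checkbox.

# default_ruleset [tcp-ports...]  ->  prints the commands, one per line
default_ruleset() {
    echo 'iptables -P OUTPUT ACCEPT'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -F INPUT'
    # loopback, and replies to connections this host started, go in BEFORE the
    # DROP policy, so an SSH session used to apply this is not cut off
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo 'iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # rate-limited log of what is about to hit the policy, then the policy itself
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "'
    echo 'iptables -P INPUT DROP'
}

# Sanity check: the ESTABLISHED rule must be added before INPUT is switched to DROP.
ruleset_is_safe_order() {
    default_ruleset "$@" | awk '
        /--ctstate RELATED,ESTABLISHED/ { est = NR }
        /-P INPUT DROP/                 { drop = NR }
        END { exit ((est && drop > est) ? 0 : 1) }
    '
}

# Example: what the installer would emit when the user ticks "allow SSH".
default_ruleset 22
```

Pipe the output into `sudo sh` only after reading it; as the posts above note, the rules live only in the running kernel and have to be re-applied at every boot (or saved with iptables-save) to stay in effect.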