Do I need a Firewall for Ubuntu?

[SparTacux]

As for specifying IP addresses for the mail servers- I'm using Gmail via Thundrbird- I doubt I would be able to specify a single IP for that(?). I tried to look online for the IP of googlemail.com servers but couldn't find anything relevant.

Here's an interesting article about Gmail hack done in Iran. If you are using a Firewall to restrict access to legit email servers then no-one is going to get you with such a hack and get your account and password details and go through your email to see what your political views are.

ARTICLE

Iran has tricked a web firm into issuing fake security certificates for Gmail, Skype, Hotmail and more.
Comodo Group, a US-based certificate authority firm with 15% of the market, admitted that one of its affiliate's accounts in Southern Europe had been hacked, letting the attackers create fake SSL security certificates for six websites.
Such digital keys let websites offer secure services, and fake versions could be used to spoof sites, gather login details and watch user activity.
The fake certificates target Microsoft's Live platform, Gmail and Google, Skype, Yahoo, and Mozilla Firefox extensions. The attack was quickly discovered, with the attacker still using the account when it was shut down.
Comodo's CEO Melih Abdulhayogl said the attack appeared to originate in Iran, as it would have required access to the country's DNS infrastructure. "We believe these are politically motivated, state-driven/funded attacks," he said in a blog post, adding it was the first such state attack he'd seen against the authentication layer of the web.
Phillip Hallam-Baker, principal scientist for Comodo, said the timing of the attack was no coincidence.
"It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of internet use by dissident groups," he said in a blog post.
"The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the internet and in particular social-networking sites as a major organising tool for the protests," he added.

[secret resistor]

If you are using a Firewall to restrict access to legit email servers then no-one is going to get you with such a hack and get your account and password details and go through your email to see what your political views are.

I don't know the specifics of how that particular Iran attack was implemented but in the general case this is NOT true. Using DNS is just one possible way of doing this attack and there is nothing stopping the ISPs from implementing a transparent proxy in which case from your end it would look like you are connecting to the real IP address but it will actually go through the malicious server at the ISP which will do the MITM on the SSL connection. And given the potentially grave consequences in this particular scenario I would be very careful not to give people a false sense of security.

[SparTacux]

I don't know the specifics of how that particular Iran attack was implemented but in the general case this is NOT true. Using DNS is just one possible way of doing this attack and there is nothing stopping the ISPs from implementing a transparent proxy in which case from your end it would look like you are connecting to the real IP address but it will actually go through the malicious server at the ISP which will do the MITM on the SSL connection. And given the potentially grave consequences in this particular scenario I would be very careful not to give people a false sense of security.

Ok - Don't use the internet ( full stop ) if you want privacy.

The idea was to add more levels of protection - in this context what I said holds true.

[secret resistor]

Ok - Don't use the internet ( full stop ) if you want privacy.

The idea was to add more levels of protection - in this context what I said holds true.

I'm not saying that limiting the IPs does not help - security in layers is always good. I was objecting to this part of your post: "If you are using a Firewall to restrict access to legit email servers then no-one is going to get you with such a hack". I interpreted this as meaning that if you restrict the IP addresses then the ISP cannot intercept your traffic which is false and in cases where people's lives are at stake is not a wise thing to be suggesting. If I misunderstood you then I apologize.

[Dangertux]

I don't know the specifics of how that particular Iran attack was implemented but in the general case this is NOT true. Using DNS is just one possible way of doing this attack and there is nothing stopping the ISPs from implementing a transparent proxy in which case from your end it would look like you are connecting to the real IP address but it will actually go through the malicious server at the ISP which will do the MITM on the SSL connection. And given the potentially grave consequences in this particular scenario I would be very careful not to give people a false sense of security.

This is true. In this case a firewall wouldn't do much to help you, especially since allowing only select ip's for your mail servers is difficult due to the fact that large providers are load balancing. So you would more realistically be filtering by hostname in which case a MITM would be successful.

In the particular attack the new CA's were pushed out almost immediately, this is why. Since the only real way to mitigate it was to insure the proper warnings were still thrown for non-matching certificates.

[SparTacux]

I'm not saying that limiting the IPs does not help - security in layers is always good. I was objecting to this part of your post: "If you are using a Firewall to restrict access to legit email servers then no-one is going to get you with such a hack". I interpreted this as meaning that if you restrict the IP addresses then the ISP cannot intercept your traffic which is false and in cases where people's lives are at stake is not a wise thing to be suggesting. If I misunderstood you then I apologize.

I think you are right to pull me up on that. It was probably a bad example to use and I understand the implications of giving a false sense of security on the internet. I stand corrected. But... From the write up it appears that the DNS infrastructure was hacked so that users were directed to a spoof site which gleaned their information. For my mail server I use direct IP addresses so I have no problems resolving mail server names. I did a ping on the mail server and used that IP address. I've Never had any problems with it.

[Soul-Sing]

Not able to insert a rule for msn messaging (pidgin)
and jabber.So that is blocked....
Great howto by the way!

edit: is it 5190 for AIM?

[OpSecShellshock]

Not able to insert a rule for msn messaging (pidgin)
and jabber.So that is blocked....
Great howto by the way!

edit: is it 5190 for AIM?

Looks like the server side port for Jabber is 5222, and for Windows Live Messenger is 1863?

[Soul-Sing]

Looks like the server side port for Jabber is 5222, and for Windows Live Messenger is 1863?

Thanks, but I don't get the new rules: 43, 5222, and 1863 in the existing "line" of rules, which is:
25,53,80,110,139,143,443,465,843,995,1023,7000,707 0/tcp
sudo ufw insert 58 allow out 43 (which is the whois server)
sudo ufw insert 58 allow out 5222
sudo ufw insert 58 allow out 1863
It creates new lines of rules. (Yes i got over 58 lines of rules)

source: http://blog.bodhizazen.net/linux/fir...untu-desktops/

Then block all other outbound traffic with:

Code:

sudo ufw deny out to any

Keep in mind, order of the rules is critical. So if you need to allow additional traffic, you will need to insert a rule.

List your rules by number with:

Code:

sudo ufw status numbered

[Ms. Daisy]

That was a great discussion, explained the basic concepts & made it far less mysterious. Thanks DT.