
Thread: Why all Linux firewalls are snake oil (for desktop)

  1. #11
    Join Date
    Nov 2006
    Location
    Chicago, IL
    Beans
    72
    Distro
    Kubuntu 6.10 Edgy

    Re: Why all Linux firewalls are snake oil (for desktop)

    if you use firestarter, you can set rules for incoming and outgoing traffic.
    Registered Linux User #: 436821
    LINUX!
    Because a PC is a terrible thing to waste

  2. #12
    Join Date
    Aug 2006
    Beans
    227
    Distro
    Ubuntu 6.06 Dapper

    Re: Why all Linux firewalls are snake oil (for desktop)

    Quote Originally Posted by zetetic View Post
    [...]
    First, you're using the "snake oil" term incorrectly. Even if iptables didn't have application based control, it is still very good at everything else it does and is therefore not "snake oil".

    Second, iptables DOES have application based filtering if you have the owner match extension, and even better, it can match UID, GID, PID and SID. You could deny everything from getting out except what you want to use.
    http://pi.ytmnd.com/ <-women singing pi is just hot for some reason...
    http://dsj.freeshell.org <- home on the web..

  3. #13
    Join Date
    Oct 2005
    Location
    United Kingdom
    Beans
    4,848

    Re: Why all Linux firewalls are snake oil (for desktop)

    Install firestarter, set it up to block everything but your whitelist and add things where necessary...

    If you really want to.

    I repeat my point. If you don't trust software like nvidia binary drivers and think they'll "call home" THEN DON'T INSTALL THEM.
    Every time you install Jaunty, a kitten........ wait sorry what year is this again?
    Please don't PM support questions, post a thread so that everyone can benefit
    Join us in #ubuntuforums on irc.freenode.net

  4. #14
    Join Date
    Oct 2006
    Location
    /home
    Beans
    189

    Re: Why all Linux firewalls are snake oil (for desktop)

    RMorris78 said:

    «if you use firestarter, you can set rules for incoming and outgoing traffic.»

    Did you read my posts? I'm talking about application outbound filtering/control, not about protocol/ports outbound control. Firestarter only has rules for protocols/ports, not for applications. There are a bunch of security articles written by security experts on the web, so please read them.

    Protocol/ports control is snake oil... every malware application can use any port... It's crazy to open a port for every application that decides to use it.

    zetetic

  5. #15
    Join Date
    Jun 2006
    Beans
    2,310
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Why all Linux firewalls are snake oil (for desktop)

    Quote Originally Posted by zetetic View Post
    RMorris78 said:

    «if you use firestarter, you can set rules for incoming and outgoing traffic.»

    Did you read my posts? I'm talking about application outbound filtering/control, not about protocol/ports outbound control. Firestarter only has rules for protocols/ports, not for applications. There are a bunch of security articles written by security experts on the web, so please read them.

    Protocol/ports control is snake oil... every malware application can use any port... It's crazy to open a port for every application that decides to use it.

    zetetic
    I hear your concerns, but others have already posted links that should help you out. See xhaan's post; see ice60's post.

    If you really want true (read: better) security, buy a consumer hardware firewall (incidentally, many of them use a modified Linux kernel) or better yet, a really expensive one from Cisco.

    There's really nothing snake oily about Linux firewalls -- it's how you use and implement them that makes them effective. Also of note is that they've been a part of Linux for a while in many forms: ipfwadm, ipchains, iptables. Notice also that Firestarter and TuxGuardian are merely GUI front-ends to said applications.
    Last edited by ciscosurfer; December 4th, 2006 at 09:24 PM.

  6. #16
    Join Date
    Apr 2006
    Beans
    1,979
    Distro
    Ubuntu 8.10 Intrepid Ibex

    Re: Why all Linux firewalls are snake oil (for desktop)

    Quote Originally Posted by zetetic View Post
    PriceChild said:

    «If you don't trust said application, don't open it.»

    This is the worst way of dealing with security one can imagine.
    Actually, that's probably the best way of handling security, aside from mandatory virus checks and whatnot. The only way you're going to get malware arsing around on your computer is through something far more pervading than a process starting itself up. It's going to need to hook into a different application in order for it to do what it wants to do, and if it succeeded in doing that, then your firewall would be useless anyway. You're safe, chill out.

  7. #17
    Join Date
    Oct 2006
    Location
    /home
    Beans
    189

    Re: Why all Linux firewalls are snake oil (for desktop)

    xhaan wrote:

    «Second, iptables DOES have application based filtering if you have the owner match extension».

    Could you please elaborate on that, or give further information?

    Or are you talking about manually creating/editing iptables? The vast majority of Ubuntu users (or of almost any other Linux distro) don't have the knowledge (nor the time or patience) required to manually edit/create iptables rules.

    So we really need a front-end application capable of protecting against internal extrusion, with application outbound filtering/rules.

    zetetic
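
As an added example (not part of any post in this thread), here is one way the owner match raised in posts #12 and #17 can be turned into a default-deny outbound ruleset without hand-writing each rule; the account names, ports and the `owner_egress_rules` helper are assumptions. It uses `--uid-owner`, which matches the account that owns the socket rather than the executable, so per-application control means running that application under its own account.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# drops outbound traffic by default and allows it per local account through
# the owner match. Account names and ports are constructed sample values.

# usage: owner_egress_rules user:proto:port [...]
owner_egress_rules() (
    LC_ALL=C
    nl='
'
    rules=''
    for spec in "$@"; do
        user=${spec%%:*}; rest=${spec#*:}
        proto=${rest%%:*}; port=${rest#*:}
        ok=yes
        # Strict field validation: a malformed entry aborts the whole ruleset
        # rather than producing a rule that is looser than intended.
        case $user in ''|[!a-z_]*|*[!a-z0-9_-]*) ok=no ;; esac
        case $proto in tcp|udp) ;; *) ok=no ;; esac
        case $port in ''|0*|*[!0-9]*|??????*) ok=no ;; esac
        if [ "$ok" = yes ] && [ "$port" -gt 65535 ]; then ok=no; fi
        if [ "$ok" = no ]; then
            echo "invalid spec: $spec" >&2
            exit 1
        fi
        rules="${rules}-A OUTPUT -p $proto --dport $port -m owner --uid-owner $user -j ACCEPT$nl"
    done
    # Only OUTPUT is declared; the owner match is not valid for inbound chains.
    printf '%s\n' '*filter' ':OUTPUT DROP [0:0]' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s' "$rules"
    # Log what falls through to the DROP policy so denied programs are visible.
    printf '%s\n' '-A OUTPUT -j LOG --log-prefix "egress-denied: "' 'COMMIT'
)

# Constructed sample: one desktop user for HTTPS and DNS, apt's account for HTTP.
owner_egress_rules alice:tcp:443 alice:udp:53 _apt:tcp:80
```

Review the output before piping it to `iptables-restore`; without `--noflush` that command replaces the existing contents of the filter table.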

  8. #18
    Join Date
    Jun 2006
    Beans
    2,310
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Why all Linux firewalls are snake oil (for desktop)

    @zetetic,

    Out of curiosity, can you describe when the events you speak of have personally affected your computer and what happened when they did?

    I was going to say: If you're that paranoid, maybe you shouldn't use your computer at all...go watch a movie or something. Ooops. I said it. Don't take offense now, I'm only playing around.

  9. #19
    Join Date
    Oct 2006
    Location
    /home
    Beans
    189

    Re: Why all Linux firewalls are snake oil (for desktop)

    PriceChild wrote:

    «If you don't trust software like nvidia binary drivers and think they'll "call home" THEN DON'T INSTALL THEM.»

    Well, Ubuntu Feisty will install binary video drivers by default...
    So I will not be allowed to not install them!...

    So Ubuntu Feisty has the potential to be a security/privacy nightmare (at least for the vast majority of its users, cause almost everybody uses ATI or Nvidia graphics cards)...

    zetetic

  10. #20
    Join Date
    Apr 2006
    Beans
    1,979
    Distro
    Ubuntu 8.10 Intrepid Ibex

    Re: Why all Linux firewalls are snake oil (for desktop)

    Quote Originally Posted by zetetic View Post
    PriceChild wrote:

    «If you don't trust software like nvidia binary drivers and think they'll "call home" THEN DON'T INSTALL THEM.»

    Well, Ubuntu Feisty will install binary video drivers by default...
    So I will not be allowed to not install them!...

    So Ubuntu Feisty has the potential to be a security/privacy nightmare (at least for the vast majority of its users, cause almost everybody uses ATI or Nvidia graphics cards)...

    zetetic
    Nobody is forcing you to use Feisty. If you don't agree with the direction Feisty is taking, then by all means stick with Dapper or Edgy or whatever you're running now.
