VideoHelp Forum
  1. Member ahhaa
    I got to the stage of setting up the wireless connection and the firewall config panel gave me these choices:

    click boxes to allow

    everything

    web server

    domain name server

    SSH server

    FTP server

    Mail server

    POP & IMAP server

    Echo Request (ping)


    other than that I can add individual ports under 'advanced'

    there's no apparent 'ask' option...

    any advice appreciated!
  2. Get Slack disturbed1
    click boxes to allow

    everything = it's all blocked. You're locked down. Grab a tin foil hat while you're at..... no wait, just unplug the cable.

    web server = port 80, allows someone to connect to you on this port.

    domain name server = uncheck this if you are running your OWN DNS

    SSH server = SSH can come in handy. Port 22. Allows you to connect to your machine through a Secure Shell.

    FTP server = port 21, allows others to ftp into.

    Mail server = umm - a mail server usually uses POP3 or IMAP. Anyways, POP3 = 110, SMTP = 25, SSL/IMAP/TLS have different port numbers. Are you running your own mail server?

    POP & IMAP server = See above.

    You left off NFS, NNTP, NTP, just to name 3 of the common services. Usually one would state which distro they're using, and the name of the program they need help with. I can gather you aren't editing the iptables config file.

    Echo Request (ping) = turns off ICMP. If someone pings your PC, it won't respond.

    other than that I can add individual ports under 'advanced' = do you know what ports you're using?

    Unless you're running a real server, and I don't mean some headless box in your basement serving mp3s, leave SSH unblocked, and close everything else. Later on you can unblock ports if you need them.

    If you're not sure about networking and ports, google the service and/or port number.
    Linux _is_ user-friendly. It is not ignorant-friendly and idiot-friendly.
  3. Member AlanHK
    Originally Posted by ahhaa
    I got to the stage of setting up the wireless connection and the firewall config panel gave me these choices:
    You'll notice these are all "servers"
    Unless you are actually running a server for one of these services, you don't need to open any of them.

    If you do P2P, you will need to open a port or two, but that will be explained in the FAQs for your P2P client (as it is also a server).

    See http://www.portforward.com/ for more info.
  4. Banned
    disturbed1 wrote:

    Unless you're running a real server,
    and I don't mean some headless box in your basement serving mp3s,
    OUCH! That hurts!
  5. Member ahhaa
    Originally Posted by disturbed1
    You left off NFS, NNTP, NTP, just to name 3 of the common services. Usually one would state which distro they're using,
    Thanks, Dis; but as I said, the firewall config panel gave me these choices, and only these choices.
    It is built in to the distro, which is the current Mandriva Spring 2008 Live.

    Mebbe I am ignorant or an idiot, but I frankly don't see how these choices,
    which are network and not distro dependent,
    and face every first time user just prior to going online for the first time, are really anything
    but poor interface design.

    I do appreciate your info, tho
  6. Firewall in linux buah!!

    see www.dcd.com.pl
  7. Banned
    How odd that "Click box to allow" being checked for Everything means that instead everything is blocked. Hmm... I think disturbed1 is wrong here.

    ahhaa - Linux operates under the principle (in most distros anyway) that you as a user are smart enough to figure out what you want rather than some faceless droid deciding that for you. It would seem that you disagree with this philosophy, so I may politely suggest that Ubuntu might be a perfect distribution for you as it's very easy to install and doesn't offer users a lot of opportunity to decide things like this. Ubuntu was designed for people with low technical skills to be able to install it and run it successfully.

    Most home users won't run NFS, NNTP or NTP, so it's not a mistake that this distribution didn't ask about them. The fact that some people may want to run them does NOT mean that MOST users will do so. If someone knows what they are and wants to run them, I think it's a safe assumption that this person would know enough about Linux to make them work without having to depend on a GUI checkbox to do it.
  8. Member ahhaa
    y'know, that's not the case. What I object to, is being stuck in the middle of an installation sequence having to make choices without the appropriate information onscreen. It's not about know-how, it's about poor design and attention to detail.

    Also, it seems that a firewall is quite necessary for linux these days- even for the oh-sophisticated Debian & Redhat users:

    The U.S. Computer Emergency Readiness Team (CERT) has issued a warning for what it calls “active attacks” against Linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2” is installed,

    more at
    http://blogs.zdnet.com/security/?p=1803
  9. Get Slack disturbed1
    Originally Posted by jman98
    Most home users won't run NFS, NNTP or NTP, so it's not a mistake that this distribution didn't ask about them. The fact that some people may want to run them does NOT mean that MOST users will do so. If someone knows what they are and wants to run them, I think it's a safe assumption that this person would know enough about Linux to make them work without having to depend on a GUI checkbox to do it.
    OK

    But they will run an SSH, POP and IMAP server. I guess you don't know what NFS or NTP is used for. Come on man, if they offer SSH, POP3 and IMAP servers, why wouldn't they offer the standard for file sharing and synchronizing your clock. And is running a news server such a far stretch from offering to set up a mail server?

    Let me guess, you use Ubuntu. Or either that, you don't have a clue, and just thought you'd offer some more useless information.

    Have to agree ahhaa, it is poor design.
    Linux _is_ user-friendly. It is not ignorant-friendly and idiot-friendly.
  10. Member
    That's the distro and version I use for my server. The default for the firewall is for most users.
    It also gives you the choice of which NIC you want to protect. I only protect the external one. The only thing I turn on for mine is ssh & ftp. All the rest I leave off. I have had no problem and no break-in even with many attacks. I find this interface to be easier than the dozen or so firewall configuration programs I've tried. This is the same setting I use for my laptop. I have never had any problem connecting to any wireless network.
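
Added example, not part of any post in this thread and not the Mandriva tool's own output: the advice above to "leave SSH unblocked, and close everything else" and to protect only the external NIC, written out as a default-deny inbound ruleset in iptables-restore format. The checkbox names, the standard well-known ports and `eth0` as the external interface are assumptions; the panel itself may open a different set.

```shell
#!/bin/sh
# Added example: turn the panel's "allow" checkboxes into a default-deny
# inbound ruleset in iptables-restore format. It only prints text.

# Map a checkbox name to proto/port pairs. Standard well-known ports are
# used here (assumption: the Mandriva panel may open a different set).
ports_for() {
    case "$1" in
        web)      echo "tcp/80 tcp/443" ;;
        dns)      echo "tcp/53 udp/53" ;;
        ssh)      echo "tcp/22" ;;
        ftp)      echo "tcp/21" ;;   # control port only; data needs the conntrack FTP helper
        mail)     echo "tcp/25" ;;
        pop-imap) echo "tcp/110 tcp/143" ;;
        *)        return 1 ;;
    esac
}

# gen_ruleset IFACE [SERVICE...]: accept new inbound connections on IFACE
# only for the ticked services. Loopback and replies to connections this
# machine started are always accepted; everything else inbound is dropped.
gen_ruleset() {
    iface=$1; shift
    rules=""
    for svc in "$@"; do
        if [ "$svc" = ping ]; then
            rules="$rules-A INPUT -i $iface -p icmp --icmp-type echo-request -j ACCEPT
"
            continue
        fi
        # Fail before printing anything if a service name is not recognised.
        pairs=$(ports_for "$svc") || { echo "unknown service: $svc" >&2; return 1; }
        for pair in $pairs; do
            rules="$rules-A INPUT -i $iface -p ${pair%/*} --dport ${pair#*/} -m conntrack --ctstate NEW -j ACCEPT
"
        done
    done
    printf '%s\n' "*filter" ":INPUT DROP [0:0]" ":FORWARD DROP [0:0]" ":OUTPUT ACCEPT [0:0]"
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"
    printf '%s\n' "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s' "$rules"
    printf '%s\n' "COMMIT"
}

# Constructed usage: SSH only, on the assumed external interface eth0.
gen_ruleset eth0 ssh
```

With no services listed the output still permits all outbound traffic and its replies, which is why a desktop or laptop with every box unticked can browse and join wireless networks normally.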