Networking Forums


Firewall setup

 
 
Tim Frink
Guest
Posts: n/a

 
      06-22-2010, 08:46 AM
Hi,

I've a new Linux box (running Debian Lenny) which is connected via a WLAN
card to a DSL router. The firewall of the DSL router is disabled. Now I
would like to install a firewall on my Linux system. Which connections
do I need to block in general? Are there any graphical tools that help me
to set up firewall rules? Or any out-of-the-box scripts that can be used
after a slight modification?

Thank you.

Tim
 
 
 
 
 
Jorgen Grahn
Guest
Posts: n/a

 
      06-22-2010, 06:08 PM
On Tue, 2010-06-22, mjt wrote:
> On Tue, 22 Jun 2010 08:46:43 +0000 (UTC)
> Tim Frink <(E-Mail Removed)> wrote:
>
>> I've a new Linux box (running Debian Lenny) which is connected via a
>> WLAN card to a DSL router. The firewall of the DSL router is
>> disabled. Now I would like to install a firewall on my Linux system.
>> Which connections do I need to block in general?
>
> Basically, everything except services required


Or nothing, if you don't run any servers, or only secure ones.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
 
 
Aragorn
Guest
Posts: n/a

 
      06-22-2010, 08:39 PM
On Tuesday 22 June 2010 10:46 in comp.os.linux.networking, somebody
identifying as Tim Frink wrote...

> Hi,
>
> I've a new Linux box (running Debian Lenny) which is connected via a
> WLAN card to a DSL router. The firewall of the DSL router is disabled.
> Now I would like to install a firewall on my Linux system. Which
> connections do I need to block in general?


Only those which are in use by a service offered by your machine, and
only insofar that the firewalling rejects unsolicited connections on
said ports.

For instance, you might have "sshd" running to allow remote logins, but
you are seeing a lot of break-in attempts on that. So then you
could set up a firewalling rule that only allows access to port 22 from
a limited and trusted range of IP addresses. (Note: In the case
of "sshd", this need not necessarily be done via firewalling rules, as
the "sshd" configuration file already allows for fine-graining access to
that service, and as has been pointed out elsewhere already, it is
always a good idea to use a non-standard port for "sshd".)

Most people who have a residential internet connection and who are
inquiring about firewalling are people who come from the Windows world,
where firewalling is an absolute necessity, because Windows is by
nature very promiscuous. UNIX does not work that way, and there is no
point in blocking a given port if that port has no daemon running on
it.

> Are there any graphical tools that help me to set up firewall rules? Or
> any out-of-the-box scripts that can be used after a slight
> modification?


For graphical tools, another poster has already recommended "webmin".
It's a web-based graphical interface for system administration - not
just firewalling. Most distributions ship with "webmin" packages.

Once it's installed and properly set up, you can connect to it on port
10000. It is advised to use it with https only, especially if you
intend administering the machine remotely from another location on the
internet.

As for scripts... There are some, but considering what I wrote higher
up about how UNIX only accepts connections on ports which have a
service/daemon running on them, such scripts would be highly
specialized. For instance, if you install your machine with the Xen
hypervisor, then the management virtual machine will - provided that it
has direct access to a NIC, which is not always the case in a Xen
set-up - implement a firewalling script which secures the management
virtual machine from the internet and sets up the NIC either as a
bridge or with routing, depending on the chosen networking set-up.

There are however no general purpose scripts for firewalling on a
GNU/Linux system, because every system has different needs. Alas, and
again as I wrote higher up, people coming from the Windows world have
been badly misindoctrinated into believing that a firewall is
absolutely required under all circumstances.

With Windows, that is the case, yes, even if it were only to prevent
Windows from phoning home, because although most people don't know
this - and I don't do Windows but I'm familiar with how it works -
Windows is actually spyware that contacts Microsoft at least once every
week to let them know that you're still using an official version. A
tactic which, given the sheer number of pirated copies, doesn't seem to
serve its purpose too well. ;-)

In real operating systems however, there is no need for a firewall
except for what firewalls were really designed for, i.e. to keep the
bad guys out and let the good guys in. ;-)

--
*Aragorn*
(registered GNU/Linux user #223157)
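
Added example, not part of the original posts: a sketch of the check the replies above describe, i.e. find which TCP ports actually have a daemon listening on a non-loopback address, then emit iptables rules that allow those ports only from a trusted range. The sample `/proc/net/tcp` text and the trusted range `192.0.2.0/24` are constructed, and a little-endian (x86) host is assumed for decoding the addresses.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real host):
# sshd on *:22, a loopback-only service on 127.0.0.1:631, webmin on *:10000,
# and one established ssh session, which is not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5301 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5420 1
   2: 00000000:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6011 1
   3: 0A01A8C0:0016 0B01A8C0:C1F2 01 00000000:00000000 02:000A2B3C 00000000     0        0 7102 1
"""

TCP_LISTEN = 0x0A  # kernel socket state code for LISTEN


def exposed_listeners(proc_text):
    """Return sorted (ip, port) pairs for LISTEN sockets not bound to loopback."""
    found = set()
    for line in proc_text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # Address is a host-order 32-bit word; little-endian assumed here.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        if not ipaddress.ip_address(ip).is_loopback:
            found.add((ip, int(hex_port, 16)))
    return sorted(found)


def restrict_rules(listeners, trusted_cidr):
    """Build iptables commands allowing each exposed port from trusted_cidr only."""
    net = ipaddress.ip_network(trusted_cidr)  # raises ValueError on bad input
    rules = []
    for port in sorted({p for _, p in listeners}):
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in restrict_rules(exposed_listeners(SAMPLE_PROC_NET_TCP), "192.0.2.0/24"):
        print(rule)
```

On a live machine, pass the contents of `/proc/net/tcp` instead of the sample; the loopback-only listener on port 631 produces no rule because nothing outside the host can reach it.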
 