securing Ubuntu and firewall

H.S. hs.samix at gmail.com
Sat Feb 25 19:04:36 UTC 2006


Alan McKinnon wrote:

> First, we should get our terminology right. The Linux kernel doesn't 
> implement a firewall, it's a packet filter. So you can't do 
> intelligent firewalling related to the content of what's in a packet, 
> you can only ACCEPT or REJECT a packet based on the IP protocol, 
> port, source/destination address, related to an already accepted 
> connection, etc.

Just a minor addition (from my limited knowledge of the internal workings of
IP/TCP): also the content of the TCP/IP flags. You can filter packets based
on various flag configurations.



> Ubuntu doesn't install a packet filter for all these reasons, it just 
> doesn't enable any services by default. This is no more and no less 
> secure than a simple iptables rule set, and a lot easier to manage 
> with a GUI tool. The one place where it might seem iptables would be 
> good is to allow say sshd connections only from specified hosts or 
> networks. But on a workstation this is far easier to do with xinetd 
> and tcpwrappers

Exactly why I use a firewall. Plus I can do lots of stuff on my
webserver (controlling the access in various forms). Can't do it without
an iptables based firewall.

> 
> iptables has its place, as a dedicated firewalling machine on a 
> gateway, protecting all machines on the LAN behind it. Then you get 
> extra nice features like NAT and mangling.

Exactly why I use an iptables script on my home LAN router. Also, I can
redirect ssh to various internal machines, not to mention that I can limit
the rate of ssh attempts and get rid of those "failed attempts" in
/var/log/syslog that we see so often now.

> 
> Finally, to anyone that says they would like a GUI front-end to 
> iptables, I recommend you try and implement one. By the time you are 

No need, really. I had never tried any GUI firewall ever before in
Linux. But firestarter was a pleasant surprise. It is featureful enough
for a typical home user.


> finished you end up with a dialog that is so full of checkboxes and 
> options you might as well start vi and edit the script by hand. If 
> you are unlucky you will simply open ports at random to get stuff to 
> work (and effectively waste your time). If you are lucky, you will 
> realise what you are up against and reimplement it as a tcp wrappers 
> front-end which is quite easy to do (see above for why this is a good 
> idea).
> 

Thanks for clarifying a few things.
regards,
->HS
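An added example, not part of H.S.'s message or of the list thread, illustrating the two things described above as done on the LAN router: limiting the rate of new SSH connection attempts with the iptables "recent" match, and redirecting an external port to an internal machine with DNAT. The interface name, addresses and the external port 2222 are constructed placeholders. IPT defaults to "echo iptables", so the script only prints the rules it would install; running it as root with IPT=iptables applies them.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules that throttle
# new SSH connection attempts per source address and forward an external
# port to an internal SSH host. With IPT unset the rules are only printed.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"                      # placeholder: Internet-facing interface
LAN_SSH_HOST="${LAN_SSH_HOST:-192.168.1.10}"  # placeholder: internal machine running sshd

ssh_ratelimit_rules() {
    # Record every new SSH connection arriving on the WAN in the "SSH" list.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW \
        -m recent --set --name SSH
    # A source that has opened 5 or more new SSH connections within 60 s is
    # dropped; brute-force attempts never reach sshd, so they never show up
    # as "failed attempts" in the log, while occasional logins are unaffected.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
    # Anything below the threshold is allowed through.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

ssh_redirect_rules() {
    # Rewrite the destination of SSH traffic arriving on WAN port 2222 to the
    # internal host (DNAT), then permit the forwarded connection.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 2222 \
        -j DNAT --to-destination "$LAN_SSH_HOST:22"
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$LAN_SSH_HOST" --dport 22 \
        -m state --state NEW -j ACCEPT
}

ssh_ratelimit_rules
ssh_redirect_rules
```

The DROP rule must come before the ACCEPT rule and after the --set rule, since iptables evaluates the INPUT chain top to bottom; the --set rule counts the current attempt, so the fifth new connection inside the 60 second window is the first one dropped. Forwarding also requires IP forwarding to be enabled in the kernel and a FORWARD rule for established traffic, which a full router script would add.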