Ip tables and NAT

Alan McKinnon alan at linuxholdings.co.za
Tue Feb 28 11:46:36 UTC 2006


On Saturday, 25 February 2006 21:32, Derek Broughton wrote:
> Alan McKinnon wrote:
> > I've seen many valid iptables setups running on gateways and
> > routers. I've never yet seen such a thing on a workstation,
> > regardless of what the user believes. Every case has been much
> > work for no additional *real* benefit. Which raises the question:
> > why do it at all then?
>
> imo, you answered that question in another thread.  You said that:
> > The far better solution is a tool
> > that displays running programs and which ports they have opened.
>
> Since I haven't found such a thing, I count on iptables to prevent
> running software from opening ports I don't know about.  If you
> know of anything that does what you want, tell us.  It's not good
> enough just to run netstat - it needs to be able to tell me when
> something starts to use a port & learn and remember what ports
> should be open _in both directions_.  Like certain Windows
> products...
>
> Also, this discussion has focused on whether you need a firewall to
> stop people outside your machine accessing open ports - that's only
> half of a firewall's job.  It needs to prevent outgoing access. 
> afaict, the only way I could prevent that would be with iptables.

I had already penned a reply and discussed at length why the 
"firewalls" most users end up having are effectively not very useful, 
with all the reasons why: the sheer amount of knowledge required, and 
the difficulty of designing an interface that got the job done right 
without confusing the user and without giving a false sense of 
security. It has been my experience that iptables rule sets are 
either done right by a small minority of knowledgeable people, or are 
so poorly done by the rest as to be worthless.

Then I decided to do something really strange, and for the first time 
in a while read the man page from beginning to end. Seems like my 
knowledge was a tad out of date... I'm starting to think that 
adaptive intelligent personal firewalls can now be a reality. This 
will be a good thing indeed, and a huge improvement over what has 
historically been the case.

-- 
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
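Derek asks for a tool that shows which running program has which port open. The script below is an added example, not something from this thread or from the Ubuntu project: on Linux it reads /proc/net/tcp and maps each listening socket's inode to the owning process via /proc/<pid>/fd; the /proc/net/tcp parser is also exercised on a constructed sample so the code runs anywhere. It assumes the host is little-endian (the usual x86 case), which is how the kernel writes the hex addresses in that file.

```python
import os
import re
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, inode) for every LISTEN socket.
    Columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ..."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # address is a 32-bit hex value in host (little-endian) byte order
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        rows.append((ip, int(hex_port, 16), int(fields[9])))
    return rows

def socket_owners():
    """Map socket inode -> (pid, comm) by reading /proc/<pid>/fd symlinks.
    Other users' fd tables are only readable as root."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    comm = open(f"/proc/{pid}/comm").read().strip()
                    owners[int(m.group(1))] = (int(pid), comm)
        except OSError:
            continue  # process exited or is not ours to inspect
    return owners

def listening_ports(net_tcp_text, owners):
    """Join listening sockets with their owners; unknown owner if unmapped."""
    return [(ip, port, owners.get(inode, (None, "unknown")))
            for ip, port, inode in parse_proc_net_tcp(net_tcp_text)]

# Constructed sample: sshd on 0.0.0.0:22, cupsd on 127.0.0.1:631, one
# established (state 01) connection that must be ignored.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A000005:C13E 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    try:
        text, owners = open("/proc/net/tcp").read(), socket_owners()
    except OSError:  # not Linux: fall back to the constructed sample
        text, owners = SAMPLE, {12345: (4242, "sshd"), 12346: (512, "cupsd")}
    for ip, port, (pid, comm) in listening_ports(text, owners):
        print(f"{ip}:{port}\t{comm} (pid {pid})")
```

Run it as root to see every process; as an ordinary user, sockets belonging to other users show up as "unknown", which is itself a hint that something outside your own session is listening.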
