Firewall

Discussion in 'Acer Aspire One' started by Obeonecanopener, Oct 1, 2008.

  1. Obeonecanopener
    Hi all. I've been reading away but I'm still a little confused as to which firewall to use with the AAone. Is Firestarter a good choice for a rookie like me? If yea, why? If nay, please recommend another and explain why.
    Cheers.
    Obe.
     
    Obeonecanopener, Oct 1, 2008
    #1
  2. kevin
    If this is the Linux model, there's no point running Firestarter and there is no packet filtering support in the Linpus Linux kernel, so it won't work.

    The Linpus people obviously decided that users did not need firewall support. To be sure, it's less of a problem with Linux than with Windows, but quite a few users are miffed about the lack of firewall support.

    My suggestion would be that you bug Acer's support line about this. They really ought to make something available as an update.
     
    kevin, Oct 1, 2008
    #2
  3. rbil
    kevin, maybe you can explain to me why a firewall is even necessary? With Linux, incoming ports are only opened if a service/server is running on the box that requires it AND most services allow one to lock down who has access to the service if one chooses to do so. Many services will use a tcpwrapper and hosts.allow and hosts.deny will do the job. So what will iptables do that can't be done another way?

    Thanks

    Cheers.
     
    rbil, Oct 1, 2008
    #3
  4. kevin
    I'm not wholly convinced that it's necessary. The lack of firewall support on Linpus isn't keeping me awake at night.

    But I think the potential problem is people installing apps which they don't really understand, or know how to configure properly. Of course, Linpus (by default) is not subject to real rogues like sendmail, but that doesn't stop people installing such things. Then there's the possibility of exploiting defects in, e.g., a web browser's JavaScript or Flash or Java implementation. Some of these things _can_ open listening sockets, and we rely on the underlying implementation to prevent them doing so in inappropriate circumstances. Then there's the possibility of poorly-designed or poorly-configured pre-installed software. For example, the X server on my Linpus machine is listening on 0.0.0.0:6000. It does accept connections from outside the box, and I don't really know why it needs to.

    I don't think it's a huge problem, but I really don't think we ought to be complacent about it.
     
    kevin, Oct 1, 2008
    #4
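The check kevin describes, finding out which services are listening on a wildcard address and are therefore reachable from other hosts, is easy to script. The following is an added example, not code from anyone in this thread. It reads the output of `ss -lntuH` (iproute2) or `netstat -lntu` (net-tools) on stdin, picks out the local address column by looking for the first field of the form address:port with a numeric port, and prints every listener that is not bound to loopback. The sample lines in SAMPLE are constructed to resemble `ss` output (the 0.0.0.0:6000 X11 listener mentioned above among them); the exact column layout of `ss`/`netstat` is assumed from those tools' documented output.

```shell
#!/bin/sh
# Added example (not from the thread): report listening TCP/UDP sockets that
# are bound to a wildcard address (0.0.0.0, [::], *) rather than loopback,
# i.e. the ones another host on the network could connect to.
#
# Input on stdin: lines from `ss -lntuH` or `netstat -lntu`. The local
# address is taken to be the first field that looks like addr:port with a
# numeric port (the peer column has port "*", and header lines have no such
# field, so both are skipped automatically).

# Constructed sample, in `ss -lntuH` layout (assumption: Netid State Recv-Q
# Send-Q Local:Port Peer:Port).
SAMPLE='tcp   LISTEN 0      128   0.0.0.0:6000      0.0.0.0:*
tcp   LISTEN 0      128   127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0      128   [::]:6000         [::]:*
udp   UNCONN 0      0     0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128   *:22              *:*'

# Print "proto address port" for every listener not bound to loopback.
exposed_listeners() {
    awk '{
        laddr = ""
        for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) { laddr = $i; break }
        if (laddr == "") next
        n = split(laddr, p, ":")
        port = p[n]
        # Everything before the final ":" is the address ([::] stays bracketed).
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        # Loopback-only binds (IPv4 127/8, IPv6 ::1 in either notation) are fine.
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        printf "%s %s %s\n", $1, addr, port
    }'
}

# With --live, audit this machine; otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ]; then
    ss -lntuH | exposed_listeners
else
    printf '%s\n' "$SAMPLE" | exposed_listeners
fi
```

On the sample this prints the two X11 binds (IPv4 and IPv6), the DHCP client on UDP 68 and an ssh listener, and omits the CUPS listener on 127.0.0.1:631. Run it with `--live` as root (`ss -p` or `netstat -p` adds the owning process if you want to know who opened each port). Anything it prints that you cannot account for is a candidate either for reconfiguring the service to bind to loopback only or for an inbound packet filter.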
  5. rbil
    x11      6000/tcp    x11-0    # X Window System
    x11      6000/udp    x11-0
    x11-1    6001/tcp
    x11-1    6001/udp
    x11-2    6002/tcp
    x11-2    6002/udp
    x11-3    6003/tcp
    x11-3    6003/udp
    x11-4    6004/tcp
    x11-4    6004/udp
    x11-5    6005/tcp
    x11-5    6005/udp
    x11-6    6006/tcp
    x11-6    6006/udp
    x11-7    6007/tcp
    x11-7    6007/udp

    From my /etc/services on my Ubuntu box.

    Probably has to do with remote running of X, such as in ssh -X?

    Cheers.
     
    rbil, Oct 2, 2008
    #5
  6. kevin
    Could be -- I don't know, really. What I do know is that port 6000 is open to the outside world -- maybe it needs to be, maybe it doesn't. But it is. I could probably find a config file somewhere to close that port off, but I'd have to spend some time on Google, most likely :)

    So far as I know, the stock Linpus does not expose any other ports. I am less confident about the other software I use. I don't routinely check to see whether this software opens ports that ought to be closed off. Perhaps I should... I know that there are a lot of people out there putting a lot of time into finding security holes in popular software like Firefox. IP filtering certainly won't protect you against all possible threats, but it will protect you against _some_.

    I suspect that straightforward use of hosts.allow and hosts.deny isn't going to help very much, for two reasons. First, the AA1 doesn't run tcpd or inetd, and any software that opens a port maliciously is not going to respect the settings in hosts.deny. In fact, my experience is that a lot of software that opens a port non-maliciously doesn't respect them either -- it relies on the OS to do this and, in the case of Linpus, the OS doesn't do it. Second, these files are essentially static, so they're going to get in the way if you move your computer from network to network.

    I don't want to spread alarm -- I don't think that the lack of packet filtering on Linpus is a serious cause for concern. But the Linpus people _could_, with very little effort, have provided a basic firewall config which had a default of blocking all incoming connections, and all outgoing connections on ports > 1024. This would be completely invisible to 99% of users 99% of the time. Although the improvement in security would be rather modest, since it comes at no cost I still think it ought to have been provided.
     
    kevin, Oct 2, 2008
    #6
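The "basic firewall config" kevin has in mind, a default of blocking all incoming connections, is a few lines of iptables. The script below is an added example, not something from this thread or from Linpus/Acer. It renders a ruleset in iptables-restore format: INPUT and FORWARD default to DROP, loopback, replies to connections this host started, and ping are accepted, and OUTPUT is left open (the outbound restriction on ports above 1024 is not included). Any TCP ports given as arguments (22 for ssh, say) are opened explicitly; which ports, if any, to allow is an assumption for illustration. Under such a policy the X server bind on 0.0.0.0:6000 discussed above stops being reachable from other hosts whether or not the service itself is fixed.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal host firewall as an
# iptables-restore ruleset. Inbound is dropped by default; loopback, replies
# to our own outbound connections, and ICMP echo are allowed; outbound is
# left untouched. TCP ports passed as arguments are allowed in explicitly.

# Emit the ruleset text. Arguments: TCP ports on which to accept new
# connections (none by default, which suits a netbook that serves nothing).
render_rules() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    printf '%s\n' 'COMMIT'
}

# Number of -A rules the ruleset would load; a cheap dry-run sanity check.
rule_count() {
    render_rules "$@" | grep -c '^-A '
}

# Load the ruleset atomically. Needs root and netfilter support in the
# kernel; on a kernel built without it (as kevin reports for the Linpus
# kernel) iptables-restore fails and nothing is filtered.
apply_rules() {
    render_rules "$@" | iptables-restore
}

# When run directly, print the ruleset so it can be reviewed or piped:
#   sh firewall.sh 22 | sudo iptables-restore
render_rules "$@"
```

Review the printed rules before applying them, and test from a second machine on the LAN (e.g. try connecting to port 6000) to confirm the drop. The packet filter is a backstop; the direct fix for the X11 case is to start the X server with `-nolisten tcp` (the display manager's config is where that flag normally lives), after which the listener on 6000 disappears altogether and a later audit of listening sockets shows nothing on that port.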