* [gentoo-user] What if the firewall doesn't start?
From: Grant @ 2007-02-25 19:58 UTC
To: Gentoo mailing list
It occurred to me that if the shorewall firewall on my headless router
doesn't start for whatever reason, I'll be totally exposed. Is there
a way to protect against that?
- Grant
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] What if the firewall doesn't start?
From: Mick @ 2007-02-25 22:47 UTC
To: gentoo-user
On Sunday 25 February 2007 19:58, Grant wrote:
> It occurred to me that if the shorewall firewall on my headless router
> doesn't start for whatever reason, I'll be totally exposed. Is there
> a way to protect against that?
Well, you'll get an error during boot that iptables did not come up. I assume
that shorewall is only run when you change the script and
otherwise /etc/init.d/iptables is run as a default service after boot.
Anyway, a closed port remains closed whether a firewall is running, or not.
An open port is hopefully protected by decently strong passwds/authentication
mechanisms.
--
Regards,
Mick
* Re: [gentoo-user] What if the firewall doesn't start?
From: Grant @ 2007-02-26 0:28 UTC
To: gentoo-user
> > It occurred to me that if the shorewall firewall on my headless router
> > doesn't start for whatever reason, I'll be totally exposed. Is there
> > a way to protect against that?
>
> Well, you'll get an error during boot that iptables did not come up.
The machine is headless though.
> I assume that shorewall is only run when you change the script and
> otherwise /etc/init.d/iptables is run as a default service after boot.
Ouch. No. I'm running shorewall in the default runlevel and iptables
explicitly not at all. I thought running shorewall was all I needed
to do. Can you confirm that I should be running iptables in the
default runlevel and shorewall only when I want to update the config?
> Anyway, a closed port remains closed whether a firewall is running, or not.
I thought the firewall specified which ports to open/close.
- Grant
* Re: [gentoo-user] What if the firewall doesn't start?
From: Mick @ 2007-02-26 7:37 UTC
To: gentoo-user
On Monday 26 February 2007 00:28, Grant wrote:
> > > It occurred to me that if the shorewall firewall on my headless router
> > > doesn't start for whatever reason, I'll be totally exposed. Is there
> > > a way to protect against that?
> >
> > Well, you'll get an error during boot that iptables did not come up.
>
> The machine is headless though.
I guess you could get it to mail you, or text you, but someone else has to
advise as to how you set this up (in particular SMS texting).
> > I assume that shorewall is only run when you change the script and
> > otherwise /etc/init.d/iptables is run as a default service after boot.
>
> Ouch. No. I'm running shorewall in the default runlevel and iptables
> explicitly not at all. I thought running shorewall was all I needed
> to do. Can you confirm that I should be running iptables in the
> default runlevel and shorewall only when I want to update the config?
I don't want to panic you unnecessarily. I do not know anything about
shorewall and whether it takes over and runs iptables for you.
> > Anyway, a closed port remains closed whether a firewall is running, or
> > not.
>
> I thought the firewall specified which ports to open/close.
Yes, as an additional layer, with a fine degree of configuration on top. Run
nmap from another machine in your LAN and compare output with & without
iptables.
--
Regards,
Mick
* Re: [gentoo-user] What if the firewall doesn't start?
From: Grant @ 2007-02-27 3:21 UTC
To: gentoo-user
> > > Anyway, a closed port remains closed whether a firewall is running,
> > > or not.
> >
> > I thought the firewall specified which ports to open/close.
>
> Not quite, but we might be running into terminology here.
>
> The app that is listening on a port opens the port. This has nothing to do
> with the firewall. The firewall is simply an extra level of checks
> applied before the packet is allowed through the firewall to be
> received by the kernel, in the same way that a bouncer allows or
> disallows the public to enter a club. If the bouncer is off sick, the
> public gets to walk through the door up to reception, assuming the club
> is open for business.
>
> What Mick was referring to is that if a service is running, it's still
> going to listen on its port whether iptables is running or not. So, in
> the absence of iptables (i.e. your bouncer is off sick), you hopefully
> have a decent password strategy in use by whatever is actually
> listening on the box.
So as far as incoming connections are concerned, if there are no
listening applications, there is no need for a firewall?
- Grant
* Re: [gentoo-user] What if the firewall doesn't start?
From: Mick @ 2007-02-27 6:59 UTC
To: gentoo-user
On Tuesday 27 February 2007 03:21, Grant wrote:
> > > > Anyway, a closed port remains closed whether a firewall is running,
> > > > or not.
> > >
> > > I thought the firewall specified which ports to open/close.
> >
> > Not quite, but we might be running into terminology here.
> >
> > The app that is listening on a port opens the port. This has nothing to do
> > with the firewall. The firewall is simply an extra level of checks
> > applied before the packet is allowed through the firewall to be
> > received by the kernel, in the same way that a bouncer allows or
> > disallows the public to enter a club. If the bouncer is off sick, the
> > public gets to walk through the door up to reception, assuming the club
> > is open for business.
> >
> > What Mick was referring to is that if a service is running, it's still
> > going to listen on its port whether iptables is running or not. So, in
> > the absence of iptables (i.e. your bouncer is off sick), you hopefully
> > have a decent password strategy in use by whatever is actually
> > listening on the box.
>
> So as far as incoming connections are concerned, if there are no
> listening applications, there is no need for a firewall?
As I understand it, no. However, a firewall is there to offer additional
functionality and protection by logging packets, filtering the amount of
incoming packets, proactively blocking some of these from coming in, etc.
After all you would be less inclined to allow a machine which has been
scanning your server ports for the last 10 minutes to try to authenticate on
a legitimate service port, right?
http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml
--
Regards,
Mick
* Re: [gentoo-user] What if the firewall doesn't start?
From: Alan McKinnon @ 2007-02-27 15:26 UTC
To: gentoo-user
On Tuesday 27 February 2007, Grant wrote:
> > > > Anyway, a closed port remains closed whether a firewall is
> > > > running, or not.
> > >
> > > I thought the firewall specified which ports to open/close.
> >
> > Not quite, but we might be running into terminology here.
> >
> > The app that is listening on a port opens the port. This has nothing
> > to do with the firewall. The firewall is simply an extra level of
> > checks applied before the packet is allowed through the firewall to
> > be received by the kernel, in the same way that a bouncer allows or
> > disallows the public to enter a club. If the bouncer is off sick,
> > the public gets to walk through the door up to reception, assuming
> > the club is open for business.
> >
> > What Mick was referring to is that if a service is running, it's
> > still going to listen on its port whether iptables is running or
> > not. So, in the absence of iptables (i.e. your bouncer is off
> > sick), you hopefully have a decent password strategy in use by
> > whatever is actually listening on the box.
>
> So as far as incoming connections are concerned, if there are no
> listening applications, there is no need for a firewall?
Technically yes. In the real world, it depends. The theory will work if
and only if you can absolutely guarantee that no listening service will
ever be running behind that firewall, and that this will always be true
from here on out till the end of time regardless of who has access to
the machine.
That's a tall order, and leaves human nature out of it. You might
install a listening app and leave it running in error without realising
the impact of not having a firewall. Someone else might do the same.
Ubuntu takes the approach you just asked about and it mostly works well,
especially for notebooks on a LAN behind a NATing gateway. If you are
running a network with valuable private information on it, you might
well prefer a belts and braces approach of having a mostly-closed
firewall as well.
As always, the best solution will vary according to what *you* need
alan
--
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
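As an added example (not code from this thread, from shorewall or from Gentoo), a small POSIX shell audit that ties together the points made above: it checks whether the INPUT chain's default policy is actually DROP, which is what a headless box has to verify for itself and mail about because nobody sees the boot error, and it lists the ports that services (not the firewall) have opened next to the ones the filter admits, the same comparison Mick suggested doing with nmap from another LAN host. Everything in it is mine: the function names, the mail-to-root wrapper, and the `iptables -S INPUT` and `ss -ltn` output formats it parses are assumptions, and the sample rule set and socket list are constructed.

```shell
#!/bin/sh
# Added example for this thread (not code from the list or from shorewall).
# Question it answers for a headless box: did the packet filter actually load,
# and which listening services does it admit? The parsers take the text of
# `iptables -S INPUT` and `ss -ltn` as arguments, so the logic runs on the
# constructed samples at the bottom without root; audit_live() is the wrapper
# that calls the real commands (assumed installed: iptables, ss, mail).

# 0 if the INPUT chain's default policy is DROP (packets fall closed when no
# rule matches), 1 if it is ACCEPT, which is what an unloaded firewall looks like.
input_policy_closed() {
    printf '%s\n' "$1" | grep -qx -e '-P INPUT DROP'
}

# TCP ports with an explicit ACCEPT rule in INPUT, one per line, sorted.
# Understands "--dport N" and "-m multiport --dports a,b,c".
accepted_tcp_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), p, ",")
                    for (k = 1; k <= n; k++) print p[k]
                }
        }' | sort -u
}

# Ports of LISTEN sockets not bound to loopback, one per line, sorted.
# The service, not the firewall, is what opens these.
listening_tcp_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" && $4 !~ /^127\./ && $4 !~ /^\[::1\]/ {
            n = split($4, a, ":"); print a[n]
        }' | sort -u
}

# Listening ports the filter admits, space separated: every listener when the
# policy is open (the bouncer is off sick), otherwise only those with a rule.
reachable_tcp_ports() {
    rules=$1; sockets=$2; out=""
    accepted=$(accepted_tcp_ports "$rules")
    for port in $(listening_tcp_ports "$sockets"); do
        if ! input_policy_closed "$rules" || printf '%s\n' "$accepted" | grep -qx "$port"; then
            out="$out $port"
        fi
    done
    printf '%s\n' "${out# }"
}

# One-line report plus exit status for cron or a late init script:
# 0 when the policy is closed, 1 when the host is running without its filter.
audit() {
    reach=$(reachable_tcp_ports "$1" "$2")
    if input_policy_closed "$1"; then
        printf 'INPUT policy DROP; admitted services: tcp %s\n' "${reach:-none}"
        return 0
    fi
    printf 'INPUT policy ACCEPT (firewall not loaded); every listener reachable: tcp %s\n' "${reach:-none}"
    return 1
}

# Live wrapper (assumption: run as root with iptables, ss and a working `mail`).
# A headless router cannot show you the boot error, so it mails root instead.
audit_live() {
    report=$(audit "$(iptables -S INPUT)" "$(ss -ltn)") && return 0
    printf '%s\n' "$report" | mail -s "firewall check FAILED on $(hostname)" root
    return 1
}

# Constructed sample: `iptables -S INPUT` on the router after the firewall loaded.
RULES_OK='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT'
# Constructed sample: the same chain when the firewall never started.
RULES_MISSING='-P INPUT ACCEPT'
# Constructed sample: `ss -ltn` on that host (8080 is a forgotten test daemon).
SOCKETS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    *:80                *:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

audit "$RULES_OK" "$SOCKETS"            # admitted services: tcp 22 80
audit "$RULES_MISSING" "$SOCKETS" || echo "(exit status 1: audit_live would mail root)"
```

On a real box the thing to schedule is `audit_live` from cron or from a local init script that runs after the firewall's own service; its exit status is the alarm, and the second sample line is what the report looks like when the filter is simply absent: the forgotten 8080 listener is reachable along with everything else, which is the situation Alan's bouncer analogy describes.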
* Re: [gentoo-user] What if the firewall doesn't start?
From: Grant @ 2007-02-27 16:34 UTC
To: gentoo-user
> > > > > Anyway, a closed port remains closed whether a firewall is
> > > > > running, or not.
> > > >
> > > > I thought the firewall specified which ports to open/close.
> > >
> > > Not quite, but we might be running into terminology here.
> > >
> > > The app that is listening on a port opens the port. This has nothing
> > > to do with the firewall. The firewall is simply an extra level of
> > > checks applied before the packet is allowed through the firewall to
> > > be received by the kernel, in the same way that a bouncer allows or
> > > disallows the public to enter a club. If the bouncer is off sick,
> > > the public gets to walk through the door up to reception, assuming
> > > the club is open for business.
> > >
> > > What Mick was referring to is that if a service is running, it's
> > > still going to listen on its port whether iptables is running or
> > > not. So, in the absence of iptables (i.e. your bouncer is off
> > > sick), you hopefully have a decent password strategy in use by
> > > whatever is actually listening on the box.
> >
> > So as far as incoming connections are concerned, if there are no
> > listening applications, there is no need for a firewall?
>
> Technically yes. In the real world, it depends. The theory will work if
> and only if you can absolutely guarantee that no listening service will
> ever be running behind that firewall, and that this will always be true
> from here on out till the end of time regardless of who has access to
> the machine.
>
> That's a tall order, and leaves human nature out of it. You might
> install a listening app and leave it running in error without realising
> the impact of not having a firewall. Someone else might do the same.
>
> Ubuntu takes the approach you just asked about and it mostly works well,
> especially for notebooks on a LAN behind a NATing gateway. If you are
> running a network with valuable private information on it, you might
> well prefer a belts and braces approach of having a mostly-closed
> firewall as well.
>
> As always, the best solution will vary according to what *you* need
Very informative. Thanks guys.
- Grant
* Re: [gentoo-user] What if the firewall doesn't start?
From: Grant @ 2007-02-27 17:11 UTC
To: gentoo-user
> > > > > Anyway, a closed port remains closed whether a firewall is
> > > > > running, or not.
> > > >
> > > > I thought the firewall specified which ports to open/close.
> > >
> > > Not quite, but we might be running into terminology here.
> > >
> > > The app that is listening on a port opens the port. This has nothing
> > > to do with the firewall. The firewall is simply an extra level of
> > > checks applied before the packet is allowed through the firewall to
> > > be received by the kernel, in the same way that a bouncer allows or
> > > disallows the public to enter a club. If the bouncer is off sick,
> > > the public gets to walk through the door up to reception, assuming
> > > the club is open for business.
> > >
> > > What Mick was referring to is that if a service is running, it's
> > > still going to listen on its port whether iptables is running or
> > > not. So, in the absence of iptables (i.e. your bouncer is off
> > > sick), you hopefully have a decent password strategy in use by
> > > whatever is actually listening on the box.
> >
> > So as far as incoming connections are concerned, if there are no
> > listening applications, there is no need for a firewall?
>
> Technically yes. In the real world, it depends. The theory will work if
> and only if you can absolutely guarantee that no listening service will
> ever be running behind that firewall, and that this will always be true
> from here on out till the end of time regardless of who has access to
> the machine.
>
> That's a tall order, and leaves human nature out of it. You might
> install a listening app and leave it running in error without realising
> the impact of not having a firewall. Someone else might do the same.
>
> Ubuntu takes the approach you just asked about and it mostly works well,
> especially for notebooks on a LAN behind a NATing gateway. If you are
> running a network with valuable private information on it, you might
> well prefer a belts and braces approach of having a mostly-closed
> firewall as well.
>
> As always, the best solution will vary according to what *you* need
One more question, is default the right runlevel in which to run
shorewall? It looks like it's one of the last services to start that
way.
- Grant
* Re: [gentoo-user] What if the firewall doesn't start?
From: Dan Farrell @ 2007-02-27 20:16 UTC
To: gentoo-user
On Tue, 27 Feb 2007 09:11:33 -0800
Grant <emailgrant@gmail.com> wrote:
> > > > > > Anyway, a closed port remains closed whether a firewall is
> > > > > > running, or not.
> > > > >
> > > > > I thought the firewall specified which ports to open/close.
> > > >
> > > > Not quite, but we might be running into terminology here.
> > > >
> > > > The app that is listening on a port opens the port. This has
> > > > nothing to do with the firewall. The firewall is simply an
> > > > extra level of checks applied before the packet is allowed
> > > > through the firewall to be received by the kernel, in the same
> > > > way that a bouncer allows or disallows the public to enter a
> > > > club. If the bouncer is off sick, the public gets to walk
> > > > through the door up to reception, assuming the club is open for
> > > > business.
> > > >
> > > > What Mick was referring to is that if a service is running, it's
> > > > still going to listen on its port whether iptables is running
> > > > or not. So, in the absence of iptables (i.e. your bouncer is off
> > > > sick), you hopefully have a decent password strategy in use by
> > > > whatever is actually listening on the box.
> > >
> > > So as far as incoming connections are concerned, if there are no
> > > listening applications, there is no need for a firewall?
> >
> > Technically yes. In the real world, it depends. The theory will
> > work if and only if you can absolutely guarantee that no listening
> > service will ever be running behind that firewall, and that this
> > will always be true from here on out till the end of time
> > regardless of who has access to the machine.
> >
> > That's a tall order, and leaves human nature out of it. You might
> > install a listening app and leave it running in error without
> > realising the impact of not having a firewall. Someone else might
> > do the same.
> >
> > Ubuntu takes the approach you just asked about and it mostly works
> > well, especially for notebooks on a LAN behind a NATing gateway. If
> > you are running a network with valuable private information on it,
> > you might well prefer a belts and braces approach of having a
> > mostly-closed firewall as well.
> >
> > As always, the best solution will vary according to what *you* need
>
> One more question, is default the right runlevel in which to run
> shorewall? It looks like it's one of the last services to start that
> way.
>
> - Grant
You could probably run it sooner, but it might try to bring up your
network interfaces before starting. But, as long as the interfaces'
device nodes exist, whether or not the connection is up shouldn't
matter. You could move it to the boot level, probably, if you were
worried about security while the computer boots.