
Re: firewall package for laptop wi-fi client



On the 03/01/2011 10:55, Russell L. Harris wrote:
> * tv.debian@googlemail.com <tv.debian@googlemail.com> [110103 09:24]:
> 
>> Hello, if you are looking for a graphical front end you can look at
>> gufw, firestarter and guarddog. For text-based tools I hear good things
>> about shorewall.
> 
> I am looking for a package which is easy to configure, whether text or
> gui; in this respect firestarter looks good.

Any will do, they default to allow outgoing connections but block
inbound ones, sometimes with additional warnings/logging when a port
scanning pattern or brute-force attack is detected.

> 
> 
> 
>> But if you do only web browsing and email and don't run any
>> web-facing services you should be fine anyway.
> 
> I do not understand; what is a "web-facing service"?

Anything listening on a port that is designed to accept connections from
the "outside" (Internet). Could be any "server" like ftp, http server
(apache...). Usually you are fine in Debian unless you purposefully
install such a service and open the corresponding ports in your firewall.
> 
> 
> 
>> The major threats are web browser security holes (update often)
>> especially through flash and java plug-ins, and pdf.
> 
> Flash and java are in most web pages.  Does a firewall not protect
> against these threats? or are browser updates necessary even with a
> firewall?

Flash is everywhere, the plugin is a proprietary closed-source beast
known for being a security nightmare. Flash is also a power hog on
laptop batteries, so if you can live without...

Java isn't really common, but some sites require running Java "applets"
to log in, some offer games through Java, you can live without a Java (or
openjdk) plug-in more easily than Flash.
Don't get mixed up with JavaScript, which is a different technology. For
that one use a browser extension like "NoScript" which gives you sane
defaults and allows for better control.

> 
> 
>> Hosting Windows viruses in mail attachments can also be a problem if
>> you have win machines on the lan, virus scanner clamav can help
>> here.
> 
> This is a Window$-free environment.
Nice ;-)

> 
> 
> 
>> Firewall alone won't protect you from man in the middle and such
>> niceties on open untrusted networks.
> 
> Understood.  This need is for socializing around the table at
> StarBucks, Internet cafes, etc.  
> 
> Thanks.
> 
> RLH
>  

Best security is achieved through understanding what's running on the
machine, and how most common "threats" work.
By design, open password-less networks are insecure, but the risk remains
low unless you are a known valuable target. The probability of someone
eavesdropping on your passwords or stealing your laptop is higher!

I wouldn't do my internet banking/shopping over such a network though...
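
Added example, not part of the original message: one way to see which services on a Linux laptop are "listening on a port" and reachable from outside, by decoding the kernel's /proc/net/tcp table. The sample table is constructed, the function names are made up for this illustration, and only IPv4 on a little-endian machine is handled.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp format (not data from the thread):
# a loopback-only listener on 631, a listener on all interfaces on 80,
# and one established outgoing HTTPS connection.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 22222 1
   2: 0A01A8C0:B3D2 5DB8D85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1
"""

TCP_LISTEN = 0x0A  # socket state code the kernel uses for LISTEN


def decode_addr(field):
    """Turn '0100007F:0277' into (IPv4Address('127.0.0.1'), 631)."""
    hex_ip, hex_port = field.split(":")
    # The address is printed as a native-endian 32-bit word;
    # little-endian (x86, most ARM) is assumed here.
    ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listeners(table):
    """Return (address, port, reachable_from_network) for each listening socket."""
    found = []
    for line in table.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or int(cols[3], 16) != TCP_LISTEN:
            continue  # established or closing connection, not a service
        ip, port = decode_addr(cols[1])
        found.append((str(ip), port, not ip.is_loopback))
    return found


def exposed_ports(table):
    """Ports an inbound-blocking firewall is actually protecting."""
    return sorted(port for _, port, exposed in listeners(table) if exposed)


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample
    for addr, port, exposed in listeners(table):
        print(f"{addr}:{port}", "reachable from network" if exposed else "local only")
```

A listener bound to 127.0.0.1 is not reachable from other machines; anything bound to 0.0.0.0 or to the laptop's own address is what the default inbound block covers.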

