Re: Debian secure by default?
On Fri May 16 2008 19:39:27 lostson wrote:
> On Fri, 2008-05-16 at 19:09 -0700, Lee Glidewell wrote:
> > On Friday 16 May 2008 07:02:59 pm Paul Johnson wrote:
> > "So... what does a 'personal firewall' actually do? Well, effectively it
> > listens on all the ports on your system. This provides no real additional
> > security over turning off the services that you don't use."
> > The nature and purpose of a "firewall" seems to be greatly misunderstood.
> > Personally, I think security vendor hype is as much to blame as naivete.
> So basically a firewall is useless ?
A firewall does not listen on any ports. (There may be Windows products
which are sold as firewalls and which listen on all ports but they are not
The main function of a firewall is to limit access to open ports. If you
have no open ports the firewall is not limiting access. Some argue from
this that since a firewall appears to be superfluous, and since a firewall
is additional software and carries the possibility of additional security
bugs, that a personal firewall is worse than useless. However there are
two additional points to consider.
1) A firewall can block access to ports that are open that you don't know
are open. For example, ports opened by malware.
2) A firewall, if very carefully configured, can block unwanted outgoing
traffic. For example, a firewall might prevent malware from emailing
your email contacts and credit card details to a cracker. However this
is not easy.
Both of these considerations currently apply much more to infection-prone
Windows than Linux.
Personally, I use few firewalls these days on Linux boxes, and when I do
it is usually for some special effect related to VPNs rather than a
classical firewall limiting access to open ports. However I use a lot
of firewalls in routers, particularly to make it harder for malware to
send spam and to reduce the spread of malware infections between Windows
In a standard Debian workstation with no services listening you really
don't need a firewall today. This may change if Linux in the future
should suffer from malware like Windows does today. Linux is just as
susceptible as Windows to a trojan that tricks people into running a
program that mails out all their email contacts, or all strings that
match a credit card number regex.
If you start a service - Apache or FTP or anything else - then you are
responsible for securing it, whether by passwords or certificates or
firewalls or otherwise. It's easy to start a service. It's not easy
to secure a service. Don't start a service until you know how to secure
it, no matter how easy it is. This applies to all OS's.
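A worked illustration of the two points above (a firewall limiting access to open ports, and blocking unexpected listeners and unwanted outgoing traffic), added here as an example and not code from anyone in this thread. It is a POSIX sh script for a current Debian box: it reads `ss -ltn`-style output (a constructed sample is embedded so it runs offline), reports listening TCP ports bound to non-loopback addresses that are not on an allowlist you supply, and prints an nftables ruleset that accepts only the allowlisted inbound ports and only lets outbound SMTP reach one assumed relay address (192.0.2.25 is a placeholder, as is the 31337 listener in the sample).

```shell
#!/bin/sh
# Added example, not from the thread. Lists unexpected listening ports and
# emits a matching nftables ruleset. All addresses and ports are assumptions.

# Constructed sample of `ss -ltn | sed 1d` output (no real host was inspected).
# Columns: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 50 0.0.0.0:31337 0.0.0.0:*'

# unexpected_ports "22 80"  < ss-output
# Prints each listening port that is bound to a non-loopback address and is
# not in the space-separated allowlist given as $1. On a real Debian host:
#   ss -ltn | sed 1d | unexpected_ports "22 80"
unexpected_ports() {
    allow=" $1 "
    awk '{print $4}' | while IFS= read -r laddr; do
        addr=${laddr%:*}        # everything before the last colon
        port=${laddr##*:}       # everything after the last colon
        case "$addr" in
            127.*|"[::1]") continue ;;   # loopback-only listeners are not reachable remotely
        esac
        case "$allow" in
            *" $port "*) ;;               # known and allowed
            *) printf '%s\n' "$port" ;;   # open, but nobody admitted to opening it
        esac
    done
}

# nft_ruleset PORT...
# Prints an nftables ruleset: default-drop inbound except loopback, established
# traffic and the given TCP ports; outbound SMTP (25/587) only to an assumed
# relay at 192.0.2.25 so a trojan cannot spam directly. Apply with:
#   nft_ruleset 22 80 | nft -f -
nft_ruleset() {
    ports=$(printf '%s,' "$@")
    ports=${ports%,}
    cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    tcp dport { $ports } accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
    ip daddr != 192.0.2.25 tcp dport { 25, 587 } drop
  }
}
EOF
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SS" | unexpected_ports "22 80"
nft_ruleset 22 80
```

The script only reports and prints; nothing is applied to the kernel unless you pipe the ruleset into `nft -f -` yourself, and a port that shows up as unexpected should be investigated (`ss -ltnp` shows the owning process) before you decide whether to allow it or kill the service.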