Linux and firewalls

I'm considering installing Debian Linux here and am wondering if I would need a software firewall with Linux. I know absolutely nothing about Linux basically, but want to learn. I am very familiar with Windows firewalls though, but I don't even know if there are equivalents for Linux. I also do not have a router and don't want to get one at this time. So would I still need a software firewall? If so, are there any recommendations? Thanks...

Reply to
Kerodo

Thanks Duane (and everyone else who replied).. No, I do not have any kind of router here. Sounds like I should get one perhaps. That would probably be the safest thing I guess.. And easiest. A $50 expenditure is no problem..

I have heard some good words from others about SuSe also. Thanks for confirming that..

For some reason or other I was under the general impression that Linux was more immune to the usual threats from the internet, but maybe that was a silly or juvenile belief I had. Most likely... :) I'm not paranoid and don't worry much about hackers or intrusions because in 3 years I've never seen much trouble in my logs here with Win2k, but I'd hate to have other systems connecting to me and passing viruses or whatnot, if that's even possible..

Reply to
Kerodo

Since you are wanting to learn Linux and will be running daemons/services, you do need to run a firewall. What you should do is do the install, enable the firewall to allow new and established outbound connections and block new inbound ports. Then connect to the network and get your updates.

Reply to
Bit Twister
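
Added example, not part of the thread: the policy Bit Twister describes (allow new and established outbound, block new inbound) written as iptables commands for IPv4. The IPT variable and the function name are this example's own, and by default the script only prints the commands.

```shell
#!/bin/sh
# Added example: default-deny inbound, allow outbound (IPv4 only).
# Dry run by default: each command is printed, not executed.
IPT="${IPT:-echo iptables}"

inbound_block_policy() {
    # Default policies: drop whatever is not explicitly accepted on the
    # way in or through; let this host open any outbound connection.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Empty the INPUT chain so leftover rules cannot bypass the policy.
    $IPT -F INPUT
    # Local processes talking to each other over loopback.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host started (the "established" part).
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # No rule accepts new inbound connections, so they hit the DROP policy.
}

inbound_block_policy
```

Run as root with IPT=iptables to apply the rules; IPv6 needs the same rules through ip6tables, and nothing here survives a reboot unless it is saved.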

All OS's require some form of protection from the installer and person working on the system in addition to Internet based threats. As a general rule of thumb, you can safely install/config/test anything that sits behind a NAT router - something you can purchase for about $50 at most computer sales places.

Reply to
Leythos

Kerodo wrote in news:MPG.1c0bd135b6632e82989684 @news.west.cox.net:

I thought you had a Linksys NAT router? You don't need a FW enabled on the Linux machine because you have the NAT router. I have no FW enabled on my Linux box. You know you can purchase SuSe Linux 9.1 Pro for I think it cost $29.00 big ones and it comes with SuSefirewall112. I looked at the FW briefly and it looked to be top of the line, but is not enabled due to the Watchguard FW appliance sitting there. The install comes with 5 CD's and two decent books a User Guide and Admin Guide to learn SuSe and in general Linux. I also have two supplemental books "Linux in Easy Steps" and 'Mastering Linux'. There is also support for SuSe Linux through Novell, which I have had to call twice and they came through like a champ. The Novell support is for the installation and setup which is free. You need help on more advanced stuff, and then you got to pay. Unfortunately, I have not had the time to really lock in on Linux and learn it like I would like, because of things I need to do with learning to use MS .Net, but I'll get there.

Duane :)

Reply to
Duane Arnold

No. The firewall placebos you know from the Windows world do not exist for Linux and it is good that they do not exist since they are unnecessary crap.

Complete nonsense. A locked down box is enough. Anybody who is not able to lock down a box must not run public services.

What he shall do is start only the services he wants to offer. It's that simple. After that he should check the bindings of those services. After that he might like to use tcp Wrapper functionality to restrict access to certain services. And if all that is not enough he might perhaps think about using packet filtering (iptables). If he decides to use it a separate filtering box in front of his box(es) is the far better place to do that.

You have no clue and you obviously have not installed even one Debian Linux box during the last 2-3 years. BTW: Debian installs security fixes automatically during the installation if you install from network.

Wolfgang

Reply to
Wolfgang Kueter
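
Added example, not part of the thread: a check for the "bindings" step in the post above, listing the TCP listeners that other hosts can reach. It reads `ss -ltn` output; the sample data is constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example: report TCP listeners that are not bound to loopback only.

# Constructed sample in the layout printed by `ss -ltn`.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     [::1]:631            [::]:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       244     192.0.2.10:5432      0.0.0.0:*
EOF
}

# Reads `ss -ltn` output on stdin and prints "port address scope" for every
# listener reachable from outside the machine. Loopback-only binds are
# skipped because no remote host can connect to them.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        ep = $4                                # local "address:port"
        pos = match(ep, /:[0-9]+$/)            # start of the trailing ":port"
        if (pos == 0) next
        addr = substr(ep, 1, pos - 1)
        port = substr(ep, pos + 1)
        if (addr ~ /^127\./ || addr == "[::1]") next
        # A wildcard bind listens on every interface the host has.
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            scope = "wildcard"
        else
            scope = "specific"
        print port, addr, scope
    }'
}

sample_ss_output | exposed_listeners
```

On a real host, run `ss -ltn | exposed_listeners`; each line it prints is a service to stop, rebind to loopback, or restrict.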

The above is a fundamental flaw in your idea - the chap wants to learn, which means he won't be setting up a secure system by default, is prone to making mistakes, etc...

The idea that he uses a simple NAT box in before his internet connection means that he can learn without much fear of being compromised until he's secure (knowledge) enough to put it on-line.

Reply to
Leythos

WG, I did read it, but except for the very last part it seemed to be saying you don't need a NAT box or anything in front of it.

I agree, I don't trust NAT, but it's cheap, does a good job at keeping things out, and most people can install a simple NAT box without a degree in astro-physics.

Reply to
Leythos

I strongly recommend _reading_ my posting.

BTW: I trust packet filtering more than NAT.

Wolfgang

Reply to
Wolfgang Kueter

No doubt that the router is a good choice.

The distributions like SuSe make it easy to install Linux and set it up and become productive using Linux quickly and it has help support. You know I had someone have the nerve to talk about Linux is not a point and click world. Well if Linux wants to really compete and get a broader user base, then it had better become a point and click world, which I do see that is just that a point and click world with the ability for the user to go to the Command Line like MS if need be.

It's more immune because it's being used less than let's say MS products. But now the average Joe Blow can install Linux with SuSe Linux and other such distributions. And Linux is open to and is being attacked. And the clueless on the MS side will carry that cluelessness to the Linux side and be attacked just the same. The patches for a while were popping out like popcorn like MS. So, I enabled the Auto Patch checking feature for critical Linux updates at the SuSe site just like I do for the MS machines. I have not seen any come across in a while. ;-)

Linux does have security tools like an AV and other security things that can be installed. I'll have to ask again what those are. I should at least install the AV and run it on a routine basis. ;-)

You should check out SAMBA that's on the SuSe distribution that allows Windows and Linux machines to share resources.

I like Linux very much as I do MS, but Linux is not immune to anything and it's hype. ;-)

Duane :)

Reply to
Duane Arnold

I've been looking at Mandrake, SUSE and RH FC3 over the last couple months and here is what I've found:

SUSE 9.1 Personal - installed perfectly on my laptop and three other computers, including a Dual P3 server. Worked like a champ. Did not like accessing shares on my 2003 server and once I got it working and did an update of all packages it broke the access to the shares - I set it aside. I found the KDE interface to be very slow on every computer.

Mandrake 10.0 - Installation went smoothly, but I had to edit the KDE Video configuration files on each install or KDE would not run - it was trying to use some weird resolution (1690x480 I think). I found the files (reading from others' examples) and changed them to 1024x768. KDE is very fast, much faster than SUSE 9.1. I tried to get Apache2 working using the GUI interfaces and failed.

I'm not a Linux guy, I was looking only for a small desktop replacement for people that run MS boxes in an office. I was planning on using Cross-over to run Office XP on all platforms.

I'm just getting to RH.

As for security - nothing is secure, only less susceptible. Linux has many exploits, there are updates and patches all the time. The thing that Linux has going for it is that there are fewer nodes to attack, presents a smaller target, and "in general" has a much better security record because of the complete difference in the security structure. You also don't have to worry about MS targeted viruses, but you do have to worry about unpatched or improperly configured Linux systems that are exposed to the public.

The router will allow you to PORT-FORWARD things inbound to the box to test and then to disable when you are done. This also leaves you playing in your own network and not on the net until you are ready with your own skills.

Reply to
Leythos

I found that the Pro version doesn't seem to have that slowness you speak of with the KDE, at least I have not noticed it. I have not gotten the Windows XP machines to access the Linux machine, but I had no problems in accessing the Windows machine from Samba and pull files across. I know it's being done from Windows to Linux, but I have not gotten around to figuring it out. That also includes making Linux talk to the printer on the print server as well. When I called SuSe support about connecting to the print server, they wanted $$$$. The Pro version of SuSe does cost a few dollars more.

I frequent another NG where there is always a thing between the MS and Linux users. I do have posts with links made to me or see other posts with links about the simple attacks on Linux that will catch the clueless through email or using the browser. I had a post made to me about how the source code for Linux is readily available for Linux. They don't seem to be coming after Linux like they do with MS at the moment. I think if they do start coming after Linux like MS, it will be interesting to see what happens.

Duane :)

Reply to
Duane Arnold

Although they pretty much just find MSWindows viruses that are stored on your file system.

Reply to
Justins local account

The reason you want a stand-alone box is to protect you while you learn. You've said you want to learn, and this often means setting up servers of one kind or another. You'll probably make some initial mistakes, and the external firewall is to prevent the Internet from eating your shorts, while at the same time, allowing you free access from other computers on your LAN. Once you learn "what to do", the external firewall becomes moot.

formatting link
formatting link
formatting link
The first two sites have information (and downloads) of around 100 different Linux distributions.

Viruses are virtually unknown (though a few, mainly demonstrations, exist), and trojans are somewhat less rare (though not a common problem).

BINGO!!! The reason windoze of all variants is infested with viruses, trojans, spyware, and so on is that stupid people will install anything mainly because they don't understand what they are doing, and don't want to (or can't) learn. *nix (meaning UNIX in general, and all of the clones like the various BSDs and Linux) is more resistant to problems, but any operating system can be made unsafe if you try hard enough. Part of the immunity comes from having users who are willing to spend some time to learn what they are doing.

formatting link
formatting link
There are over 480 documents (total about 4 million words - about 12,000 pages) telling you HOWTO do certain things.

formatting link
formatting link
There are about 20 books you can download for free - several over 400 pages long. Some of them can be bought in bookstores if you want the paper version.

There are 17 "official" newsgroups in the "comp.os.linux.*" hierarchy, and an untold number of unofficial or alternate groups.

[compton ~]$ grep -cw linux .newsrc
871
[compton ~]$

My ISP's news server (giganews) has 871 - some of which might actually be interesting (I scan 29 every day, and actually read 9).

Old guy

Reply to
Moe Trin

What? There are and will be stupid people using Linux too. I was ignorant on how to protect the MS O/S like many others a few years back, and I had many years of computer expertise but was unaware of the dangers of the Internet and how to protect the MS O/S. But I took the time to learn how to protect the O/S and I have no problems with it. It's not that there are stupid people using MS. MS's user base is vast and many users simply don't know how to protect the O/S or how to even go about finding the information to protect the O/S. That information must be sought out and found. And one does need a little savvy on how to protect the MS O/S make no mistake about that. Linux has somewhat been protected from these types of users. And still at this particular time, one needs a little savvy to even seek out and install Linux. But those days are coming to an end due to distributions such as SuSe that's sitting on store shelves along with MS and others and it's cheap in price compared to the others and is a viable O/S. The clueless will be coming after Linux if companies like Novell and others seeking that almighty $$$$ have their way and can push Linux in front of those users and make the install easy and present books on the how to(s) with Linux. They will know just enough to be armed and dangerous and will be attacked on the Linux platform. And Linux is no bed of sweet roses and is riddled with yet to be discovered holes just like MS, MAC OS and the rest of the crap that's out there.

Duane :)

Reply to
Duane Arnold

In article , snipped-for-privacy@Notme.com says... [snip]

Duane, having been working with computers since the late 70's, I can assure you that Linux will not be the common desktop for most users for many years to come. The reason is that it's not ready for the typical home user due to the lack of support by hardware/software vendors and due to simplified use features.

I loved the way SUSE installed, but it was slow, and was not easy for my mother-in-law to install a printer from. In XP, since she had already used it at the office, it was simple for her to get the printer working.

Once the major nix players settle on interface standards it will start making larger inroads into the homes, until that time it will be used by admins, tinkerers, developers, and those types on a normal basis, the typical home user is not ready for it.

Reply to
Leythos

It will happen and the improvements will be made to make things easy because companies are starting to market Linux. They want that $$$$$. The price of MS products is too much and it needs to be driven down by good competition in the market place.

Duane :)

Reply to
Duane Arnold

Well, I did go ahead and install Debian here before I read the rest of the replies in the last day or so. I became frustrated with it almost immediately.

I resized my Win2k partition with Partition Magic and that went well enough. Then I booted with the Debian disk and started the install and that went fairly well at first also. However when it got to the point where it was supposed to install devices and network stuff, it failed to recognize my SMC USB network card. I tried playing with a few things and installing other card drivers, but everything failed. I couldn't get past that point, so I was basically hosed before I even got started.

I'm sure it must be possible to configure somehow, but I ran out of patience fairly fast. That's a little unusual for me, but for some reason things didn't look good.

I think I'm spoiled by the MS products, which generally install and detect everything without any problems. I was expecting a similar ease of installation with Linux, but not with Debian at any rate. Perhaps the others are better.

So, for the moment I've gone back to Win2k and done a fresh reformat and install tonight and installed all my usual apps and so on. I guess for now I'll just stick with the MS OS that I'm so familiar with. Maybe I'll buy one of the other Linux packages at some point in the future and try again, most likely after I buy a router first.

Thanks for all the replies and information from everyone. It was very helpful and interesting. :)

Reply to
Kerodo

Kerodo wrote in news: snipped-for-privacy@news.west.cox.net:

Well, you cannot go wrong with SuSe 9.1 Pro or Personal. At least Pro will detect the MS O/S that is on the machine and do the partitioning during the install process it seemed on the fly and allow you to have Linux and MS on the machine at the same time. I hear that it's not wise to have MS and Linux in a dual boot situation but I don't think you'll have a problem with SuSe.

I don't know about the USB network card as SuSe didn't pick-up the ZIP drive on the machine that MS had no problem Win 2k or XP Pro with installing. I'll say the SuSe had a lot of drivers in place. I do have SuSe standalone on my old Dell desktop machine. And the thing with SuSe is that you can pick-up the phone and call Novell for free help with the installation and setup.

Linux would not be on a machine of mine, if I had to go out of my way to do it. ;-) But SuSe was a piece of cake like MS.

Duane :)

Reply to
Duane Arnold

SuSe sounds good Duane.. If it can install without me having to edit and play with a thousand files then that would be excellent. I'll keep it in mind when the time comes to try again. That's what I'm looking for.

Perhaps Debian was just a bad one for an inexperienced person to try first. I did download and run Knoppix for fun before I tried installing Debian. Knoppix is a Linux of about 2 gigs compressed onto a 700 Meg CD that runs from the CD so you don't have to install it or anything. To its credit, it detected all my hardware and network card without any problems at all, and ran right out of the box. That's how I thought Debian would be and that's why I tried it. Unfortunately you can't do much with Knoppix since it's just running from a CD. But it did work flawlessly on my hardware.

I'll try again, maybe in a few months...

Reply to
Kerodo
