Jun 30
default iptables [May 2005]
> On the other hand, by default there are no services listening on the network interface - there are some listening on loopback but they can only be reached from the machine itself.

Actually, loopback services can be bounce-attacked from the local subnet, if you’re very careful. But defending against this is somewhat complicated, and the attack is complicated itself. It’s not worth worrying about, and the kernel includes a piece of code called rp_filter to protect against it.

> Exploiting these should they surface would not be a trivial task either

Nonsense. Buffer overflows aren’t complicated. Exploiting one to something beyond a DoS would be difficult, but that’s because of where the code is located, not because of the exploits.

> Now, if you want to be really paranoid, you could drop/reject everything coming in before it even reaches the IP stack.

And it really would be paranoid, as it’d be completely and totally useless. If you block everything you can talk to no one. There’s an easier way to do this: disconnect the network cable.

> So, from a pure security standpoint it boils down to what part of the Linux kernel code you trust more - the IP stack or netfilter.

Netfilter is effectively part of the IP stack. It’s a hook mechanism for code like iptables to do its work through, no more, no less.

> Pretty tough call to make.

There’s no call to make, as you take both or leave both, more or less. If you enable iptables and use it as a firewall, you get the full IP stack, netfilter, and the iptables kernel bits in the kernel. There’s no way to change that.
Seeing as there’s not much you can do against vulnerabilities in those pieces of code (besides fixing the bugs in the first place) they’re simply not worth worrying about.
> Depending on how your upstream router is configured, pinging you and getting no response could actually mean that you are alive, because otherwise the upstream router would send ICMP host unreachable back. Actually, about half of the routers on the internet will do it.

You can’t prove that a host is alive based on that.

> The point I was trying to make is “why bother?”

Depending on his needs, he may need it. Ubuntu’s default configuration admittedly doesn’t require one, but lots of configurations beyond the default will.

> There are a bazillion other reasons why you do want to have a firewall running. The problem for any distribution that wants to enable a firewall by default is that it would have to come up with a default set of rules that would seem “reasonable” for most people.

A drop-all incoming policy and asking about outgoing seems to work very well for Windows XP SP2. The problem is that Ubuntu currently has no trivial way to ask for permission to open firewall ports.
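As an added example (not part of the original thread or Ubuntu’s own configuration), here is what the “drop all incoming, keep loopback reachable from the machine itself” default discussed above looks like as an iptables-restore ruleset, together with the rp_filter sysctl the reply mentions as the kernel’s defence against spoofed source addresses. The ruleset and its comments are assumptions of this example; the ICMP echo rule is optional and shown only so the machine’s own diagnostics keep working.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal default firewall in the
# spirit of "drop all incoming, allow loopback, allow replies to our own
# connections". Emitted in iptables-restore format so it can be reviewed first.

# Print the ruleset (constructed for this example).
default_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback services stay reachable from the machine itself only
-A INPUT -i lo -j ACCEPT
# never accept a packet claiming a loopback source on a real interface
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# replies and related traffic for connections this host initiated
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# answer pings so our own diagnostics keep working (remove to go silent)
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Number of rules that explicitly open an inbound port: zero confirms that the
# ruleset really is "drop all incoming" with no service exposed.
open_port_rules() {
    default_ruleset | grep -c -- '--dport' || true
}

# Enable reverse-path filtering (the rp_filter code the post refers to) so the
# kernel discards packets whose source address could not be reached back via the
# interface they arrived on. Requires root; silently does nothing otherwise.
enable_rp_filter() {
    if [ "$(id -u)" -eq 0 ] && [ -w /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    fi
}

# Load the rules only when running as root with iptables-restore available;
# otherwise just print them for review.
main() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        enable_rp_filter
        default_ruleset | iptables-restore
    else
        default_ruleset
    fi
}

main "$@"
```

Run it unprivileged to inspect the rules; run it as root to load them. Opening a service port later is one `-A INPUT -p tcp --dport N -j ACCEPT` line placed before COMMIT, which is exactly the step the reply notes Ubuntu had no convenient way to ask the user about.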