Firewall or not

plugwash
Posts: 2507
Joined: 2006-09-17 01:10
Contact:

#21 Post by plugwash »

Harold wrote: I like http://www.netgear.com/Products/RoutersandGateways.aspx Most routers only do NAT.
Don't you pretty much have to inspect packets statefully to perform successful NAT?

eraker
Posts: 56
Joined: 2006-09-24 00:05

#22 Post by eraker »

I've been reading this thread carefully because I feel pretty dim when it comes to networking. My Linux awareness is really coming along, but whenever people start talking about networking, servers, routers, iptables, I sort of zone out. I don't do it on purpose, but somehow the information doesn't stick. Anyway, I don't want to complicate the thread (and I should probably start another one), but I have a question to ask in relation to this discussion: Should wifi laptops be considered risky and should they have serious firewalls?

The question is prompted by my situation. I have a laptop that I don't use for networking at home, but I plan on buying a router soon. Still, networking begins automatically on boot and I'm sometimes just too busy to shut it off. It never occurred to me to put a firewall on it (because I never really think about network security), but now I'm thinking it might need a firewall even with a router? Is this not right?

Also, someone mentioned above OSS/Linux-friendly hardware: what routers are in this category? Finally, you guys have mentioned iptables a few times: where would someone like me read about iptables to understand how they work and how to edit them (I think) to build a custom firewall?

This all seemed connected to this discussion but I didn't mean to be rude by asking more questions in this thread.

tinker
Posts: 189
Joined: 2006-09-09 18:13

#23 Post by tinker »

eraker,
As you can see from the discussion, there are differing opinions on the need for a firewall if one is getting their net connection from their router. My choice is to use one (and it might be good for any time when your laptop is connected to an unfirewalled Internet feed or if/when you are using dialup) but it's true that it doesn't stop outgoing connection requests if I let my server be "owned". Take note of the fact that you can (and will, I hope) set up the firewall on the router to close those incoming ports that you don't need. You can (and will, I hope) set up your wireless communications to be encrypted between the router and laptop, therefore your level of safety comes from the router's firewall. Naturally, nothing can ever be 100% safe if it is broadcast by radio, as I'm sure you realise from a previous post.

There is lots to read about iptables; you could start with the iptables manual and/or maybe Google for something a bit easier to understand.

There are a few apps in the repo which can help you with configuration: firestarter, firehol, shorewall; and each of them has its own documentation. I think guarddog is a KDE app if you have KDE on your system. If I remember correctly, as an example, just the act of installing firestarter sets you up with basic protection and adds itself to your runlevels.

By the way, you could set up your system to not start the network automagically, then purposefully start it when you need it; that might help with you being "too busy to shut it off" because, if you need it, you can't be too busy to start it. Alternately, you could set up a different runlevel without the network start and init into the appropriate one for what you want to do.

[edit: correct misspelled guarddog]

eraker
Posts: 56
Joined: 2006-09-24 00:05

#24 Post by eraker »

That's a good idea. There's a reason why I said I'm usually too busy. I'll make another thread.

plugwash
Posts: 2507
Joined: 2006-09-17 01:10
Contact:

#25 Post by plugwash »

eraker wrote: Also, someone mentioned above OSS/Linux-friendly hardware: what routers are in this category?
Routers are generally fine with Linux; they are usually configured through simple (and generally Firefox-friendly) web interfaces and connected over a standard PC Ethernet link.

It's the USB ADSL modems that you have to watch; these can be a real PITA to get working with Linux.

eraker wrote: Finally, you guys have mentioned iptables a few times: where would someone like me read about iptables to understand how they work and how to edit them (I think) to build a custom firewall?
Google for "iptables howto".

Shanks
Posts: 6
Joined: 2006-10-06 08:54

#26 Post by Shanks »

All in all, you need to use a firewall.

TonyT
Posts: 575
Joined: 2006-09-04 11:57

#27 Post by TonyT »

plugwash wrote:
Harold wrote: I like http://www.netgear.com/Products/RoutersandGateways.aspx Most routers only do NAT.
Don't you pretty much have to inspect packets statefully to perform successful NAT?
Not really, they are 2 different things.
NAT is really not a firewall. What NAT does is handle IP addressing. It does 3 basic things:
1. hides real IP address
2. allows use of internal IP addresses
3. can combine multiple connections into 1 connection, such as using multiple ISDN connections.

SPI or Stateful Inspection has several levels of operation; not all are available in all firewalls or routers, and not all routers have SPI. Most home routers use "SPI" on a tiny level in that the destination is read from the packet headers so the packets can be routed to the correct local addresses. But that is usually as far as it goes on a home router and is actually called packet filtering.

Real SPI can inspect the headers, the frames and the frame content and by using a rules table determine whether or not the packets are allowed locally or externally (in or out traffic).

Yes, to be precise, some forms of packet inspection are necessary for NAT to do its job, but usually only the minimal in home routers.

RecoilUK
Posts: 10
Joined: 2006-10-05 17:55

#28 Post by RecoilUK »

If you're on the lookout for a router then I can recommend Draytek.

They are a bit more expensive than your normal router, but last time I checked they come with a lifetime warranty and excellent security features.

And as far as the firewall question is concerned, I would never run a computer without one. I have two, my router's firewall and iptables on my PC. Learn to set up iptables manually, as you learn a lot in the process.

It's safer to be paranoid.

L8rs
RecoilUK

PingFloyd
Posts: 24
Joined: 2006-10-05 23:17

#29 Post by PingFloyd »

Anonymous wrote: Yea I did that right at the beginning but then was told that it was junk and I really didn't need it if I had iptables installed. I looked and I do have iptables installed but not sure if it's doing anything for me or not?
One way you can test is to go over to grc.com and run its Shields Up. This will show you what is going on with a lot of ports (open|closed|stealthed).

eraker
Posts: 56
Joined: 2006-09-24 00:05

#30 Post by eraker »

I just got a Netgear router. After looking around, I discovered that Radioshack had a pretty inexpensive one. I set up the router not to broadcast the SSID, to run its firewall automatically and I gave it the MAC address of the iBook and told it to only use that wireless node. I also put firestarter on here, but I don't really know how well it works. It tells me that there are never any serious attempts at intrusion, but I don't know enough to know if that's true.

Anyway, thanks for your suggestions.

jjmac
Posts: 384
Joined: 2005-12-28 23:34
Location: Australia

firewall Yes!

#31 Post by jjmac »

eraker wrote: Should wifi laptops be considered risky and should they have serious firewalls?

Yes ....


As for understanding iptables, example scripts are a good start. You can use them as a template and just strip them down, and edit to reflect your own rules. Run the script after you run the original, or on top of any auto set up via a gui.

I learnt a lot from a script called 'rc.firewall', which I used as described above.

A Google on that does bring up a few returns, but the version I use is from

http://projectfiles.com/firewall/

While Google returns a link, I couldn't get through to the site??? So I'm not quite sure what's happening there.

http://www.faqs.org/docs/iptables/examplecode.html

The above looked like a reasonable sample script.

Also, a Guarddog config someone posted once proved to be very helpful as well.

So that's my suggestion. Use the front ends, like Guarddog or whatever feels best, and then study the config it generates, stripping out the rule sets (the parts) that are relevant to your online situation.

And do that in conjunction with the man pages, and any other documentation you have downloaded.

Including a visit to 'netfilter.org'.

A study of the man page will show that iptables is a very simple configuration really.

iptables is an external facility to the kernel, and so needs to be included via a package install, or directly from netfilter.org. The kernel just provides the required hooks that make the facility available. So keeping up to date will require either a package update or a direct update.

Run a sniffer ... observe ... :wink:


jm
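As an added illustration of the stateful-inspection point TonyT raised and of jjmac's advice to learn iptables from an example script: the block below is example code written for this page, not a script from the thread or from the projects it names. It assumes IPv4 only and a laptop that runs no service needing inbound connections; the ruleset is emitted in iptables-restore format so it can be read before it is ever loaded.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful ruleset for a
# laptop, printed in iptables-restore format. Assumes IPv4 only and that
# nothing on the laptop should accept new inbound connections.
laptop_ruleset() {
    cat <<'EOF'
*filter
# Default-deny for inbound and forwarded traffic; outbound stays open so
# the laptop can still open connections itself.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is needed by local software (X, local resolvers, and so on).
-A INPUT -i lo -j ACCEPT
# The stateful part: connection tracking lets replies to connections the
# laptop itself opened back in. Older iptables spells this "-m state --state".
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that fit no tracked connection and are not a valid new one are
# dropped quietly; every other inbound packet is a new connection attempt,
# so log a trickle of them before the DROP policy eats them.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "laptop-fw drop: "
COMMIT
EOF
}

# Sanity check for hand-edited copies: the ruleset above should contain
# exactly two ACCEPT rules (loopback and tracked replies).
count_accepts() {
    laptop_ruleset | grep -c -- '-j ACCEPT'
}

# Print the ruleset; load it with:  laptop_ruleset | sudo iptables-restore
laptop_ruleset
```

The LOG lines land in the kernel log, which is the same place firestarter reads its "intrusion attempts" from, so comparing the two is a quick way to see what the GUI is reporting.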

tinker
Posts: 189
Joined: 2006-09-09 18:13

#32 Post by tinker »

eraker wrote:I just got a Netgear router. After looking around, I discovered that Radioshack had a pretty inexpensive one. I set up the router not to broadcast the ssid, to run its firewall automatically and I gave it the mac address of the ibook and told it to only use that wireless node. I also put firestarter on here, but I don't really know how well it works. It tells me that there are never any serious attempts at intrusion, but I don't know enough to know if that's true.

Anyway, thanks for your suggestions.
MAC address filtering is good, however it is not enough. MAC addresses can be sniffed by a "Black Hat" monitoring your wireless broadcasts fairly easily (if there is someone close to you trying to break in. How secure you are is also related to where you are and who your neighbours might be. For example, there are not a lot of people scanning around rural areas, looking to do bad things or break in, but in a city...)

Do I understand you correctly that you set up the router to only give out one DHCP address at a time to wireless? In theory then, if you are connected, it won't give out another address. I assume you use the web interface from your wired desktop system to turn off the radio in the router when you aren't using wireless. I'm fairly sure the Netgear router has that feature. Doesn't it have a light on the front indicating wireless activity? You wouldn't want any activity if you weren't using it.

If your wireless CardBus card and router both have WPA-PSK ability then I recommend you use encryption for further safety.

Firestarter on your laptop (good idea as this will give you some protection when connected to someone else's router, which you don't have control of). Once installed, it adds itself to your runlevel (firestarter script) and thus starts each boot. It is not necessary to run the GUI on your desktop while you are working, and there is no need to use the resources it consumes. But, to your question, yes, it's probably guessing correctly. There are always lots of connection attempts that are benign. The reason for that is too large a topic to get into in this, already long, post.
