Question:
What's Debian's (or all other distros') default firewall?
CREdulous
2013-12-09 09:12:38 UTC
Okay, I googled some iptables... and it's hard to understand what they are talking about.
But what I am wondering is, if it has to be installed (sudo apt-get iptables), then what's the default firewall in the first place?
Four answers:
Greywolf
2013-12-09 09:42:21 UTC
The actual firewall is iptables, which is built into every Linux distro. However, if you want to fiddle with the settings, you will need a GUI - people often recommend Firestarter as easy to use for a beginner, and it is usually already installed. If not, use Software Manager to install it.
David
2013-12-09 18:39:57 UTC
Hi,

Iptables is the default firewall for distros. However, you can use third-party firewalls depending on your choice of distro. Similarly, Squid is the proxy server for distros. If you have to do sudo apt-get, then the ISO you are using has it explicitly removed. Hope this answers your question.

Good Luck.
adaviel
2013-12-09 19:12:15 UTC
iptables for IPv4

ip6tables for IPv6. You need both if you have both IPv4 and IPv6 running.

Those are stateful port-and-address based firewalls, not smart content-aware SSL-decoding ones.

They are both a loadable kernel module and a command-line program with some glue (start/stop/save/panic). In RedHat the module is installed by default and some default rules are created at install time. When you add programs with the installer (yum/rpm), e.g. a webserver (httpd), it punches holes in the default ruleset for you.

By default anything started on your computer is trusted, and anything started remotely is not, except for the aforementioned holes. So all it's protecting you against is a rogue server installed by someone who hasn't got root access, like an extra webserver listening on port 9000.

It won't protect you against password-guessing on SSH, since sshd is an installed service (you should block password root logins in sshd.conf), and it won't protect you against SQL injection on a webserver since it's not smart. If you want smart, consider an IDS like Snort.

Of course you can add extra rules, like restricting services to trusted subnets or dropping annoying scanner addresses.
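The ruleset adaviel describes (outbound trusted, unsolicited inbound dropped, a few explicit holes, SSH restricted to a trusted subnet, dropped scanner traffic logged), as an added example script that is not part of the original answer. The trusted subnet `192.0.2.0/24`, the `TRUSTED_NET`/`DRY_RUN` variables and the ports are assumptions; by default it only prints the rules, and `DRY_RUN=0` as root loads them.

```shell
#!/bin/sh
# Minimal stateful IPv4 ruleset (example, not from the original post).
# Assumptions: TRUSTED_NET is the admin subnet allowed to reach SSH;
# the host runs a web server on 80/443. With DRY_RUN=1 (the default)
# the iptables commands are printed instead of loaded.
set -eu

TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"   # constructed placeholder (RFC 5737)
DRY_RUN="${DRY_RUN:-1}"

# ipt: run one iptables command, or echo it in dry-run mode
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Start from an empty filter table
    ipt -F
    ipt -X
    # Default policy: drop unsolicited inbound and forwarded traffic,
    # allow everything the host itself initiates
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback, plus replies to connections we started (the stateful part)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Explicit holes: SSH only from the trusted subnet, web from anywhere
    ipt -A INPUT -p tcp --dport 22 -s "$TRUSTED_NET" -j ACCEPT
    ipt -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Rate-limited log of everything else so scanner addresses show up
    # in the logs before the INPUT policy drops the packet
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
}

apply_rules
```

Note that this only covers IPv4; a host with IPv6 enabled needs an equivalent ip6tables ruleset, as the answer says.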
BigE
2013-12-09 21:43:53 UTC
I'd use shorewall. It is way more terse, and generates the iptables for you. You just have to define the zones and some rules.

This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.