firewall useless for puppy

Bruce B

Re: firewall useless for puppy

#21 Post by Bruce B »

It is your game. You set the rules. You did it all by yourself.
sickgut wrote: I do not want "People say you can do this..." kinda answers or philosophical answers . . .
When challenged for technical specifics concerning this so-called "waste of resources", you seem to go to la la land. Read below.
sickgut wrote: . . . the waste of resources is more of an expression than a technical thing.
If it is OK for YOU to use expressions to substitute for technology, I feel
inclined to support anyone who does the same.

~

aarf

#22 Post by aarf »

I am under the impression that this site nationmultimedia.com can in conjunction with opera and flash, corrupt partitions and thus bring down puppy. It has in the past done that many times. Firewall is not stopping at all.

Bruce B

#23 Post by Bruce B »

aarf wrote: I am under the impression that this site nationmultimedia.com can in conjunction with opera and flash, corrupt partitions and thus bring down puppy. It has in the past done that many times. Firewall is not stopping at all.
When you request something, the firewall anticipates a response and regards it as authorized, unless you had a unique configuration.

If you don't request it, then the incoming is unauthorized and blocked.

I just visited the site. I suppose on next boot I'll find out if I have any partitions.

~
Attachment: nationalm.png (99.77 KiB)

Bruce B

#24 Post by Bruce B »

Bernie_by_the_Sea wrote: I'm more concerned about outgoing than I am incoming . . .
Myself included
Bernie_by_the_Sea wrote: . . . so at the moment I have I think nine apps blocked from accessing the net.
Please tell, in detail, how do you block apps?

~

sickgut
Posts: 1156
Joined: Tue 23 Mar 2010, 19:11
Location: Tasmania, Australia in the mountains.

#25 Post by sickgut »

Dunno how many times I say this, it doesn't seem to make any difference.
If a program is useless it's just wasting space/resources. I don't care how many.
It's in the range of no more than a MB or 2 of RAM once loaded. To put that into perspective, this is a distro that tries to save 1 and 2 MB in ISO size etc. by stripping out stuff as much as it can, and the firewall is using 1.5% or so of the total RAM used once booted up.

My original post is easy enough to understand. I've replied to the "define the resources yourself..." posts. So now for the 443223th time I'm saying the amount of resources isn't the point. If a program is not doing anything worthwhile then the bits/bytes, whatever it's taking up in RAM, isn't doing anything useful.

Next person who challenges me to find the exact resources it uses, I'll simply use the same stupidity back at them and say that you should prove that the firewall is not using resources and to define exactly how much it's not using.

Bruce B

#26 Post by Bruce B »

sickgut wrote:dunno how many times i say this it doesnt seem to make any difference. if a program is useless its just wasting space/ resources. I dont care how many.
Is it a program?

~

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#27 Post by Bernie_by_the_Sea »

Bruce B wrote:
Bernie_by_the_Sea wrote: . . . so at the moment I have I think nine apps blocked from accessing the net.
Please tell, in detail, how do you block apps?
Backing up, earlier I wrote:
My firewalls both in Windows and various Linux distros both allow and block certain apps and certain IPs. I'm more concerned about outgoing than I am incoming so at the moment I have I think nine apps blocked from accessing the net.
The nine blocked are in Windows, not Puppy. I use three firewalls in XP and I block specific apps with Ashampoo. It has a nice gui, doesn't interfere with other firewalls, and is ultra-simple to use.

In Puppy, it's not simple at all especially using command-line iptables and especially when you’re basically ignorant about using iptables. All my outgoing blocks in Puppy are merely experiments since there's nothing that needs to be blocked. I block apps by the ports they use. Right now I'm playing around having cups (port 631) blocked but you can block other ports/apps such as ssh (port 22) and samba (ports 137,138,139). I'm playing with cups since it's easy to confirm a printer is blocked. Who knows, maybe somebody doesn't want their kids in another room using the printer.

Puppy's firewall uses between 1% and 2% of CPU and it uses over 1% of RAM. Puppy doesn't need a firewall but old habits are hard to break.

r1tz
Posts: 162
Joined: Thu 09 Sep 2010, 05:19
Location: In #puppylinux (IRC)

#28 Post by r1tz »

Getting attempts to force into sshd/servers is very common. Many people run scripts to run through a list of IP addresses to... ...

Using a firewall to block others is fine if you are only running sshd. But you did mention a webserver, so I wrongly assumed that you meant hosting it with the same computer, because if you use the firewall to block those IPs, they won't be able to view your webserver.

I'm not saying you are wrong, just different ways of doing it.

As long as you use a strong password, you should be fine.

This would be a case of convenience vs. security.

Bruce B, imo a firewall is a program. It is a program designed to follow a set of rules to allow/block packets. The set of rules might be block packets from ports 1-100 or a range of IPs or some complicated set of rules. But still, it is a program.

I think that a firewall is necessary.
The chances you get attacked are very low (really very low). It is not too low either. Better to be safe than to be sorry.

Well... you won't need a firewall if you don't have sensitive info on your computer and you don't use a savefile. In this case, a firewall is really useless.

don922
Posts: 433
Joined: Sat 19 Jan 2008, 07:58
Location: Nong Yai Buah

#29 Post by don922 »

aarf wrote:I am under the impression that this site nationmultimedia.com can in conjunction with opera and flash, corrupt partitions and thus bring down puppy. It has in the past done that many times. Firewall is not stopping at all.
Since The Nation is one of the leading English-language newspapers in Thailand, I have read it every day on the internet for the last three and one half years. I use Firefox on Puppy and I have never experienced any problem with The Nation.
Don -- Thailand

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#30 Post by Bernie_by_the_Sea »

don922 wrote:I use firefox on puppy and I have never experienced any problem with The Nation.
He did say "opera and flash," not firefox. Opera has a history of not working well with some versions of flash and flash itself has been known to do damage sometimes from an otherwise harmless site. Flash is inherently unsafe. I normally browse with flash disabled and turn it on only if there's something I think I absolutely have to see which is very rare.

I think it was a rival English-language newspaper in Japan that demonstrated the Opera/flash problem with nationmultimedia.com but I can't find the article.

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#31 Post by amigo »

"Is it a program?"
No it is not.

mickee
Posts: 207
Joined: Tue 08 Feb 2011, 14:59
Location: Saskatoon SK Canada, Gateway 5300 Laptop, 600MHz Celeron, 384MB RAM, lucid puppy 5.2 (Full Install)

#32 Post by mickee »

sickgut wrote: wtf does windows and osx have to do with puppy forum? I'm not debating usefulness of firewall on windows, only puppy. I suspect ppl who ask questions about windows on a puppy forum are mentally disabled in some way so it really doesn't matter what I type here in reply, I doubt beem will understand it. He probably has a really huge forehead or has some gross disfigurement that interrupts his view of a screen when he types or doesn't understand English and has just copy and pasted random stuff in his post, maybe in an effort to impress other non-English-speaking people..

So no I didn't ask about windows and osx, it's a puppy forum. Go to a windows forum and ask the question yourself if you think you're doing the community a favour or need to answer a deep soul-searching question such as that. I hear deep soul-searching windows questions can change your view of the world in such a profound way you cannot explain it with words, so I will forgive you if you ask that question on a windows forum but can't quite put your answer into words when you go to explain your experience on this puppy linux thread.

I wish you all the best in life and hope you learn to live with or cure your current physical and or mental impairment.
:evil:

One who purposely and deliberately (that purpose usually being self-amusement) starts an argument in a manner which attacks others on a forum without in any way listening to the arguments proposed by his or her peers. He will spark off such an argument via the use of ad hominem attacks (i.e. 'he probably has a really huge forehead or has some gross disfigurement') with no substance or relevance to back them up as well as straw man arguments, which he uses to simply avoid addressing the essence of the issue.

Look it up.
Linux is NOT Windows. Doesn't PRETEND to be, Doesn't WANT to be; Don't try to MAKE it be.

sickgut
Posts: 1156
Joined: Tue 23 Mar 2010, 19:11
Location: Tasmania, Australia in the mountains.

#33 Post by sickgut »

mickee re:

"with no substance or relevance to back them up as well as straw man arguments, which he uses to simply avoid addressing the essence of the issue."

What is this essence of the issue you believe I'm missing? The post you quoted me on in your post was a reply to a "have you asked the same question for windows or osx?" question. Is the fact I haven't asked this about windows and osx the essence of the issue?
My original post is about the usefulness of a firewall for puppy linux, not windows and osx. I wasn't aware that to ask questions about a program running on Puppy Linux, one must first prove that he has asked about the same program running on windows and osx, even though it has absolutely nothing to do with a Puppy Linux forum or that it's even possible to run the same program on Windows and OSX.

There is a reason I'm not "listening to the arguments proposed by his or her peers."
The reason is because arguments such as the one I mentioned earlier in this reply are not even relevant to my original post. There is no reasonable way to answer such a stupid question as "have you asked the same question for windows or osx?"
Would you think everyone here would appreciate me writing a 10 page article about the ins and outs of running the Puppy Linux firewall program on Windows and OSX?
Would that make you happy? Do you think people come here for Windows and OSX support? Seriously, to take such arguments as these that are proposed by my peers as having some weight behind them is to completely throw away any logic or common sense and start addressing issues such as: "Have you tried your new .pet package on Windows and OSX?" as an example.

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#34 Post by SirDuncan »

Luluc wrote:Attackers try to break into sshd with brute force all the time. I run two Web sites, I see their dozens or hundreds of attempts in the logs every day.
When I had port 22 open on my router I would receive hundreds of login attempts per day. It was so bad that I switched to using a non-standard port for SSH, disabled password logins (only allowing key based authentication), and restricted the allowed IPs to just my ISP's range and the university's range. That was just on a home machine with no URL. I don't even want to think about how bad it is for server admins.
r1tz wrote:Using firewall to block others is fine if you are only running sshd. but you did mention webserver so i wrongly assume that you meant hosting it with the same computer. becasue if you use firewall to block those IP, they wont be able to veiw your webserver.
That's not correct. With any good firewall (iptables, Cisco's IOS ACLs, etc.) you can block traffic based on type, the port being accessed, and the originating/destination IP/subnet. Most will also let you shape traffic without actually blocking it (i.e.: throttling BitTorrent or giving higher priority to certain IPs or traffic types). I can block all non-US IPs from connecting to my machine over the SSH protocol and still let them connect to the webserver, which is using a different protocol and port. Firewall access rules can get very complicated in a large-scale installation.
r1tz wrote:Better to be safe than to be sorry.
I agree.
Bruce B wrote:
1) What resources?
2) How much resources?
3) Can you measure them?
4) How do you measure them?
Bruce B wrote:Is it a program?
Actually, I was under the impression that it was part of the Linux kernel (not exactly a program by itself) and thus was running all of the time anyway (it just might only have the rule "allow all"). That would make its resource usage very hard to determine. Someone more knowledgeable correct me if I'm wrong.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath
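The three rule sets this thread keeps circling, written out as iptables commands in one added shell example (example code for this page, not from any post above and not Puppy's rc.firewall): Bruce B's stateful point in #23 that replies to connections this host opened are accepted while unsolicited incoming packets are blocked, Bernie_by_the_Sea's outgoing port blocks from #27 (cups 631, ssh 22, samba 137-139), and SirDuncan's SSH allow-list from #34 that still leaves the web server reachable. The subnets, the non-standard SSH port 2222 and the DRY_RUN/IPT variables are placeholders and assumptions of this example, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppy's rc.firewall.
# DRY_RUN=1 (the default) prints each iptables command instead of running it,
# which is also a convenient way to review a rule set before applying it.
# DRY_RUN=0 executes the commands and needs root. IPT is the iptables binary.

DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-iptables}"

# ipt ARGS... : run one iptables command, or print it in dry-run mode
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# stateful_base : the behaviour Bruce describes in #23. Incoming packets that
# belong to a connection this host started are accepted (ESTABLISHED,RELATED);
# anything unsolicited hits the INPUT DROP policy unless a later rule allows it.
stateful_base() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# block_outgoing PROTO PORTSPEC : stop local programs from reaching PORTSPEC
# (Bernie's "block apps by the ports they use"); PORTSPEC may be a range a:b.
block_outgoing() {
    ipt -A OUTPUT -p "$1" --dport "$2" -j REJECT
}

# block_service NAME : port table for the services named in #27 (constructed
# here from the post; samba is blocked for both UDP and TCP on 137-139).
block_service() {
    case "$1" in
        cups)  block_outgoing tcp 631 ;;
        ssh)   block_outgoing tcp 22 ;;
        samba) block_outgoing udp 137:139
               block_outgoing tcp 137:139 ;;
        *)     echo "block_service: unknown service '$1'" >&2; return 1 ;;
    esac
}

# ssh_allowlist SSH_PORT SUBNET... : SirDuncan's setup from #34. SSH on the
# chosen port is accepted only from the listed subnets and dropped for everyone
# else; HTTP on port 80 stays open to all. Rule order matters: the per-subnet
# ACCEPTs must come before the catch-all DROP for the same port.
ssh_allowlist() {
    port="$1"; shift
    for net in "$@"; do
        ipt -A INPUT -p tcp -s "$net" --dport "$port" -j ACCEPT
    done
    ipt -A INPUT -p tcp --dport "$port" -j DROP
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
}

# Demo with placeholder values (RFC 5737 documentation subnets, not real ones):
#   sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    stateful_base
    block_service cups
    ssh_allowlist 2222 203.0.113.0/24 198.51.100.0/24
fi
```

The other two measures SirDuncan mentions live in sshd_config rather than in iptables: `Port 2222` moves the daemon off port 22 and `PasswordAuthentication no` restricts logins to key-based authentication. The allow-list above is what makes his point against #28 concrete: the DROP applies to one port only, so a blocked source address can still reach port 80.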

Bruce B

#35 Post by Bruce B »

SirDuncan wrote:
Bruce B wrote:
1) What resources?
2) How much resources?
3) Can you measure them?
4) How do you measure them?
Bruce B wrote:Is it a program?
Actually, I was under the impression that it was part of the Linux kernel (not exactly a program by itself) and thus was running all of the time anyway (it just might only have the rule "allow all"). That would make its resource usage very hard to determine. Someone more knowledgeable correct me if I'm wrong.
I don't think you're wrong. The questions were designed to make it difficult
for sickgut to answer, and undermine his own previous statements, even his premises.

~
Last edited by Bruce B on Wed 20 Apr 2011, 10:52, edited 1 time in total.

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#36 Post by Bernie_by_the_Sea »

SirDuncan wrote:
Bruce B wrote:
1) What resources?
2) How much resources?
3) Can you measure them?
4) How do you measure them?
Bruce B wrote:Is it a program?
Actually, I was under the impression that it was part of the Linux kernel (not exactly a program by itself) and thus was running all of the time anyway (it just might only have the rule "allow all"). That would make its resource usage very hard to determine. Someone more knowledgeable correct me if I'm wrong.
Iptables is built into the kernel. A firewall (rules for iptables other than allow all) is not. Puppy’s firewall (rc.firewall) can be measured precisely. On my computer running Wary 500 as I configured the firewall, it occupies exactly 73408 bytes in RAM. Killing (or never starting) that firewall process saves that 73KB.

Bruce B

#37 Post by Bruce B »

Bernie_by_the_Sea wrote:A firewall (rules for iptables other than allow all) is not. Puppy’s firewall (rc.firewall) can be measured precisely. On my computer running Wary 500 as I configured the firewall, it occupies exactly 73408 bytes in RAM. Killing (or never starting) that firewall process saves that 73KB.
Bernie_by_the_Sea,

I'll accept this at face value and mention, for the reader's sake, that 73408
bytes is not much consideration for today's computers.

Can we agree this is RAM resources?

What about CPU resources? Do you know a way of measuring this as far
as our iptables?

Should I mention the iptables can be configured in a way to eliminate
things we don't want and thereby increase speed?

Bruce

~

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#38 Post by Bernie_by_the_Sea »

Bruce B wrote:
Bernie_by_the_Sea wrote:A firewall (rules for iptables other than allow all) is not. Puppy’s firewall (rc.firewall) can be measured precisely. On my computer running Wary 500 as I configured the firewall, it occupies exactly 73408 bytes in RAM. Killing (or never starting) that firewall process saves that 73KB.
Bernie_by_the_Sea,

I'll accept this at face value and mention, for the reader's sake, that 73408
bytes is not much consideration for today's computers.

Can we agree this is RAM resources?

What about CPU resources? Do you know a way of measuring this as far
as our iptables?

Should I mention the iptables can be configured in a way to eliminate
things we don't want and thereby increase speed?
73408 bytes is trivial say with 1GB RAM. I think it's RAM resources.

I thought I knew how to measure CPU resources used by iptables but now I don't think I do. As an educated guess I'd say it never exceeds 2% but on the other hand I think it's always running.

Any speed increase is trivial, too.

The OP's point was that IF a firewall or Puppy's firewall is useless THEN any resources used are a waste no matter how trivial. This discussion is not quite down to how many angels can dance on the head of a pin but it is down to how the beat of a butterfly's wings in China can cause tornadoes in Kansas.

Bruce B

#39 Post by Bruce B »

Bernie_by_the_Sea wrote:I thought I knew how to measure CPU resources used by iptables but now I don't think I do. As an educated guess I'd say it never exceeds 2% but on the other hand I think it's always running.
I run an mp3 player, mpg123; it does some serious full-time decoding and
it uses about 2%.

In Windows, I used the hosts file to prevent unwanted connections, when
the connections were domain names.

For unwanted connections using IP addresses, I manipulated the routing
table.

The speed increase I refer to is by not allowing the objects to get sent
that would otherwise get sent by the GET requests the web designer
includes. Some of the more nefarious were the direct GET by IP address.

I think Linux already has iptables, only we add to its size by using the
firewall, true?

I measure various processes using htop.

Unfortunately, I don't see any process which I can identify as - this is the
iptables.

It appears to me, not much is happening at the kernel level, when things
are idle. Albeit, it is never absolutely idle.

To my way of thinking, the iptables would come into play when doing
networking, such as connecting with Firefox. At which time Firefox is using
so many threads and hitting such a high load, anything else seems
irrelevant. But when the page is loaded, available resources become
correspondingly up again.

Bruce

~

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#40 Post by SirDuncan »

Bernie_by_the_Sea wrote:A firewall (rules for iptables other than allow all) is not.
No, iptables is the firewall. The rules are just rules (some, like Cisco, refer to them as access control lists).
Bernie_by_the_Sea wrote:Puppy’s firewall (rc.firewall) can be measured precisely. On my computer running Wary 500 as I configured the firewall, it occupies exactly 73408 bytes in RAM. Killing (or never starting) that firewall process saves that 73KB.
Okay, so we're actually talking about the rc.firewall script. That changes the conversation a bit. I now assume that we are talking about an increase in the resources used when booting instead of constant resource usage (which is what I initially assumed when I thought you were talking about iptables).

If that's what is being discussed and you don't believe that it is necessary to run a firewall, then you are probably right to consider it a waste of resources. Just delete rc.firewall (or rename it to be safe) and you should get your 73KB back for the second it would have been gone. It's not enough to bother me, but I can understand wanting to optimize. As the saying goes, "Mind the ounces and the pounds will follow."

The question is, what did the OP mean by "firewall"?
Bruce B wrote:I measure various processes using htop.

Unfortunately, I don't see any process which I can identify as - this is the
iptables.
That's because there is no process for iptables. It is literally a function of the kernel. You won't see a process for rc.firewall either. It only runs for about a second at startup in order to configure the firewall settings. Unless there is some other related script that is running that I don't know about (always a possibility), there is no additional constant overhead beyond what you get from iptables in the kernel.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath
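A short added example (not from the thread and not part of Puppy) of the checks behind SirDuncan's reply and Bruce's htop question: whether any user-space process for iptables or rc.firewall exists, which netfilter tables the kernel has loaded, and how to read a process's resident memory straight from /proc, which is the number htop displays. It needs Linux /proc; the rc.firewall path is an assumed location and can be overridden with FIREWALL_SCRIPT.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppy.
FIREWALL_SCRIPT="${FIREWALL_SCRIPT:-/etc/rc.d/rc.firewall}"   # assumed path

# has_process NAME : succeed if a running process has NAME as its command name
# or anywhere on its command line. The second check matters for scripts: one
# started as "sh /etc/rc.d/rc.firewall" has the command name "sh", not
# "rc.firewall", so looking at comm alone would miss it.
has_process() {
    for d in /proc/[0-9]*; do
        [ -r "$d/comm" ] || continue
        if [ "$(cat "$d/comm" 2>/dev/null)" = "$1" ]; then
            return 0
        fi
        if tr '\0' ' ' < "$d/cmdline" 2>/dev/null | grep -qF -- "$1"; then
            return 0
        fi
    done
    return 1
}

# rss_kb_from FILE : resident set size in kB from a /proc/PID/status file
rss_kb_from() {
    awk '/^VmRSS:/ { print $2; exit }' "$1"
}

# rss_kb PID : the same for a live process (the "bytes in RAM" figure of #36)
rss_kb() {
    rss_kb_from "/proc/$1/status"
}

# kernel_tables : netfilter tables currently registered in the kernel; prints
# nothing (and still succeeds) when the ip_tables module is not loaded
kernel_tables() {
    [ -r /proc/net/ip_tables_names ] && cat /proc/net/ip_tables_names
    return 0
}

# report : the comparison the thread is about, in one screen
report() {
    if has_process iptables; then
        echo "iptables: a user-space process exists (unusual)"
    else
        echo "iptables: no process; filtering happens inside the kernel"
    fi
    echo "kernel tables loaded: $(kernel_tables | tr '\n' ' ')"
    if has_process rc.firewall; then
        echo "rc.firewall: running right now"
    else
        echo "rc.firewall: not running (it exits after loading the rules)"
    fi
    if [ -f "$FIREWALL_SCRIPT" ]; then
        echo "rc.firewall on disk: $(wc -c < "$FIREWALL_SCRIPT") bytes"
    fi
    echo "this shell's resident memory: $(rss_kb $$) kB"
}

#   sh this_script.sh report
if [ "${1:-}" = "report" ]; then
    report
fi
```

The report separates the two things the thread conflates: a one-shot script that exits after loading rules (no entry in htop once it is done) and the kernel's netfilter tables, which stay loaded and show up under /proc/net/ip_tables_names rather than as a process.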
