firewall useless for puppy

increa
Posts: 29
Joined: Sat 21 May 2011, 17:24

Puppy firewall does what any firewall does

#161 Post by increa »

Firewall = blocking of packets. (over simplifying... but that's basically it)
Instead of speaking of a firewall in some mysterious mystical way such as "it stops viruses or trojans", let's just say what it does. It stops packets from reaching your computer. Some malformed packets can cause certain IP stacks to trip up and let bad code get to your computer CPU, so people like to stop extra packets.

Firewalls mostly stop packets based on various criteria such as what IP they come from, or what port they're addressed to. A hardware NAT router will basically do the same thing, but doing it with software on the computer is easier, especially when I'm hooking up wireless at new locations.

The folks at GRC.com also point out that without a firewall, your computer will often reply "sorry, I can't respond to that", which begs the hacker to keep trying more probes. A firewall can make it so your computer never sees the unacceptable packet, and so issues no reply.

A firewall can also stop programs on YOUR computer from sending packets out to the world. A hardware NAT router won't do that.

In other words, I don't think people need to prove that anybody should use a firewall. If you don't want the function of a firewall, don't use one. See if there is any performance increase when you turn it off; probably not because other things are slower.

increa
Posts: 29
Joined: Sat 21 May 2011, 17:24

sshd type security

#162 Post by increa »

sickgut wrote:so what if someone accesses your sshd login? you would have to be extremely silly to not have a decent password attached to it. in this case (also the same case with 100's of thousands of vps servers with linux on them that are mainly accessed via ssh to administer them etc that generally have no firewalls, i have one myself) the sshd program itself provides the security.
Broaden your idea of security! Within 1 day of putting an ssh server up, my logs showed thousands of packets trying to log in with a dictionary attack of names from an IP in China. Yes, mostly wasted time, but in the process, the remote hacker now knew the names of the two accounts that WERE on my computer. Now they come back later, and trying only those two names, pound me with a dictionary attack of passwords. You're right that my computer was "secure" in that nobody got in -- that time.

Nonetheless, I changed the names, and moved my sshd to a non-standard port and firewall blocked the standard port so my computer would show "nobody's here, go poke a different IP address".
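The sequence described in the post above (a dictionary attack on usernames, followed by a targeted password attack on the accounts that turned out to exist) is visible in sshd's own log lines. The following detector is an added example, not code from the original post or from Puppy; the log lines, host name, addresses and usernames are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the original post); the
# host name, addresses and usernames are made up.
SAMPLE_LOG = """\
Jul 24 10:01:02 pup sshd[2101]: Invalid user admin from 203.0.113.7
Jul 24 10:01:03 pup sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Jul 24 10:01:05 pup sshd[2104]: Invalid user oracle from 203.0.113.7
Jul 24 10:01:06 pup sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 51114 ssh2
Jul 24 10:01:09 pup sshd[2108]: Failed password for alice from 203.0.113.7 port 51120 ssh2
Jul 24 10:01:12 pup sshd[2111]: Failed password for alice from 203.0.113.7 port 51124 ssh2
Jul 24 10:01:15 pup sshd[2115]: Failed password for bob from 203.0.113.7 port 51130 ssh2
Jul 24 10:02:40 pup sshd[2140]: Failed password for alice from 198.51.100.9 port 40002 ssh2
Jul 24 10:02:55 pup sshd[2142]: Accepted publickey for alice from 198.51.100.9 port 40004 ssh2
"""

# sshd logs "Failed password for invalid user X" when X does not exist and
# "Failed password for X" when X is a real account; that difference is what
# lets a reader of the logs separate name probing from attacks on real accounts.
FAILED = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def summarize(log_text):
    """Per source IP: invalid-user probes, real accounts targeted, total failures."""
    stats = defaultdict(lambda: {"invalid": 0, "real_users": set(), "failures": 0})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and other sshd messages are ignored here
        s = stats[m.group("ip")]
        s["failures"] += 1
        if m.group("invalid"):
            s["invalid"] += 1
        else:
            s["real_users"].add(m.group("user"))
    return dict(stats)

def flag_attackers(stats, threshold=3):
    """Sources that probed non-existent names and then hit real accounts,
    with at least `threshold` failures: the enumerate-then-target sequence."""
    return sorted(ip for ip, s in stats.items()
                  if s["failures"] >= threshold and s["invalid"] and s["real_users"])

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in flag_attackers(stats):
        print(ip, stats[ip])
```

The single failure from the second address is a real account's own typo and is not flagged; only the source that probed non-existent names and then concentrated on the real ones is reported.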

increa
Posts: 29
Joined: Sat 21 May 2011, 17:24

Proving what we claim

#163 Post by increa »

sickgut wrote: My original post is easy enough to understand. I've replied to the " define the resources yourself..." posts. So now for the 443223th time I'm saying the amount of resources isn't the point. If a program is not doing anything worth while then the bits/ bytes whatever its taking up in ram isn't doing anything useful.

Next person who challenges me to find the exact resources it uses I'll simply use the same stupidity back at them and say that you should prove that the firewall is not using resources and to define exactly how much it's not using.
In the spirit of this email thread, I just can't resist... Can you PROVE it was the 443223th time? I think you should provide some hard evidence, or else I just won't believe you. If you claim that the resources of your life are being wasted, you should take the time to document this prior to claiming it! (that was intended to be light hearted humor)

Seriously: Why so much contention in this email thread?! sickgut, remember, nobody is obliged to even answer any given post. Why levy on others so much effort to provide hard evidence for free? I bet if you offer $100 into the mix, you'll get some hard evidence based on 2 hours of someone's life to get it to you. I'm not sure why anybody should put so much effort into your demands -- because that would be wasting THEIR resources of fun time/life at the Puppy keyboard without compensation.

A decade or more ago, I was part of a thread debating if computer cooling fans should blow in or out. It intrigued me enough that I spent a week collecting cooling data and playing with the fans of my computer cases. I typed up a report and put it out onto the email backbone links (there was no internet at the time). If you're interested in balancing firewall resources/effect, take the time to lead the role! For me, firewalls "waste my life" only in the constant upgrade, options, etc. I value a firewall being quiet and doing its job. The fact that it takes 2 useconds extra time is irrelevant for me, with my needs.

increa
Posts: 29
Joined: Sat 21 May 2011, 17:24

Example of WHICH kind of documented threat?

#164 Post by increa »

sickgut wrote:A lot of people still say that you must have a firewall in Puppy for protection, but I would have thought it reasonable that just one example of a valid threat could be documented and posted here. This leads me to believe that the threat is non-existent.
Do you use your words in context of the full security landscape? Do you mean threat, risk, susceptibility, or vulnerability? Which are you looking for an example of?

I use my firewall to block standard port SSH traffic. Is that the simple type of example you're looking for? Or do you want documentation that somebody tried to use that port and had a way to attack the port that would take down Puppy? Well.. because my port is blocked, I don't know what somebody ~could~ have done on the port. I already gave the example that somebody DID collect all the usernames on my computer by using a non-blocked standard SSH port. Was collecting usernames a hack? You'll have to decide your standard of what constitutes a "hack".

increa
Posts: 29
Joined: Sat 21 May 2011, 17:24

Pings are like life?

#165 Post by increa »

Bernie_by_the_Sea wrote:Actually pings are necessary for the Internet to work properly. Turn them off and there'll be things you can't do on the web. Turn them on and you can be found by hacker/crackers.
Kind of like life, isn't it?! If I breathe, live, eat, and sleep, that makes me vulnerable to the bad guys. Being vulnerable to hackers is like getting old. Given the choice... I would rather...

increa
Posts: 29
Joined: Sat 21 May 2011, 17:24

Firewall blocking what my computer sends.

#166 Post by increa »

miriam wrote:One point I'd like to learn more about is configuring the firewall to deny all programs, except certain ones I trust, access to the net.
Non-Puppy comment: I use free "Zone Alarm" to do this in Windows.

increa
Posts: 29
Joined: Sat 21 May 2011, 17:24

System Threat

#167 Post by increa »

One last thought in this thread for this morning:

It's often not one specific thing (get through my firewall) that creates a threat. Here's an example where individual non-threat pieces built into enough of a threat that I secured my system.

I enabled the Hiawatha web server. Even opened up to respond to all IP addresses (like a honey pot, I was interested who was on the hotel network and would choose to browse into my computer).

Then I enabled the Puppy personal blog. All okay, until I READ the default files served up by the server and the blog. In the blog default post, it gives the password for the "secure" spot account. Well, that file is intended to only be read by the local user at 127.0.0.1. But, by opening my web server up, the blog program now provided that password to everybody.

So, anybody could admin my blog, dump whatever they want there and as a minimum bury my computer in downloaded trash. That will crash any hard drive when it becomes full. Or the database will die first.

So... I went back and turned off the web server. OR, what I could have done is install a firewall so that only packets from within my local network could get to the web server Puppy. In this case, the firewall ~would~ have protected me. That's a pretty tangible example, I think. However, I solved the problem a different way.

However, I still run the Puppy firewall because its overhead is a simple XOR statement against a port or IP number. Takes about a microsecond. I can afford that cost to cover my ~other~ braindead actions such as web serving my own blog post that gives my own password to the world.

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#168 Post by Aitch »

increa wrote:In the blog default post, it gives the password for the "secure" spot account. Well, that file is intended to only be read by the local user at 127.0.0.1. But, by opening my web server up, the blog program now provided that password to everybody.
I think that should be brought to Barry K's attention somewhat urgently, as a security bug!

Aitch :)

puppyite

#169 Post by puppyite »

About Hiawatha:
I would think that anyone who runs a web server on their local machine would know that it should have a password set before it will start or at least give some warning if a password isn’t set.

I have no experience using the Hiawatha web server in Puppy Linux so I don’t know if it has a default password set up or not. If not then that may be a problem if the user starts it and no warning is given.

SimpleWater
Posts: 94
Joined: Tue 19 Apr 2011, 11:53

#170 Post by SimpleWater »

After doing research, I have found the solution for the flash cookies. There is actually an extension for firefox called "Betterprivacy"(essential). It is made specially for deleting super cookies and is very easily customizable. If you're worried about javascript then there's "noscript"(nonessential). Another firefox add-on. Something else you can do is go into your about:config and look for dom.storage.enabled and set the value to false.

I also tried to find warning threads about malware. I searched other big distros like ubuntu forums, and nothing of course. This is linux, I don't think the word "malware" exists in linux yet. You might want to include your sources when you make big claims like that, Bernie.

When html5 becomes a standard, then you can ditch flash

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#171 Post by Bernie_by_the_Sea »

SimpleWater wrote:I also tried to find warning threads about malware. I searched other big distros like ubuntu forums, and nothing of course. This is linux i don't think the word "malware" exist in linux yet. You might want to include your sources when you make big claims like that bernie.
Exactly what “big
Frugal: Knoppix 6.4.4 DVD
USB: DSL 4.4.10
Full: WinXP Pro
Puppy (Feb. 4 - May 12, 2011) led me back to Linux.

aarf

#172 Post by aarf »

@BbtS have you found any 'bad things' with your specially modified puppy?
I haven't read the whole thread.

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#173 Post by Scooby »

rc.firewall built with default config

I tried to mod rc.firewall to pass the ShieldsUp common ports test,
but cannot stealth 135, 139, 445.

I probably could find out how via iptables directly but can it be done
via rc.firewall?


with:

########################################
# -- Advanced Configuration Options -- #
########################################

# ** DO NOT ** modify anything below unless you know what you are doing!!
# See online documentation at: http://projectfiles.com/firewall/config.html

DENY_OUTBOUND=""
ALLOW_INBOUND=""
BLACKLIST=""
STATIC_INSIDE_OUTSIDE=""
PORT_FORWARDS=""
PORT_FWD_ALL="yes"
PORT_FWD_ROUTED_NETWORKS="yes"
ADDITIONAL_ROUTED_NETWORKS=""
TRUST_ROUTED_NETWORKS="yes"
SHARED_INTERNAL="yes"
FIREWALL_IP=""
TRUST_LOCAL_EXTERNAL_NETWORKS="no"
DMZ_INTERFACES=""
NAT_EXTERNAL="yes"
ADDITIONAL_NAT_INTERFACES=""
IGNORE_INTERFACES=""
LOGGING="no"
REQUIRE_EXTERNAL_CONFIG="no"

############################################
# -- Advanced Firewall Behavior Options -- #
############################################

# The default settings provide the suggested firewall configuration.

NO_RP_FILTER_INTERFACES=""
INTERNAL_DHCP="yes"
RFC_1122_COMPLIANT="no"
DROP_NEW_WITHOUT_SYN="yes"
DUMP_TCP_ON_INIT="no"
TTL_STEALTH_ROUTER="yes"
LOG_LIMIT="1/minute"
LOG_BURST="5"
LOG_LEVEL="notice"

###########################################################
# -- Nothing below this point should need modification -- #
###########################################################

# Set version information.

VERSION="2.0rc9"

User avatar
Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#174 Post by Semme »

Scoobs.. adjust these two. If no good, inspect your ISP's configuration page.

Hey, and if not there either, you could always take a look through Arno's.

# The default settings provide the suggested firewall configuration.

NO_RP_FILTER_INTERFACES=""
INTERNAL_DHCP="yes"
RFC_1122_COMPLIANT="yes"
DROP_NEW_WITHOUT_SYN="no"
DUMP_TCP_ON_INIT="no"
TTL_STEALTH_ROUTER="no"
LOG_LIMIT="1/minute"
LOG_BURST="5"
LOG_LEVEL="notice"
Attachment: 528_sfw.jpg
>>> Living with the immediacy of death helps you sort out your priorities. It helps you live a life less trivial <<<

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#175 Post by Scooby »

with your configuration I get even worse results
see below

What do you mean check ISP?

*edit*
tried Arno's with exactly the same result
135, 139, 445 closed and not stealthed?



------------------------------------------------------------------------------------
GRC Port Authority Report created on UTC: 2014-07-24 at 10:32:08

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

0 Ports Open
13 Ports Closed
13 Ports Stealth
---------------------
26 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be CLOSED were: 135, 139, 445, 1002, 1024, 1025,
1026, 1027, 1028, 1029, 1030,
1720, 5000

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
Last edited by Scooby on Thu 24 Jul 2014, 10:58, edited 1 time in total.
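A parser for the ShieldsUp report format quoted above, added here and not part of the original post or of GRC's tools. It extracts the tested, open, closed and stealth port sets from the report text and checks them against the summary counts, so the distinction the thread turns on (a "closed" port means the host answered the probe, for example with a TCP reset; "stealth" means no reply at all) can be read off the report programmatically. The sample input is the report text from the post itself.

```python
import re

# The ShieldsUp report from the post above, embedded as the sample input.
REPORT = """\
GRC Port Authority Report created on UTC: 2014-07-24 at 10:32:08

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

0 Ports Open
13 Ports Closed
13 Ports Stealth
---------------------
26 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be CLOSED were: 135, 139, 445, 1002, 1024, 1025,
1026, 1027, 1028, 1029, 1030,
1720, 5000

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
"""

def _ports(text):  # expand '0, 21-23, 1024-1030' into a list of ints
    out = []
    for tok in re.findall(r"\d+(?:-\d+)?", text):
        lo, _, hi = tok.partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out

def _section(report, marker):  # text after marker up to the next blank line
    return report.split(marker, 1)[1].split("\n\n", 1)[0] if marker in report else ""

def parse_report(report):
    tested = _ports(_section(report, "Results from scan of ports:"))
    closed = _ports(_section(report, "CLOSED were:"))  # host replied (e.g. TCP RST)
    open_ = _ports(_section(report, "OPEN were:"))     # a service accepted the probe
    stealth = sorted(set(tested) - set(closed) - set(open_))  # no reply at all
    counts = {k: int(n) for n, k in re.findall(r"(\d+) Ports (\w+)", report)}
    return {"tested": tested, "open": open_, "closed": closed, "stealth": stealth,
            "counts_consistent": counts == {"Open": len(open_), "Closed": len(closed),
                                            "Stealth": len(stealth), "Tested": len(tested)},
            "ping_replied": "PING REPLY (ICMP Echo) WAS RECEIVED" in report,
            "trustealth": "TruStealth: PASSED" in report}
```

For this report the closed set is exactly the 135/139/445 group plus 1002, 1024-1030, 1720 and 5000, and the ping reply alone is enough to fail TruStealth even if every port were stealthed.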

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#176 Post by Semme »

Worse is fine, you go back. I think the difference is in your ISP's configuration page.

For me it's http://192.168.1.1/

Don't you have some type of hw between your box and the internet?

445's Samba, no?

Not knowing what iptables might be missing, try here.

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#177 Post by Scooby »

Semme wrote:Worse is fine, you go back.
I like your philosophy
Semme wrote: For me it's http://192.168.1.1/
doesn't respond
Semme wrote: Don't you have some type of hw between your box and the internet?
Nope I have optical fiber connection straight to my wall

will try other stuff, btw with Arno's I got the same result

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#178 Post by Semme »

How'd you know you had Arno's loaded?

Have we got Samba in the mix?

Who's your ISP?

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#179 Post by Scooby »

I started Arno's from cmd line, had to do some config to make it start.
But then ShieldsUp showed the other ports as stealthed, and without Arno's
all ports came up closed, so I'm pretty sure it ran.

I have Bredband2 - Sweden

I'll check samba page but otherwise still no luck

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#180 Post by Scooby »

I guess you're right, those ports are likely blocked at the ISP level.
