firewall useless for puppy

aarf

#101 Post by aarf »

Just some more info on the freezing that sometimes befalls opera. Now i have two opera partitions with a different latest version of opera on each. Mostly they work ok but when one starts freezing i close it down and unmount the partition, clean out the flashplayer folders and then start the other opera on its separate partition, and guess what, the newly opened opera will resume freezing in the same manner as the opera that i just closed on the now unmounted partition. When this happens i switch off my puppy and resume surfing on my phone. Then reboot my puppy hours later and the freezing will not be evident on either partition. Sometimes this doesn't work and i have to overwrite everything in opera except the profile folder. Could be temperature, or something more sinister and persistent out there.
Oh yeah i did have a try with portable firefox but i believe nationmultimedia.com destroyed my firefox as well.

aarf

#102 Post by aarf »

Oh yes sprinkle fsck around liberally in my last post.

666philb
Posts: 3615
Joined: Sun 07 Feb 2010, 12:27
Location: wales ... by the sea

#103 Post by 666philb »

this thread has been quite enlightening. Coming from windows to puppy about 16ish months ago, it has taken quite a while to get away from the paranoid state of mind, that is part'n'parcel of being a windows user. The relief to not have to worry about having a completely up-to-date antivirus/servicepack/application etc, it's absolutely immense! It's like you're free to have fun and not worry!
The firewall seems to be the last part of that old mindset that i still worry about. I'm installing new puppy's all the time, and i'll be using them for a while, and realise that i've forgotten to turn the firewall on..... then i quickly turn it on, but have a residual paranoia that the system was compromised in that 50mins that the firewall wasn't on.
I still turn the firewall on, but having gone through this thread, i've lessened my worry about a compromised system if i've forgotten to turn it on, for a while....,

which is a good thing :)
Bionicpup64 built with bionic beaver packages http://murga-linux.com/puppy/viewtopic.php?t=114311
Xenialpup64, built with xenial xerus packages http://murga-linux.com/puppy/viewtopic.php?t=107331

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#104 Post by rcrsn51 »

There is an interesting case study about firewalls here. The Puppy firewall is easy to turn on. But if you need to modify it to allow some additional service on your LAN, things can get confusing.

mikeybaby72
Posts: 27
Joined: Wed 10 Sep 2008, 12:52
Location: Sheffield, UK

Firewall in Puppy

#105 Post by mikeybaby72 »

Hello all,
I (also) have done 'Shields up' checks in my multitude of Pups BOTH in and out of my local LAN. I don't use the Firewall when at home (mainly as I see no need for it) but when connecting to www from an 'outside source' - ie not within the confines of my home/office/any other "person's" router, then I enable it just as a 'precaution' as I often run wine executables in LighthousePup. Otherwise I know that I'm safe - as the FIRST thing I do when connecting from an 'unknown-to-me' network is to do a 'Shields Up' check. Never had a problem in ANY Linux distro and I am least concerned (subconsciously) when running ANY Puppy/Puplet. This is the 'safest' IMHO distro that there is - even given that I ALWAYS run as root.

Barry IS a Genius AND other distros should wake up and learn from the master. Unless you have multiple users setup on your system, then running as root behind a 'trusted' router's firewall is more than enough protection in puppy. Therefore there is NO need for a secondary software firewall.

If you really want to go "Mega-Stealth" - then run Tor and Ghostery/NoScript in FF and then you will be 'more than' safe!!!!! :D :!:

I have done the Cisco CCNA course twice in the past decade. - Just can't afford my certification yet!

:wink: :wink: :wink: :wink: :!:

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#106 Post by nooby »

With the reservation that not everybody has a router. Some of us are still only on LAN
I use Google Search on Puppy Forum
not an ideal solution though

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#107 Post by Bernie_by_the_Sea »

And some of us are still on dialup. Puppy's compatibility with a large number of dialup analog modems is what attracts a number of new users.

And a few of us have a hardware firewall on the motherboard, another complication.

Another thing: I wouldn't put too much reliance on ShieldsUp checks and stealthed ports. Stealth offers no protection at all against a determined hacker. Just a few moments ago I ran the common ports check at ShieldsUp while using Puppy's firewall and while ports were sheathed the firewall replied to pings which cancels all stealthing.

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#108 Post by Aitch »

Lobster wrote: This will show your firewall settings from the command line

# iptables -L -n -v

Meanwhile - our firewall . . .
Is there any merit in adding these two options?

#47: Stop replying to pings

* Difficulty: Easy
* Application: sysctl

While ping is a very useful command for discovering network topology, the disadvantage is that it does just that, and makes it easier for hackers on the network to target live servers. But you can tell Linux to ignore all pings - the server simply won't respond. There are a number of ways to achieve this, but the best is to use sysctl. To turn off ping replies:

sysctl -w net.ipv4.icmp_echo_ignore_all=1

To turn it back on, again use:

sysctl -w net.ipv4.icmp_echo_ignore_all=0

If turning off ping is too severe for you, take a look at the next hack.


#48: Slow down ping rates

* Difficulty: Easy
* Application: sysctl

You may want to keep the ability to reply to pings, but protect yourself from a form of attack known as a 'ping flood'. So how can you manage such a feat? The easiest way is to slow down the rate at which the server replies to pings. They are still valid, but won't overload the server:

sysctl -w net.ipv4.icmp_echoreply_rate=10

This slows the rate at which replies are sent to a single address.
From 2006!

http://www.murga-linux.com/puppy/viewto ... 099&t=5196
Linux Firewall docs state that if you are really paranoid, you can set "RFC_1122_COMPLIANT=no" in /etc/rc.d/rc.firewall to disable ping.
From BarryK developer news [now down]

http://www.goosee.com/puppy/news2005.htm

So try setting "RFC_1122_COMPLIANT=no" in /etc/rc.d/rc.firewall

Also noted by Wolf Pup
http://lfw.sf.net/

The final version of the linux firewall (puppy has 2.0RC9) has RFC_1122_COMPLIANT="depends" and gives no response to pings

Aitch :)

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#109 Post by rcrsn51 »

Bernie_by_the_Sea wrote: And some of us are still on dialup.
Which brings us back to the original question. Aside from providing a sense of security, is the Puppy firewall actually doing anything positive for dialup users? I suspect that there are many people running Puppy on dialup who never turned on the firewall before Lupu.
Last edited by rcrsn51 on Sat 07 May 2011, 18:58, edited 1 time in total.

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#110 Post by Bernie_by_the_Sea »

And some of us don't give a hang about pings or even bother with a firewall at all.
The final version of the linux firewall (puppy has 2.0RC9) has RFC_1122_COMPLIANT="depends" and gives no response to pings
In a pristine install of Wary 500 with version 2.0rc9 -- 05/02/03 it has RFC_1122_COMPLIANT="yes" and it does respond to pings.

Actually pings are necessary for the Internet to work properly. Turn them off and there'll be things you can't do on the web. Turn them on and you can be found by hacker/crackers.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#111 Post by nooby »

rcrsn51, don't some ISPs actually disconnect me if I don't allow them to ping me? Maybe one can set an exception for trusted parties :)

miriam
Posts: 373
Joined: Wed 06 Dec 2006, 23:46
Location: Queensland, Australia

#112 Post by miriam »

If you have just one computer perhaps there is not a lot of need for a firewall (unless you are worried about rogue programs inside your computer sending data out and you know how to set up your firewall to deny such programs access to the net). But if you have a number of computers and use a LAN to exchange data between them then perhaps a firewall becomes more important, because in that situation you have one or more fileservers on your machine (FTP, HTTP, Samba, NFS, etc).

Comments, anyone?

One point I'd like to learn more about is configuring the firewall to deny all programs, except certain ones I trust, access to the net.
A life! Cool! Where can I download one of those from?

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#113 Post by rcrsn51 »

miriam wrote: But if you have a number of computers and use a LAN to exchange data between them then perhaps a firewall becomes more important, because in that situation you have one or more fileservers on your machine (FTP, HTTP, Samba, NFS, etc).
In order to make those servers visible to other machines on your LAN, you would first have to open the necessary ports on the firewall(s). So you are essentially turning a firewall on, then disabling it.

In your scenario, the firewall of interest would be on your router, hiding your LAN servers from the outside world.

miriam
Posts: 373
Joined: Wed 06 Dec 2006, 23:46
Location: Queensland, Australia

#114 Post by miriam »

essentially turning a firewall on, then disabling it
Good point. Hadn't thought of it quite like that. So then is the only use for a firewall in Puppy the prevention of rogue programs inside from communicating with the outside? And does anybody know how to do that?

Makes you wonder why MSWindows is so insecure. I once operated my old (no longer in use) MSWindows laptop without its firewall for a few minutes, forgetting that it was connected to the net. When I realised I hurriedly disconnected it and scanning it found it had been infected that quickly. Is it MSWindows' filesharing that is the problem? In which case does that mean Samba in Linux is also a weak point? Or is it that MSWindows has special entry points specifically left open for the NSA, as noted by the French Secret Service some years back... let me find the news items...
http://www.theage.com.au/breaking/0002/ ... eb19.shtml unfortunately it is no longer online, but can still be found via the Internet Archive's Wayback Machine:
http://replay.web.archive.org/200003032 ... eb19.shtml

US secret agents work at Microsoft: French intelligence

Source: AFP | Published: Saturday February 19, 7:44 AM

PARIS, Feb 18 - A French intelligence report today accused US secret agents of working with computer giant Microsoft to develop software allowing Washington to spy on communications around the world.

The report, drawn up by the Strategic Affairs Delegation (DAS), the intelligence arm of the French Defence Ministry, was quoted in today's edition of the news-letter Le Monde du Renseignement (Intelligence World).

Written by a senior officer at the DAS, the report claims agents from the National Security Agency (NSA) helped install secret programmes on Microsoft software, currently in use in 90 per cent of computers.

According to the report there was a 'strong suspicion' of a lack of security fed by insistent rumours about the existence of spy programs on Microsoft, and by the presence of NSA personnel in Bill Gates' development teams.

The NSA protects communications for the US government, and also intercepts electronic messages for the Defence Department and other US intelligence agencies, the newsletter said.

According to the report, 'it would seem that the creation of Microsoft was largely supported, not least financially, by the NSA, and that IBM was made to accept the (Microsoft) MS-DOS operating system by the same administration.'

The report claimed the Pentagon was Microsoft's biggest client in the world.
I have to say it seems unlikely to me that IBM would have been pushed by the NSA to accept MS-DOS, but I do think that any good spook would be not doing his job properly if he didn't take advantage of easy access to most of the world's data thru MSWindows. To that end here is another:
from How NSA access was built into Windows

Duncan Campbell 04.09.1999

Careless mistake reveals subversion of Windows by NSA.

A CARELESS mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors). The discovery comes close on the heels of the revelations earlier this year that another US software giant, Lotus, had built an NSA "help information" trapdoor into its Notes system, and that security functions on other software systems had been deliberately crippled.

The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA.

Computer security specialists have been aware for two years that unusual features are contained inside a standard Windows software "driver" used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions. If you use Windows, you will find it in the C:\Windows\system directory of your computer.

Rather than post the whole article you can read the rest, which is still online at:
http://www.heise.de/tp/artikel/5/5263/1.html
So, is it just a special problem with MSWindows? Or are there ways (other than having spook backdoors) that Linux users are vulnerable too?

If we Linux users run any servers does it then make sense to keep those processes on a separate machine so that if compromised, nothing of great value is lost/stolen? And how easy is it to compromise FTP/HTTP/Samba/NFS/VPN servers? I guess ssh is as secure as your password.

puppyluvr
Posts: 3470
Joined: Sun 06 Jan 2008, 23:14
Location: Chickasha Oklahoma

#115 Post by puppyluvr »

:D Tin foil hat alert.....
The NSA key in the windows registry has been there since win98....Deleting it does no harm, @ least not in 98 or XP....
And msdos was contracted as proprietary to all IBM machines...made Bill rich....Bought it as qddos , (quick and dirty disk operating system) for like 80g...LOL....
Close the Windows, and open your eyes, to a whole new world
I am Lead Dog of the
Puppy Linux Users Group on Facebook
Join us!

Puppy since 2.15CE...

miriam
Posts: 373
Joined: Wed 06 Dec 2006, 23:46
Location: Queensland, Australia

#116 Post by miriam »

Like I said, I don't believe IBM was told to get MS-DOS -- that seems silly to me, but I guess spooks are paid to be paranoid. The other point about the NSA key in MSWindows still stands, though I don't really want to get into a discussion about it, I was merely wondering if backdoors inserted in the closed-source code of MSWindows could be responsible for its flakey security. (Incidentally I don't think the NSA key can be simply dismissed. See the discussion on Wikipedia.)

Luckily getting naughty code inserted into open-source code such as Linux is far less likely... though not impossible, I guess... I haven't gone carefully over much of the code on my Linux machines.

So, how would one stop bad programs accessing the net from inside their Puppy Linux machine? Or at the very least how can we keep an eye on all such accesses?

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#117 Post by Bernie_by_the_Sea »

For what it's worth: http://www.pcflank.com has been around about as long as Gibson's ShieldsUp. Using Puppy's firewall PCFlank in its quick test reports:
Warning!
The test found visible port(s) on your system: 21, 23, 80, 135, 137, 138, 139, 1080, 3128
ShieldsUP says they're stealthed. Take your pick.

I'm still playing with firewalls. Some of you already know this but turning off pings manually in Puppy with the sysctl command is not persistent. They're back on the next time Puppy boots. Mainstream Linux seems to use a sysctl.conf file to make them persist but I haven't seen that in Puppy. I'm playing with that now, too. It has a number of possibilities including responding only to specified ping requests and a command to enable spoof protection.
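
The sysctl settings quoted in post #108 and the persistence problem described in post #117 can be checked together. The script below is an added example, not part of any post in this thread: it reports whether a setting is live, saved for the next boot, or both, and reads RFC_1122_COMPLIANT from an rc.firewall-style file. The sysctl.conf format, the rp_filter key (assumed here to be the "spoof protection" setting) and all fixture files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: is a ping-related kernel setting live, saved for next boot, or both?
# File locations are parameters so the logic can run on constructed fixtures.

# Last value assigned to KEY in a sysctl.conf-style FILE (prints nothing if unset).
conf_value() {
    file=$1; key=$2
    [ -r "$file" ] || return 0
    sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' "$file" |
        awk -F= -v k="$key" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# Live value of KEY under ROOT, where ROOT mirrors /proc/sys.
runtime_value() {
    path="$1/$(printf '%s' "$2" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# Classify KEY against the wanted value WANT.
audit_key() {
    live=$(runtime_value "$1" "$3")
    saved=$(conf_value "$2" "$3")
    if [ "$live" = "$4" ] && [ "$saved" = "$4" ]; then echo persistent
    elif [ "$live" = "$4" ]; then echo runtime-only   # gone after reboot
    elif [ "$saved" = "$4" ]; then echo boot-only     # saved, not yet applied
    else echo off
    fi
}

# RFC_1122_COMPLIANT value from an rc.firewall-style script.
rfc1122_setting() {
    sed -n 's/^[[:space:]]*RFC_1122_COMPLIANT=//p' "$1" |
        tail -n 1 | tr -d "\"'" | awk '{ print $1 }'
}

# Constructed fixture: fake /proc/sys tree, sysctl.conf and rc.firewall.
make_fixture() {
    mkdir -p "$1/proc/net/ipv4/conf/all"
    echo 1 > "$1/proc/net/ipv4/icmp_echo_ignore_all"   # as after "sysctl -w ...=1"
    echo 0 > "$1/proc/net/ipv4/conf/all/rp_filter"
    cat > "$1/sysctl.conf" <<'EOF'
# constructed sample
net.ipv4.conf.all.rp_filter = 1   # reverse-path (spoof) filter
EOF
    printf 'RFC_1122_COMPLIANT="yes"\n' > "$1/rc.firewall"
}

fx=$(mktemp -d)
make_fixture "$fx"
for k in net.ipv4.icmp_echo_ignore_all net.ipv4.conf.all.rp_filter; do
    echo "$k: $(audit_key "$fx/proc" "$fx/sysctl.conf" "$k" 1)"
done
echo "RFC_1122_COMPLIANT: $(rfc1122_setting "$fx/rc.firewall")"
rm -rf "$fx"
```

On a real system the call would be `audit_key /proc/sys /etc/sysctl.conf net.ipv4.icmp_echo_ignore_all 1`; where no sysctl.conf exists, a setting made with `sysctl -w` is reported as runtime-only.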

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#118 Post by nooby »

IDG is well known in English speaking languages. They have mags like PCWorld and they have the most sold PC mags in Sweden and Norway and so on.

They made a test with Ms Windows. Don't remember if it was XP or Vista but a few years ago.

For ten minutes they allowed the machine to be browsing online without firewall activated.

Result was alarming. Totally chock full of nasty things that they had a hard time getting rid of. And a newbie would have no idea how to.

So I don't trust that one can run Puppy without firewall at all.

Why would they spare us when they don't spare the Apache Linux Servers. They are targeted all over the world. Big bot nets on them as I have heard.

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#119 Post by Bernie_by_the_Sea »

nooby wrote: So I don't trust that one can run Puppy without firewall at all.
For the next ten days I'll run Puppy without a firewall. When I "upgraded" from Mepis 3.3 to 8.5 a couple of months back I didn't realize the default was firewall off. I ran it over two weeks without a firewall and most of that time I ran as root. About half the time I don't bother to turn on the firewall in Knoppix which has to be done each time it boots since I can't figure out how to make it persistent. Of course I don't have a static IP address and don't run any servers.

SimpleWater
Posts: 94
Joined: Tue 19 Apr 2011, 11:53

#120 Post by SimpleWater »

nooby wrote: IDG is well known in English speaking languages. They have mags like PCWorld and they have the most sold PC mags in Sweden and Norway and so on.

They made a test with Ms Windows. Don't remember if it was XP or Vista but a few years ago.

For ten minutes they allowed the machine to be browsing online without firewall activated.

Result was alarming. Totally chock full of nasty things that they had a hard time getting rid of. And a newbie would have no idea how to.

So I don't trust that one can run Puppy without firewall at all.

Why would they spare us when they don't spare the Apache Linux Servers. They are targeted all over the world. Big bot nets on them as I have heard.
You did get me paranoid. I have been using puppy without a firewall since i installed it. How can i know if i have nasty things? and how do i get rid of them?
