firewall useless for puppy
Just some more info on the freezing that sometimes befalls opera. Now i have two opera partitions with a different latest version of opera on each. Mostly they work ok but when one starts freezing i close it down and unmount the partition clean out the flashplayer folders and then start the other opera on its seperate partition and guess what the newly opened opera will resume freezing in the same manner as the opera that i just closed on the now unmounted partition. When this happens i switch of my puppy and resume surfing on my phone. Then reboot my puppy hours later and the freezing will not be evident on either partition. Sometimes this doesnt work and i have to overwrite every thing in opera except the profile folder. Could be temperature, or something more sinister and persistent out there.
Oh yeah i did have a try with portable firefox but i believe nationmultimedia.com destroyed my firefox as well.
Oh yeah i did have a try with portable firefox but i believe nationmultimedia.com destroyed my firefox as well.
this thread has been quite enlightening. Coming from windows to puppy about 16ish months ago, it has taken quite a while to get away from the paranoid state of mind, that is part'n'parcel of being a windows user. The relief to not have to worry about having a completely up-to date antivirus/servicepack/appliction etc it's absolutely immense! It's like you're free to have fun and not worry!
The firewall seems to be the last part of that old mindset that i still worry about. I'm installing new puppy's all the time, and i'll be using them for a while, and realise that i've forgotten to turn the firewall on..... then i quickly turn it on, but have a residual paranoia that the system was compromised in that 50mins that the firewalll wasn't on.
I still the turn the firewall on, but having gone through this thread, i've lessened my worry about a compromised system if i've forgotten turn it on,for a while....,
which is a good thing
The firewall seems to be the last part of that old mindset that i still worry about. I'm installing new puppy's all the time, and i'll be using them for a while, and realise that i've forgotten to turn the firewall on..... then i quickly turn it on, but have a residual paranoia that the system was compromised in that 50mins that the firewalll wasn't on.
I still the turn the firewall on, but having gone through this thread, i've lessened my worry about a compromised system if i've forgotten turn it on,for a while....,
which is a good thing
Bionicpup64 built with bionic beaver packages http://murga-linux.com/puppy/viewtopic.php?t=114311
Xenialpup64, built with xenial xerus packages http://murga-linux.com/puppy/viewtopic.php?t=107331
Xenialpup64, built with xenial xerus packages http://murga-linux.com/puppy/viewtopic.php?t=107331
- mikeybaby72
- Posts: 27
- Joined: Wed 10 Sep 2008, 12:52
- Location: Sheffield, UK
- Contact:
Firewall in Puppy
Hello all,
I (also) have done 'Shields up' checks in my multitude of Pups BOTH in and out of my local LAN. I don't use the Firewall when at home (mainly as I see no need for it) but when connecting to www from an 'outside source' - ie not within the confines of my home/office/any other "person's" router, then I enable it just as a 'precaution' as I often run wine executables in LighthousePup. Other wise I know that I'm safe - as the FIRST thing I do when connecting from an 'unknown-to-me' network is to do a 'Shields Up' check. Never had a problem in ANY Linux distro and I am least concerned (subconsciously) when running ANY Puppy/Puplet. This is the 'safest' IMHO distro that there is - even given that I ALWAYS run as root.
Barry IS a Genius AND other distros should wake up and learn from the master. Unless you have multiple users setup on your system, then running as root behind a 'trusted' router's firewall is more than enough protection in puppy. Therefore there is NO need for a secondary software firewall.
If you really want to go "Mega-Stealth" - then run Tor and Ghostery/NoScript in FF and then you will be 'more than' safe!!!!!
I have done the Cisco CCNA course twice in the past decade. - Just can't afford my certification yet!
I (also) have done 'Shields up' checks in my multitude of Pups BOTH in and out of my local LAN. I don't use the Firewall when at home (mainly as I see no need for it) but when connecting to www from an 'outside source' - ie not within the confines of my home/office/any other "person's" router, then I enable it just as a 'precaution' as I often run wine executables in LighthousePup. Other wise I know that I'm safe - as the FIRST thing I do when connecting from an 'unknown-to-me' network is to do a 'Shields Up' check. Never had a problem in ANY Linux distro and I am least concerned (subconsciously) when running ANY Puppy/Puplet. This is the 'safest' IMHO distro that there is - even given that I ALWAYS run as root.
Barry IS a Genius AND other distros should wake up and learn from the master. Unless you have multiple users setup on your system, then running as root behind a 'trusted' router's firewall is more than enough protection in puppy. Therefore there is NO need for a secondary software firewall.
If you really want to go "Mega-Stealth" - then run Tor and Ghostery/NoScript in FF and then you will be 'more than' safe!!!!!
I have done the Cisco CCNA course twice in the past decade. - Just can't afford my certification yet!
- Bernie_by_the_Sea
- Posts: 328
- Joined: Wed 09 Feb 2011, 18:14
And some of us are still on dialup. Puppy's compatibility with a large number of dialup analog modems is what attracts a number of new users.
And a few of us have a hardware firewall on the motherboard, another complication.
Another thing: I wouldn't put too much reliance on ShieldsUp checks and stealthed ports. Stealth offers no protection at all against a determined hacker. Just a few moments ago I ran the common ports check at ShieldsUp while using Puppy's firewall and while ports were sheathed the firewall replied to pings which cancels all stealthing.
And a few of us have a hardware firewall on the motherboard, another complication.
Another thing: I wouldn't put too much reliance on ShieldsUp checks and stealthed ports. Stealth offers no protection at all against a determined hacker. Just a few moments ago I ran the common ports check at ShieldsUp while using Puppy's firewall and while ports were sheathed the firewall replied to pings which cancels all stealthing.
From 2006!Lobster wrote:This will show your firewall settings from the command line
Code: Select all
# iptables -L -n -v
Meanwhile - our firewall . . .
Is there any merit in adding these two options?
#47: Stop replying to pings
* Difficulty: Easy
* Application: sysctl
While ping is a very useful command for discovering network topology, the disadvantage is that it does just that, and makes it easier for hackers on the network to target live servers. But you can tell Linux to ignore all pings - the server simply won't respond. There are a number of ways to achieve this, but the best is to use sysctl. To turn off ping replies:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
To turn it back on, again use:
sysctl -w net.ipv4.icmp_echo_ignore_all=0
If turning off ping is too severe for you, take a look at the next hack.
#48: Slow down ping rates
* Difficulty: Easy
* Application: sysctl
You may want to keep the ability to reply to pings, but protect yourself from a form of attack known as a 'ping flood'. So how can you manage such a feat? The easiest way is to slow down the rate at which the server replies to pings. They are still valid, but won't overload the server:
sysctl -w net.ipv4.icmp_echoreply_rate=10
This slows the rate at which replies are sent to a single address.
http://www.murga-linux.com/puppy/viewto ... 099&t=5196
From BarryK developer news [now down]Linux Firewall docs state that if you are really paranoid, you can set "RFC_1122_COMPLIANT=no" in /etc/rc.d/rc.firewall to disable ping.
http://www.goosee.com/puppy/news2005.htm
So try setting "RFC_1122_COMPLIANT=no" in /etc/rc.d/rc.firewall
Also noted by Wolf Pup
http://lfw.sf.net/
The final version of the linux firewall (puppy has 2.0RC9) has RFC_1122_COMPLIANT="depends" and gives no response to pings
Aitch
Which brings us back to the original question. Aside from providing a sense of security, is the Puppy firewall actually doing anything positive for dialup users? I suspect that there are many people running Puppy on dialup who never turned on the firewall before Lupu.Bernie_by_the_Sea wrote:And some of us are still on dialup.
Last edited by rcrsn51 on Sat 07 May 2011, 18:58, edited 1 time in total.
- Bernie_by_the_Sea
- Posts: 328
- Joined: Wed 09 Feb 2011, 18:14
And some of us don't give a hang about pings or even bother with a firewall at all.
Actually pings are necessary for the Internet to work properly. Turn them off and they'll be things you can't do on the web. Turn them on and you can be found by hacker/crackers.
In a pristine install of Wary 500 with version 2.0rc9 -- 05/02/03 it has RFC_1122_COMPLIANT="yes" and it does respond to pings.The final version of the linux firewall (puppy has 2.0RC9) has RFC_1122_COMPLIANT="depends" and gives no response to pings
Actually pings are necessary for the Internet to work properly. Turn them off and they'll be things you can't do on the web. Turn them on and you can be found by hacker/crackers.
If you have just one computer perhaps there is not a lot of need for a firewall (unless you are worried about rogue programs inside your computer sending data out and you know how to set up your firewall to deny such programs access to the net). But if you have a number of computers and use a LAN to exchange data between them then perhaps a firewall becomes more important, because in that situation you have one or more fileservers on your machine (FTP, HTTP, Samba, NFS, etc).
Comments, anyone?
One point I'd like to learn more about is configuring the firewall to deny all programs, except certain ones I trust, access to the net.
Comments, anyone?
One point I'd like to learn more about is configuring the firewall to deny all programs, except certain ones I trust, access to the net.
[color=blue]A life! Cool! Where can I download one of those from?[/color]
In order to make those servers visible to other machines on your LAN, you would first have to open the necessary ports on the firewall(s). So you are essentially turning a firewall on, then disabling it.miriam wrote: But if you have a number of computers and use a LAN to exchange data between them then perhaps a firewall becomes more important, because in that situation you have one or more fileservers on your machine (FTP, HTTP, Samba, NFS, etc).
In your scenario, the firewall of interest would be on your router, hiding your LAN servers from the outside world.
Good point. Hadn't thought of it quite like that. So then is the only use for a firewall in Puppy the prevention of rogue programs inside from communicating with the outside? And does anybody know how to do that?essentially turning a firewall on, then disabling it
Make you wonder why MSWindows is so insecure. I once operated my old (no longer in use) MSWindows laptop without its firewall for a few minutes, forgetting that it was connected to the net. When I realised I hurriedly disconnected it and scanning it found it had been infected that quickly. Is it MSWindows' filesharing that is the problem? In which case does that mean Samba in Linux is also a weak point? Or is it that MSWindows has special entry points specifically left open for the NSA, as noted by the French Secret Service some years back... let me find the news items...
I have to say it seems unlikely to me that IBM would have been pushed by the NSA to accept MS-DOS, but I do think that any good spook would be not doing his job properly if he didn't take advantage of easy access to most of the world's data thru MSWindows. To that end here is another:http://www.theage.com.au/breaking/0002/ ... eb19.shtml unfortunately it is no longer online, but can still be found via the Internet Archive's Wayback Machine:
http://replay.web.archive.org/200003032 ... eb19.shtml
US secret agents work at Microsoft: French intelligence
Source: AFP | Published: Saturday February 19, 7:44 AM
PARIS, Feb 18 - A French intelligence report today accused US secret agents of working with computer giant Microsoft to develop software allowing Washington to spy on communications around the world.
The report, drawn up by the Strategic Affairs Delegation (DAS), the intelligence arm of the French Defence Ministry, was quoted in today's edition of the news-letter Le Monde du Renseignement (Intelligence World).
Written by a senior officer at the DAS, the report claims agents from the National Security Agency (NSA) helped install secret programmes on Microsoft software, currently in use in 90 per cent of computers.
According to the report there was a 'strong suspicion' of a lack of security fed by insistent rumours about the existence of spy programs on Microsoft, and by the presence of NSA personnel in Bill Gates' development teams.
The NSA protects communications for the US government, and also intercepts electronic messages for the Defence Department and other US intelligence agencies, the newsletter said.
According to the report, 'it would seem that the creation of Microsoft was largely supported, not least financially, by the NSA, and that IBM was made to accept the (Microsoft) MS-DOS operating system by the same administration.'
The report claimed the Pentagon was Microsoft's biggest client in the world.
So, is just a special problem with MSWindows? Or are there ways (other than having spook backdoors) that Linux users are vulnerable too?from How NSA access was built into Windows
Duncan Campbell 04.09.1999
Careless mistake reveals subversion of Windows by NSA.
A CARELESS mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors). The discovery comes close on the heels of the revelations earlier this year that another US software giant, Lotus, had built an NSA "help information" trapdoor into its Notes system, and that security functions on other software systems had been deliberately crippled.
The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA.
Computer security specialists have been aware for two years that unusual features are contained inside a standard Windows software "driver" used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions. If you use Windows, you will find it in the C:\Windows\system directory of your computer.
Rather than post the whole article you can read the rest, which is still online at:
http://www.heise.de/tp/artikel/5/5263/1.html
If we Linux users run any servers does it then make sense to keep those processes on a separate machine so that if compromised, nothing of great value is lost/stolen? And how easy is it to compromise FTP/HTTP/Samba/NFS/VPN servers? I guess ssh is as secure as your password.
[color=blue]A life! Cool! Where can I download one of those from?[/color]
Tin foil hat alert.....
The NSA key in the windows registry has been there since win98....Deleting it does no harm, @ least not in 98 or XP....
And msdos was contracted as proprietary to all IBM machines...made Bill rich....Bought it as qddos , (quick and dirty disk operating system) for like 80g...LOL....
The NSA key in the windows registry has been there since win98....Deleting it does no harm, @ least not in 98 or XP....
And msdos was contracted as proprietary to all IBM machines...made Bill rich....Bought it as qddos , (quick and dirty disk operating system) for like 80g...LOL....
Close the Windows, and open your eyes, to a whole new world
I am Lead Dog of the
Puppy Linux Users Group on Facebook
Join us!
Puppy since 2.15CE...
I am Lead Dog of the
Puppy Linux Users Group on Facebook
Join us!
Puppy since 2.15CE...
Like I said, I don't believe IBM was told to get MS-DOS -- that seems silly to me, but I guess spooks are paid to be paranoid. The other point about the NSA key in MSWindows still stands, though I don't really want to get into a discussion about it, I was merely wondering if backdoors inserted in the closed-source code of MSWindows could be responsible for its flakey security. (Incidentally I don't think the NSA key can be simply dismissed. See the discussion on Wikipedia.)
Luckily getting naughty code inserted into open-source code such as Linux is far less likely... though not impossible, I guess... I haven't gone carefully over much of the code on my Linux machines.
So, how would one stop bad programs accessing the net from inside their Puppy Linux machine? Or at the very least how can we keep an eye on all such accesses?
Luckily getting naughty code inserted into open-source code such as Linux is far less likely... though not impossible, I guess... I haven't gone carefully over much of the code on my Linux machines.
So, how would one stop bad programs accessing the net from inside their Puppy Linux machine? Or at the very least how can we keep an eye on all such accesses?
[color=blue]A life! Cool! Where can I download one of those from?[/color]
- Bernie_by_the_Sea
- Posts: 328
- Joined: Wed 09 Feb 2011, 18:14
For what it's worth: http://www.pcflank.com has been around about as long as Gibson's ShieldsUp. Using Puppy's firewall PCFlank in its quick test reports:
I'm still playing with firewalls. Some of you already know this but turning off pings manually in Puppy with the sysctl command is not persistent. They're back on the next time Puppy boots. Mainstream Linux seems to use a sysctl.conf file to make them persist but I haven't seen that in Puppy. I'm playing with that now, too. It has a number of possibilities including responding only to specified ping requests and a command to enable spoof protection.
ShieldsUP says they're stealthed. Take your pick.Warning!
The test found visible port(s) on your system: 21, 23, 80, 135, 137, 138, 139, 1080, 3128
I'm still playing with firewalls. Some of you already know this but turning off pings manually in Puppy with the sysctl command is not persistent. They're back on the next time Puppy boots. Mainstream Linux seems to use a sysctl.conf file to make them persist but I haven't seen that in Puppy. I'm playing with that now, too. It has a number of possibilities including responding only to specified ping requests and a command to enable spoof protection.
IDG is well known in English speaking languages. They have Mags like PCWorld and them have the most sold PC mags in Sweden and Norway and so on.
They made a test with Ms Windows. Don'tremmber if it was XP or Vista but a few years ago.
Ten minutes them allowed to machine to be browsing online without firewall activated.
Result was alarming. Totally smock full of nasty things that it took them a hard time to get rid off. And a newbie would have no idea how to.
So I don't trust that one can run Puppy without firewall at all.
Why would they spare us when they don't spare the Apache Linux Servers. Them are targeted all over the world. Big bot nets on them as I have heard.
They made a test with Ms Windows. Don'tremmber if it was XP or Vista but a few years ago.
Ten minutes them allowed to machine to be browsing online without firewall activated.
Result was alarming. Totally smock full of nasty things that it took them a hard time to get rid off. And a newbie would have no idea how to.
So I don't trust that one can run Puppy without firewall at all.
Why would they spare us when they don't spare the Apache Linux Servers. Them are targeted all over the world. Big bot nets on them as I have heard.
I use Google Search on Puppy Forum
not an ideal solution though
not an ideal solution though
- Bernie_by_the_Sea
- Posts: 328
- Joined: Wed 09 Feb 2011, 18:14
For the next ten days I'll run Puppy without a firewall. When I "upgraded" from Mepis 3.3 to 8.5 a couple of months back I didn't realize the default was firewall off. I ran it over two weeks without a firewall and most of that time I ran as root. About half the time I don't bother to turn on the firewall in Knoppix which has to be done each time it boots since I can't figure out how to make it persistent. Of course I don't have a static IP address and don't run any servers.nooby wrote:So I don't trust that one can run Puppy without firewall at all.
-
- Posts: 94
- Joined: Tue 19 Apr 2011, 11:53
You did get me paranoid. I have been using puppy without a firewall since i installed it. How can i know if i have nasty things? and how do i rid of them?nooby wrote:IDG is well known in English speaking languages. They have Mags like PCWorld and them have the most sold PC mags in Sweden and Norway and so on.
They made a test with Ms Windows. Don'tremmber if it was XP or Vista but a few years ago.
Ten minutes them allowed to machine to be browsing online without firewall activated.
Result was alarming. Totally smock full of nasty things that it took them a hard time to get rid off. And a newbie would have no idea how to.
So I don't trust that one can run Puppy without firewall at all.
Why would they spare us when they don't spare the Apache Linux Servers. Them are targeted all over the world. Big bot nets on them as I have heard.