firewall useless for puppy

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#16 Post by Bernie_by_the_Sea »

r1tz wrote: Firewall = blocking of ports. (over simplifying... but that's basically it)

EDIT: i meant to say blocking of packets....
Firewall = blocking or allowing packets (net communication)

My firewalls both in Windows and various Linux distros both allow and block certain apps and certain IPs. I'm more concerned about outgoing than I am incoming so at the moment I have I think nine apps blocked from accessing the net. I have packets from some specific IPs blocked. A port open or closed or stealthed is not enough. What I want from a firewall is not "security" but to block certain outgoing requests, such as updates, and block known incoming spam. Blocking or hiding ports is trivial.

Just because something reports the firewall is off doesn't mean that it is off.

Béèm
Posts: 11763
Joined: Wed 22 Nov 2006, 00:47
Location: Brussels IBM Thinkpad R40, 256MB, 20GB, WiFi ipw2100. Frugal Lin'N'Win

#17 Post by Béèm »

sickgit wrote:so basically I don't care how much resources the firewall takes, it's not the point of the post.
I suppose you did ask the same question for Windows and OSX?
Please provide the answers to us here.

If you can't do this, then you are a waste of resources.

sickgut
Posts: 1156
Joined: Tue 23 Mar 2010, 19:11
Location: Tasmania, Australia in the mountains.

#18 Post by sickgut »

re: beem
I suppose you did ask the same question for Windows and OSX?
Please provide the answers to us here.

wtf does windows and osx have to do with puppy forum? I'm not debating usefulness of firewall on windows, only puppy. I suspect ppl who ask questions about windows on a puppy forum are mentally disabled in some way so it really doesn't matter what I type here in reply, I doubt beem will understand it. He probably has a really huge forehead or has some gross disfigurement that interrupts his view of a screen when he types or doesn't understand English and has just copied and pasted random stuff in his post, maybe in an effort to impress other non-English-speaking people.

So no, I didn't ask about windows and osx, it's a puppy forum. Go to a windows forum and ask the question yourself if you think you're doing the community a favour or need to answer a deep soul searching question such as that. I hear deep soul searching windows questions can change your view of the world in such a profound way you cannot explain it with words, so I will forgive you if you ask that question on a windows forum but can't quite put your answer into words when you go to explain your experience on this puppy linux thread.

I wish you all the best in life and hope you learn to live with or cure your current physical and or mental impairment.

You will be in all our prayers.

sickgut

Bruce B

Re: firewall useless for puppy

#19 Post by Bruce B »

sickgut wrote:I put it to the puppy community that the firewall loading
as default on puppy is a waste of resources . . .
sickgut wrote:Until i actually see proof of an actual threat that has
been weighed and balanced then i will maintain my statement that the
software firewall loading as default in puppy 5.25 is a complete waste
of resources.
(Emphasis mine)

How about backing up your own claim? Can you do it? If not, don't make
the claim.
  1) What resources?
  2) How much resources?
  3) Can you measure them?
  4) How do you measure them?
~

Luluc
Posts: 200
Joined: Wed 16 Mar 2011, 07:10

#20 Post by Luluc »

r1tz wrote:You can ask sshd to only allow certain IP address.
You are correct. I had forgotten sshd could do that.
r1tz wrote:That is not the job of firewall.
I disagree, a firewall serves many purposes. Blocking specific IPs is one of them.

sickgut wrote:so what if someone accesses your sshd login? You would have to be extremely silly to not have a decent password attached to it.
(...)
the sshd program itself provides the security.
(...)
but if you believe your sshd argument has weight then I'm sure that you can demonstrate a step by step way of accessing a linux system running sshd that is properly configured and is password protected.
(...)
no use saying someone could do this or do that..... just do it and show us.
Attackers try to break into sshd with brute force all the time. I run two Web sites, I see their dozens or hundreds of attempts in the logs every day. Of course, they usually fail, but I am not comfortable with the idea of being attacked every day. Closing access to all but one IP address increases security. Of course, that approach is useless if you don't know from what IP you will be accessing sshd. It was just one specific case scenario.
sickgut wrote:wtf does windows and osx have to do with puppy forum? I'm not debating usefulness of firewall on windows, only puppy. I suspect ppl who ask questions about windows on a puppy forum are mentally disabled in some way so it really doesn't matter what I type here in reply, I doubt beem will understand it. He probably has a really huge forehead or has some gross disfigurement that interrupts his view of a screen when he types or doesn't understand English and has just copied and pasted random stuff in his post, maybe in an effort to impress other non-English-speaking people.
You insult people, write like a semi-illiterate and complain that people don't write proper English. I hope you don't expect to be taken seriously around here.
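
Added example, not part of any post in this thread: a shell/awk sketch of how the failed sshd logins Luluc describes can be counted per source address from an auth log. The sample lines, addresses, user names and threshold are constructed, and the message format assumed is OpenSSH's "Failed password for ... from IP port N ssh2".

```shell
#!/bin/sh
# Added example (not from the thread). Sample log lines are constructed;
# addresses come from the documentation ranges.
sample_log() {
cat <<'EOF'
Apr 19 03:12:01 host sshd[2211]: Failed password for root from 203.0.113.45 port 40122 ssh2
Apr 19 03:12:04 host sshd[2211]: Failed password for root from 203.0.113.45 port 40130 ssh2
Apr 19 03:12:07 host sshd[2214]: Failed password for invalid user admin from 203.0.113.45 port 40141 ssh2
Apr 19 03:12:09 host sshd[2216]: Failed password for invalid user from from 203.0.113.45 port 40150 ssh2
Apr 19 08:30:15 host sshd[2301]: Failed password for alice from 198.51.100.23 port 51514 ssh2
Apr 19 08:30:41 host sshd[2301]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
EOF
}

# Count failed password logins per source address, busiest first.
# The address is read by position from the END of the line, because the
# user name is chosen by the remote side and may itself be "from".
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / &&
         $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Addresses with at least $1 failures: candidates for a firewall block.
offenders() {
    failed_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

# Stand-alone run: show the per-address counts for the sample log.
sample_log | failed_by_ip
```

On a real system the same functions read the sshd log on standard input, for example `offenders 20 < /var/log/auth.log`; the log path varies by distribution and is an assumption here.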

Bruce B

Re: firewall useless for puppy

#21 Post by Bruce B »

It is your game. You set the rules. You did it all by yourself.
sickgut wrote:I do not want "People say you can do this..." kinda
answers or philosophical answers . . .
When challenged for technical specifics, concerning this so called "waste of
resources", you seem to go to la la land. Read below.
sickgut wrote:. . . the waste of resources is more of an expression than a
technical thing.
If it is OK for YOU to use expressions to substitute for technology, I feel
inclined to support anyone who does the same.

~

aarf

#22 Post by aarf »

I am under the impression that this site nationmultimedia.com can in conjunction with opera and flash, corrupt partitions and thus bring down puppy. It has in the past done that many times. Firewall is not stopping at all.

Bruce B

#23 Post by Bruce B »

aarf wrote:I am under the impression that this site
nationmultimedia.com can in conjunction with opera and flash, corrupt
partitions and thus bring down puppy. It has in the past done that many
times. Firewall is not stopping at all.
When you request something, the firewall anticipates a response and
regards it as authorized, unless you had a unique configuration.

If you don't request it, then the incoming is unauthorized and blocked.

I just visited the site. I suppose on next boot I'll find out if I have any
partitions.

~
Attachment: nationalm.png (99.77 KiB)

Bruce B

#24 Post by Bruce B »

Bernie_by_the_Sea wrote:I'm more concerned about outgoing than I am incoming . . .
Myself included
Bernie_by_the_Sea wrote: . . . so at the moment I have I think nine apps blocked from accessing the net.
Please tell, in detail, how do you block apps?

~

sickgut
Posts: 1156
Joined: Tue 23 Mar 2010, 19:11
Location: Tasmania, Australia in the mountains.

#25 Post by sickgut »

Dunno how many times I say this, it doesn't seem to make any difference.
If a program is useless it's just wasting space/resources. I don't care how many.
It's in the range of no more than a MB or 2 of RAM once loaded. To put that into perspective, this is a distro that tries to save 1 and 2 MB in ISO size etc. by stripping out stuff as much as it can and the firewall is using 1.5% or so of the total RAM used once booted up.

My original post is easy enough to understand. I've replied to the "define the resources yourself..." posts. So now for the 443223th time I'm saying the amount of resources isn't the point. If a program is not doing anything worthwhile then the bits/bytes, whatever it's taking up in RAM, isn't doing anything useful.

Next person who challenges me to find the exact resources it uses, I'll simply use the same stupidity back at them and say that you should prove that the firewall is not using resources and to define exactly how much it's not using.

Bruce B

#26 Post by Bruce B »

sickgut wrote:Dunno how many times I say this, it doesn't seem to make any difference. If a program is useless it's just wasting space/resources. I don't care how many.
Is it a program?

~

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#27 Post by Bernie_by_the_Sea »

Bruce B wrote:
Bernie_by_the_Sea wrote: . . . so at the moment I have I think nine apps blocked from accessing the net.
Please tell, in detail, how do you block apps?
Backing up, earlier I wrote:
My firewalls both in Windows and various Linux distros both allow and block certain apps and certain IPs. I'm more concerned about outgoing than I am incoming so at the moment I have I think nine apps blocked from accessing the net.
The nine blocked are in Windows, not Puppy. I use three firewalls in XP and I block specific apps with Ashampoo. It has a nice gui, doesn't interfere with other firewalls, and is ultra-simple to use.

In Puppy, it's not simple at all especially using command-line iptables and especially when you’re basically ignorant about using iptables. All my outgoing blocks in Puppy are merely experiments since there's nothing that needs to be blocked. I block apps by the ports they use. Right now I'm playing around having cups (port 631) blocked but you can block other ports/apps such as ssh (port 22) and samba (ports 137,138,139). I'm playing with cups since it's easy to confirm a printer is blocked. Who knows, maybe somebody doesn't want their kids in another room using the printer.

Puppy's firewall uses between 1% and 2% of CPU and it uses over 1% of RAM. Puppy doesn't need a firewall but old habits are hard to break.

r1tz
Posts: 162
Joined: Thu 09 Sep 2010, 05:19
Location: In #puppylinux (IRC)

#28 Post by r1tz »

Getting attempts to force into sshd/servers are very common. Many people run scripts to run through a list of IP address to... ...

Using firewall to block others is fine if you are only running sshd. But you did mention webserver so I wrongly assume that you meant hosting it with the same computer. Because if you use firewall to block those IP, they won't be able to view your webserver.

I'm not saying you are wrong, just different ways of doing it.

As long as you use a strong password, you should be fine.


This would be a case of Convenience VS security.


Bruce B, imo firewall is a program. It is a program designed to follow a set of rules to allow/block packets. The set of rules might be block packets from port 1-100 or a range of IP or some complicated set of rules. But still, it is a program.

I think that firewall is necessary.
The chances you get attacked are very low (really very low). It is not too low either. Better to be safe than to be sorry.

Well... you won't need firewall if you don't have sensitive info in your computer and you don't use a savefile. In this case, firewall is really useless.

don922
Posts: 433
Joined: Sat 19 Jan 2008, 07:58
Location: Nong Yai Buah

#29 Post by don922 »

aarf wrote:I am under the impression that this site nationmultimedia.com can in conjunction with opera and flash, corrupt partitions and thus bring down puppy. It has in the past done that many times. Firewall is not stopping at all.
Since The Nation is one of the leading English-language newspapers in Thailand, I have read it every day on the internet for the last three and one half years. I use firefox on puppy and I have never experienced any problem with The Nation.
Don -- Thailand

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#30 Post by Bernie_by_the_Sea »

don922 wrote:I use firefox on puppy and I have never experienced any problem with The Nation.
He did say "opera and flash," not firefox. Opera has a history of not working well with some versions of flash and flash itself has been known to do damage sometimes from an otherwise harmless site. Flash is inherently unsafe. I normally browse with flash disabled and turn it on only if there's something I think I absolutely have to see which is very rare.

I think it was a rival English-language newspaper in Japan that demonstrated the Opera/flash problem with nationmultimedia.com but I can't find the article.

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#31 Post by amigo »

"Is it a program?"
No it is not.

mickee
Posts: 207
Joined: Tue 08 Feb 2011, 14:59
Location: Saskatoon SK Canada, Gateway 5300 Laptop, 600MHz Celeron, 384MB RAM, lucid puppy 5.2 (Full Install)

#32 Post by mickee »

sickgut wrote:wtf does windows and osx have to do with puppy forum? I'm not debating usefulness of firewall on windows, only puppy. I suspect ppl who ask questions about windows on a puppy forum are mentally disabled in some way so it really doesn't matter what I type here in reply, I doubt beem will understand it. He probably has a really huge forehead or has some gross disfigurement that interrupts his view of a screen when he types or doesn't understand English and has just copied and pasted random stuff in his post, maybe in an effort to impress other non-English-speaking people.

So no, I didn't ask about windows and osx, it's a puppy forum. Go to a windows forum and ask the question yourself if you think you're doing the community a favour or need to answer a deep soul searching question such as that. I hear deep soul searching windows questions can change your view of the world in such a profound way you cannot explain it with words, so I will forgive you if you ask that question on a windows forum but can't quite put your answer into words when you go to explain your experience on this puppy linux thread.

I wish you all the best in life and hope you learn to live with or cure your current physical and or mental impairment.
:evil:

One who purposely and deliberately (that purpose usually being self-amusement) starts an argument in a manner which attacks others on a forum without in any way listening to the arguments proposed by his or her peers. He will spark off such an argument via the use of ad hominem attacks (i.e. 'he probably has a really huge forehead or has some gross disfigurement') with no substance or relevance to back them up as well as straw man arguments, which he uses to simply avoid addressing the essence of the issue.

Look it up.
Linux is NOT Windows. Doesn't PRETEND to be, Doesn't WANT to be; Don't try to MAKE it be.

sickgut
Posts: 1156
Joined: Tue 23 Mar 2010, 19:11
Location: Tasmania, Australia in the mountains.

#33 Post by sickgut »

mickee re:

"with no substance or relevance to back them up as well as straw man arguments, which he uses to simply avoid addressing the essence of the issue. "

What is this essence of the issue you believe I'm missing? The post you quoted me on in your post was a reply to a "have you asked the same question for windows or osx?" question. Is the fact I haven't asked this about windows and osx the essence of the issue?
My original post is about the usefulness of a firewall for puppy linux, not windows and osx. I wasn't aware that to ask questions about a program running on Puppy Linux, one must first prove that he has asked about the same program running on windows and osx even though it has absolutely nothing to do with a Puppy Linux forum or that it's even possible to run the same program on Windows and OSX.

There is a reason I'm not "listening to the arguments proposed by his or her peers."
The reason is because arguments such as the one I mentioned earlier in this reply are not even relevant to my original post. There is no reasonable way to answer such a stupid question such as "have you asked the same question for windows or osx?"
Would you think everyone here would appreciate me writing a 10 page article about the ins and outs of running the Puppy Linux firewall program on Windows and OSX?
Would that make you happy? Do you think people come here for Windows and OSX support? Seriously, to take such arguments as these that are proposed by my peers as having some weight behind them is to completely throw away any logic or common sense and start addressing issues such as: "Have you tried your new .pet package on Windows and OSX?" as an example.

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#34 Post by SirDuncan »

Luluc wrote:Attackers try to break into sshd with brute force all the time. I run two Web sites, I see their dozens or hundreds of attempts in the logs every day.
When I had port 22 open on my router I would receive hundreds of login attempts per day. It was so bad that I switched to using a non-standard port for SSH, disabled password logins (only allowing key based authentication), and restricted the allowed IPs to just my ISP's range and the university's range. That was just on a home machine with no URL. I don't even want to think about how bad it is for server admins.
r1tz wrote:Using firewall to block others is fine if you are only running sshd. But you did mention webserver so I wrongly assume that you meant hosting it with the same computer. Because if you use firewall to block those IP, they won't be able to view your webserver.
That's not correct. With any good firewall (iptables, Cisco's iOS ACLs, etc.) you can block traffic based on type, the port being accessed, and the originating/destination IP/subnet. Most will also let you shape traffic without actually blocking it (i.e.: throttling bit torrent or giving higher priority to certain IPs or traffic types). I can block all non-US IPs from connecting to my machine over the SSH protocol and still let them connect to the webserver which is using a different protocol and port. Firewall access rules can get very complicated in a large-scale installation.
r1tz wrote:Better to be safe than to be sorry.
I agree.
Bruce B wrote:
  1) What resources?
  2) How much resources?
  3) Can you measure them?
  4) How do you measure them?
Bruce B wrote:Is it a program?
Actually, I was under the impression that it was part of the Linux kernel (not exactly a program by itself) and thus was running all of the time anyway (it just might only have the rule "allow all"). That would make its resource usage very hard to determine. Someone more knowledgeable correct me if I'm wrong.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath
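
Added example, not part of any post in this thread: a shell sketch of the kind of iptables ruleset SirDuncan describes (SSH limited to chosen source ranges while the web server stays open to everyone), with the outgoing block by port that Bernie_by_the_Sea mentions for cups. The address ranges are constructed stand-ins, and `input_verdict` is a hypothetical helper that walks the generated INPUT rules for a new inbound TCP connection so the result can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread). Address ranges are constructed
# stand-ins for "my ISP" and "the university" (documentation ranges).
SSH_ALLOWED="198.51.100.0/24 203.0.113.0/24"

# Emit an iptables-restore ruleset as text, so it can be reviewed first.
build_ruleset() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for net in $SSH_ALLOWED; do    # SSH only from the listed ranges
        echo "-A INPUT -p tcp -s $net --dport 22 -j ACCEPT"
    done
    echo "-A INPUT -p tcp --dport 80 -j ACCEPT"    # web server: any source
    echo "-A OUTPUT -p tcp --dport 631 -j REJECT"  # outgoing block by port (cups)
    echo "COMMIT"
}

# Dotted quad -> integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# True if address $1 lies inside CIDR block $2.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# First-match verdict for a NEW inbound TCP connection from $1 to port $2,
# falling through to the INPUT chain policy (DROP) when no rule matches.
input_verdict() {
    src=$1; dport=$2
    result=$(build_ruleset | while read -r line; do
        case $line in "-A INPUT -p tcp "*) ;; *) continue ;; esac
        rule_src=0.0.0.0/0; rule_port=; target=
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in
                -s) rule_src=$2 ;;
                --dport) rule_port=$2 ;;
                -j) target=$2 ;;
            esac
            shift
        done
        if [ "$rule_port" = "$dport" ] && in_cidr "$src" "$rule_src"; then
            echo "$target"; break
        fi
    done)
    echo "${result:-DROP}"
}

build_ruleset
```

To load the rules for real, pipe `build_ruleset` into `iptables-restore` as root; `iptables-restore --test` parses the ruleset without committing it.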

Bruce B

#35 Post by Bruce B »

SirDuncan wrote:
Bruce B wrote:
  1) What resources?
  2) How much resources?
  3) Can you measure them?
  4) How do you measure them?
Bruce B wrote:Is it a program?
Actually, I was under the impression that it was part of the Linux kernel (not exactly a program by itself) and thus was running all of the time anyway (it just might only have the rule "allow all"). That would make its resource usage very hard to determine. Someone more knowledgeable correct me if I'm wrong.
I don't think you're wrong. The questions were designed to make it difficult
for sickgut to answer, and undermine his own previous statements, even his premises.

~
Last edited by Bruce B on Wed 20 Apr 2011, 10:52, edited 1 time in total.
