firewall useless for puppy

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#31 Post by amigo »

"Is it a program?"
No it is not.

mickee
Posts: 207
Joined: Tue 08 Feb 2011, 14:59
Location: Saskatoon SK Canada, Gateway 5300 Laptop, 600MHz Celeron, 384MB RAM, lucid puppy 5.2 (Full Install)

#32 Post by mickee »

sickgut wrote:wtf does windows and osx have to do with puppy forum ? i'm not debating usefulness of firewall on windows only puppy. i suspect ppl who ask questions about windows on a puppy forum are mentally disabled in some way so it really doesn't matter what i type here in reply i doubt beem will understand it. he probably has a really huge forehead or has some gross disfigurement that interrupts his view of a screen when he types or doesn't understand english and has just copy and pasted random stuff in his post, maybe in an effort to impress other non english speaking people..

so no i didn't ask about windows and osx it's a puppy forum. go to a windows forum and ask the question yourself if you think you're doing the community a favour or need to answer a deep soul searching question such as that. i hear deep soul searching windows questions can change your view of the world in such a profound way you cannot explain it with words, so i will forgive you if you ask that question on a windows forum but can't quite put your answer into words when you go to explain your experience on this puppy linux thread.

i wish you all the best in life and hope you learn to live with or cure your current physical and or mental impairment.
:evil:

One who purposely and deliberately (that purpose usually being self-amusement) starts an argument in a manner which attacks others on a forum without in any way listening to the arguments proposed by his or her peers. He will spark off such an argument via the use of ad hominem attacks (i.e. 'he probably has a really huge forehead or has some gross disfigurement') with no substance or relevance to back them up as well as straw man arguments, which he uses to simply avoid addressing the essence of the issue.

Look it up.
Linux is NOT Windows. Doesn't PRETEND to be, Doesn't WANT to be; Don't try to MAKE it be.

sickgut
Posts: 1156
Joined: Tue 23 Mar 2010, 19:11
Location: Tasmania, Australia in the mountains.

#33 Post by sickgut »

mickee re:

"with no substance or relevance to back them up as well as straw man arguments, which he uses to simply avoid addressing the essence of the issue. "

What is this essence of the issue you believe I'm missing? The post you quoted me on in your post was a reply to a "have you asked the same question for windows or osx?" question. Is the fact I haven't asked this about windows and osx the essence of the issue?
My original post is about the usefulness of a firewall for puppy linux, not windows and osx, I wasn't aware that to ask questions about a program running on Puppy Linux, one must first prove that he has asked about the same program running on windows and osx even though it has absolutely nothing to do with a Puppy Linux forum or that it's even possible to run the same program on Windows and OSX.

There is a reason I'm not "listening to the arguments proposed by his or her peers."
The reason is because arguments such as the one I mentioned earlier in this reply are not even relevant to my original post. There is no reasonable way to answer such a stupid question such as "have you asked the same question for windows or osx?"
Would you think everyone here would appreciate me writing a 10 page article about the ins and outs of running the Puppy Linux firewall program on Windows and OSX?
Would that make you happy? Do you think people come here for Windows and OSX support? Seriously, to take such arguments as these that are proposed by my peers as having some weight behind them is to completely throw away any logic or common sense and start addressing issues such as: "Have you tried your new .pet package on Windows and OSX?" as an example.

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#34 Post by SirDuncan »

Luluc wrote:Attackers try to break into sshd with brute force all the time. I run two Web sites, I see their dozens or hundreds of attempts in the logs every day.
When I had port 22 open on my router I would receive hundreds of login attempts per day. It was so bad that I switched to using a non-standard port for SSH, disabled password logins (only allowing key based authentication), and restricted the allowed IPs to just my ISP's range and the university's range. That was just on a home machine with no URL. I don't even want to think about how bad it is for server admins.
r1tz wrote:Using firewall to block others is fine if you are only running sshd. but you did mention webserver so i wrongly assume that you meant hosting it with the same computer. because if you use firewall to block those IP, they won't be able to view your webserver.
That's not correct. With any good firewall (iptables, Cisco's IOS ACLs, etc.) you can block traffic based on type, the port being accessed, and the originating/destination IP/subnet. Most will also let you shape traffic without actually blocking it (i.e.: throttling bit torrent or giving higher priority to certain IPs or traffic types). I can block all non-US IPs from connecting to my machine over the SSH protocol and still let them connect to the webserver which is using a different protocol and port. Firewall access rules can get very complicated in a large-scale installation.
r1tz wrote:Better to be safe than to be sorry.
I agree.
Bruce B wrote:
  • 1) What resources?
    2) How much resources?
    3) Can you measure them?
    4) How do you measure them?
Bruce B wrote:Is it a program?
Actually, I was under the impression that it was part of the Linux kernel (not exactly a program by itself) and thus was running all of the time anyway (it just might only have the rule "allow all"). That would make its resource usage very hard to determine. Someone more knowledgeable correct me if I'm wrong.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath
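
The per-port, per-source filtering described in post #34, as an added example that is not from any poster in this thread: SSH is reachable only from listed ranges on a non-standard port while the web server stays open to everyone. Port 2222, the documentation address ranges and all function names are assumptions of this sketch; the ruleset is printed in iptables-restore format, not applied.

```shell
#!/bin/sh
# Added example; ports and address ranges are constructed placeholders.
WEB_PORT=80                                   # web server: open to everyone
SSH_PORT=2222                                 # assumed non-standard SSH port
SSH_ALLOWED="192.0.2.0/24 198.51.100.0/24"    # stand-ins for ISP / university ranges

# Dotted quad -> 32-bit integer (runs in a subshell when called via $(...)).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr ADDR NET/BITS: succeed when ADDR lies inside the network.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# decide SRC_IP DST_PORT: verdict for a new inbound TCP connection, giving the
# same result as the rules emitted by build_ruleset.
decide() {
    if [ "$2" = "$WEB_PORT" ]; then echo ACCEPT; return 0; fi
    if [ "$2" = "$SSH_PORT" ]; then
        for cidr in $SSH_ALLOWED; do
            if in_cidr "$1" "$cidr"; then echo ACCEPT; return 0; fi
        done
    fi
    echo DROP
}

# Emit the policy in iptables-restore format (printed only, never applied).
build_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for cidr in $SSH_ALLOWED; do
        echo "-A INPUT -p tcp -s $cidr --dport $SSH_PORT -j ACCEPT"
    done
    echo "-A INPUT -p tcp --dport $WEB_PORT -j ACCEPT"
    echo 'COMMIT'
}

build_ruleset
for src in 203.0.113.9 198.51.100.77; do
    echo "# $src -> web: $(decide "$src" "$WEB_PORT"), ssh: $(decide "$src" "$SSH_PORT")"
done
```

The last two lines of output show the same outside address accepted on the web port and dropped on the SSH port.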

Bruce B

#35 Post by Bruce B »

SirDuncan wrote:
Bruce B wrote:
  • 1) What resources?
    2) How much resources?
    3) Can you measure them?
    4) How do you measure them?
Bruce B wrote:Is it a program?
Actually, I was under the impression that it was part of the Linux kernel (not exactly a program by itself) and thus was running all of the time anyway (it just might only have the rule "allow all"). That would make its resource usage very hard to determine. Someone more knowledgeable correct me if I'm wrong.
I don't think you're wrong. The questions were designed to make it difficult
for sickgut to answer, and undermine his own previous statements, even his premises.

~
Last edited by Bruce B on Wed 20 Apr 2011, 10:52, edited 1 time in total.

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#36 Post by Bernie_by_the_Sea »

SirDuncan wrote:
Bruce B wrote:
  • 1) What resources?
    2) How much resources?
    3) Can you measure them?
    4) How do you measure them?
Bruce B wrote:Is it a program?
Actually, I was under the impression that it was part of the Linux kernel (not exactly a program by itself) and thus was running all of the time anyway (it just might only have the rule "allow all"). That would make its resource usage very hard to determine. Someone more knowledgeable correct me if I'm wrong.
Iptables is built into the kernel. A firewall (rules for iptables other than allow all) is not. Puppy’s firewall (rc.firewall) can be measured precisely. On my computer running Wary 500 as I configured the firewall, it occupies exactly 73408 bytes in RAM. Killing (or never starting) that firewall process saves that 73KB.

Bruce B

#37 Post by Bruce B »

Bernie_by_the_Sea wrote:A firewall (rules for iptables other than allow all) is not. Puppy’s firewall (rc.firewall) can be measured precisely. On my computer running Wary 500 as I configured the firewall, it occupies exactly 73408 bytes in RAM. Killing (or never starting) that firewall process saves that 73KB.
Bernie_by_the_Sea,

I'll accept this at face value and mention, for readers' sake, that 73408
bytes is not much consideration for today's computers.

Can we agree this is RAM resources?

What about CPU resources? Do you know a way of measuring this as far
as our iptables?

Should I mention the iptables can be configured in a way to eliminate
things we don't want and thereby increase speed?

Bruce

~

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#38 Post by Bernie_by_the_Sea »

Bruce B wrote:
Bernie_by_the_Sea wrote:A firewall (rules for iptables other than allow all) is not. Puppy’s firewall (rc.firewall) can be measured precisely. On my computer running Wary 500 as I configured the firewall, it occupies exactly 73408 bytes in RAM. Killing (or never starting) that firewall process saves that 73KB.
Bernie_by_the_Sea,

I'll accept this at face value and mention, for readers' sake, that 73408
bytes is not much consideration for today's computers.

Can we agree this is RAM resources?

What about CPU resources? Do you know a way of measuring this as far
as our iptables?

Should I mention the iptables can be configured in a way to eliminate
things we don't want and thereby increase speed?
73408 bytes is trivial say with 1GB RAM. I think it's RAM resources.

I thought I knew how to measure CPU resources used by iptables but now I don't think I do. As an educated guess I'd say it never exceeds 2% but on the other hand I think it's always running.

Any speed increase is trivial, too.

The OP's point was that IF a firewall or Puppy's firewall is useless THEN any resources used are a waste no matter how trivial. This discussion is not quite down to how many angels can dance on the head of a pin but it is down to how the beat of a butterfly's wings in China can cause tornadoes in Kansas.

Bruce B

#39 Post by Bruce B »

Bernie_by_the_Sea wrote:I thought I knew how to measure CPU resources used by iptables but now I don't think I do. As an educated guess I'd say it never exceeds 2% but on the other hand I think it's always running.
I run an mp3player, mpg123, it does some serious full time decoding and
it uses about 2%

In Windows, I used the hosts file to prevent unwanted connections, when
the connections were domain names.

For unwanted connections using IP addresses, I manipulated the routing
table.

The speed increase I refer to is by not allowing the objects to get sent
that would otherwise get sent by the GET requests the web designer
includes. Some of the more nefarious were the direct GET by IP address.

I think Linux already has iptables, only we add to its size by using the
firewall, true?

I measure various processes using htop.

Unfortunately, I don't see any process which I can identify as - this is the
iptables.

It appears to me, not much is happening at the kernel level, when things
are idle. Albeit, it is never absolutely idle.

To my way of thinking, the iptables would come into play when doing
networking, such as connecting with Firefox. At which time Firefox is using
so many threads and hitting such a high load, anything else seems
irrelevant. But when the page is loaded, available resources become
correspondingly up again.

Bruce

~

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#40 Post by SirDuncan »

Bernie_by_the_Sea wrote:A firewall (rules for iptables other than allow all) is not.
No, iptables is the firewall. The rules are just rules (some, like Cisco, refer to them as access control lists).
Bernie_by_the_Sea wrote:Puppy’s firewall (rc.firewall) can be measured precisely. On my computer running Wary 500 as I configured the firewall, it occupies exactly 73408 bytes in RAM. Killing (or never starting) that firewall process saves that 73KB.
Okay, so we're actually talking about the rc.firewall script. That changes the conversation a bit. I now assume that we are talking about an increase in the resources used when booting instead of constant resource usage (which is what I initially assumed when I thought you were talking about iptables).

If that's what is being discussed and you don't believe that it is necessary to run a firewall, then you are probably right to consider it a waste of resources. Just delete rc.firewall (or rename it to be safe) and you should get your 73KB back for the second it would have been gone. It's not enough to bother me, but I can understand wanting to optimize. As the saying goes, "Mind the ounces and the pounds will follow."

The question is, what did the OP mean by "firewall"?
Bruce B wrote:I measure various processes using htop.

Unfortunately, I don't see any process which I can identify as - this is the
iptables.
That's because there is no process for iptables. It is literally a function of the kernel. You won't see a process for rc.firewall either. It only runs for about a second at startup in order to configure the firewall settings. Unless there is some other related script that is running that I don't know about (always a possibility), there is no additional constant overhead beyond what you get from iptables in the kernel.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath

Bruce B

#41 Post by Bruce B »

SirDuncan

I'm pretty sure it is not Bernie_by_the_Sea's position that the memory
increase by larger iptables is reason not to run a firewall. Rather, merely a
technical statement or calculation on the resource usage, which was I think
an answer to a question.

Bruce

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#42 Post by rcrsn51 »

SirDuncan wrote:That's because there is no process for iptables. It is literally a function of the kernel. You won't see a process for rc.firewall either. It only runs for about a second at startup in order to configure the firewall settings. Unless there is some other related script that is running that I don't know about (always a possibility), there is no additional constant overhead beyond what you get from iptables in the kernel.
Correct me if I'm wrong. But if you don't load the firewall, then certain kernel modules aren't loaded either. So there will be a savings by not having those modules in place.
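
One way to put a number on the kernel-module memory raised in posts #40 and #42, as an added example that is not from any poster in this thread: sum the size column of /proc/modules for firewall-related modules. The sample module list is constructed, and the name prefixes and function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example; the module list below is constructed sample data in the
# /proc/modules layout: name size refcount dependents state address.
SAMPLE_MODULES='iptable_filter 12810 1 - Live 0xf8a3e000
ip_tables 27473 1 iptable_filter, Live 0xf8a2f000
x_tables 29846 2 iptable_filter,ip_tables, Live 0xf8a1c000
nf_conntrack 88842 0 - Live 0xf89f0000
snd_pcm 97275 2 snd_intel8x0, Live 0xf8950000
usbcore 180136 3 ehci_hcd, Live 0xf88a0000'

# Name prefixes treated as firewall-related (an assumption of this example).
NF_PATTERN='^(ip_tables|ip6_tables|x_tables|iptable_|ip6table_|ipt_|xt_|nf_)'

# Read /proc/modules-format text on stdin; print "bytes name", largest first.
netfilter_modules() {
    awk -v pat="$NF_PATTERN" '$1 ~ pat { print $2, $1 }' | sort -rn
}

# Read the same input; print the total bytes held by matching modules.
netfilter_module_bytes() {
    awk -v pat="$NF_PATTERN" '$1 ~ pat { total += $2 } END { print total + 0 }'
}

# Constructed sample first, then the running kernel if /proc/modules exists.
printf '%s\n' "$SAMPLE_MODULES" | netfilter_modules
echo "sample total: $(printf '%s\n' "$SAMPLE_MODULES" | netfilter_module_bytes) bytes"
if [ -r /proc/modules ]; then
    # A kernel with netfilter compiled in (not modular) lists nothing here,
    # so a total of 0 does not mean packet filtering is absent.
    echo "this machine: $(netfilter_module_bytes < /proc/modules) bytes"
fi
```

Comparing the total before and after the firewall script runs shows what loading the rules added in module memory.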

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#43 Post by Bernie_by_the_Sea »

Going off topic (perhaps), this morning I took a closer look at the latest Knoppix firewall which is somewhat similar to Puppy’s. By default it starts with all common ports closed and none stealthed. It responds to pings. Most security experts say a no-stealth/ping-replying firewall is bad but the majority of Knoppix users (I imagine) run it as a Live CD (but my imagination might be wrong because I know two college students who have a Knoppix full HD install as their only OS)... Now I forgot where I was going with this, but then I’m 83 years old and my senior moments grow longer. :) I also tend to ramble on at length about nothing so I’ll leave this in my post. Maybe somebody knows where I was going. :)

Actually my position is that an ordinary home user running Linux of any flavor does not need a firewall. Obviously someone doing a bit more with their computer than the ordinary home user probably does need a firewall although not for malware/virus avoidance as in Windows. Some advanced Linux users probably need a firewall to avoid system overload crashes from roving bands of inquiring intruders (speaking almost poetically). I think this boils down to personal use determining the need for a firewall. No matter what the system some need a firewall and some don’t (even in Windows). Thus a firewall should be optional, easy to enable or disable. A new user should be told if the firewall is disabled by default.

Now the question becomes are Puppy users ordinary home users?

L18L
Posts: 3479
Joined: Sat 19 Jun 2010, 18:56
Location: www.eussenheim.de/

firewall useless for puppy

#44 Post by L18L »

Bernie, good question
let the user decide what he needs

OP,
idiotic question
Puppy really doesn't need a firewall. It is a distro.
And please don't flame non-English speakers not before you are writing English correctly

waste of ..... time?
Sure, OP did want only "prove me wrong"

live
Posts: 223
Joined: Wed 10 Feb 2010, 21:04

#45 Post by live »

sickgut

You want a mathematical demonstration.

So here is your answer:
For any OS (Win(s), MacOS, Linux(es), MVS, ...) a firewall will never prevent you from a
* eavesdropper
* malware/viruses
* trojan

Now, why would one use a firewall?
Well, I'll make an analogy. It's like an airbag, it could save you from injuries, but it'll neither prevent you from driving crazy, nor having a fatal accident... still you prefer to have one (and now cars have many). Furthermore, you want them to be there, but never be used!

Your remark about being, something as stupid to have 4 anti-virus under Linux.
Well, again cast a look at www.virustotal.com, but also the anti-virus concept is going obsolete, as viruses can be too tricky to discover (encrypted & spread over different files).

If you are concerned by resource consumption, simply turn it off.

But a better question could be, what is the Puppy firewall supposed to do? Does it do so in an efficient way?
If you run Puppy from a multisession DVD in a computer that has no hard disk drive, as I do, then I can't see the need for a firewall. Even if something from the internet did manage to take over Puppy, which as far as I know has never happened, to restore Puppy to the way it was, I just reboot without saving.
Without being paranoid, it won't prevent from
1/ eavesdropping
2/ redirecting to another system that you might be connected to
But apart from eavesdropping you do a hard hacking job.

Bruce B

#46 Post by Bruce B »

Is anyone here familiar with the Kerio PF for Windows? Not the new one, but the older one. Something like release 2.15.

I love that firewall and would be thrilled if Linux had something with that level of control. And ease of use.

~

Luluc
Posts: 200
Joined: Wed 16 Mar 2011, 07:10

#47 Post by Luluc »

Bruce B wrote:Is anyone here familiar with the Kerio PF for Windows? Not the new one, but the older one. Something like release 2.15.
I love that firewall and would be thrilled if Linux had something with that level of control. And ease of use.
~
Me too!!!!!!!!

fucimin
Posts: 4
Joined: Mon 18 Apr 2011, 11:28

#48 Post by fucimin »

Yes, me too, kerio 2.1.5 still running on my winXP machines and from the win98 days...

Béèm
Posts: 11763
Joined: Wed 22 Nov 2006, 00:47
Location: Brussels IBM Thinkpad R40, 256MB, 20GB, WiFi ipw2100. Frugal Lin'N'Win

#49 Post by Béèm »

If I remember well, Kerio was first Tiny Personal Firewall.
For some reason I changed to Outpost, but it started to be paid only after a certain release. Good support in the time of the free version of Outpost.
Time savers:
Find packages in a snap and install using Puppy Package Manager (Menu).
Consult Wikka: http://puppylinux.org/wikka/HomePage
Use peppyy's puppysearch: http://wellminded.com/puppy/pupsearch.html

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#50 Post by rcrsn51 »

So is this the definitive answer to sickgut's original, and quite valid, question?
Luluc wrote:Sigh. People have all these misconceptions about "breaking into" a computer...

Nobody can magically break into your computer if you are not running some service like SSHD or FTPD. Very, very few people run these kind of services on desktop machines. An intruder would have to attack one of such services and guess one of the login passwords. Just don't run any such services and you're fine.

Another attack may come from the browser. A browser may visit an infected site and run arbitrary code. "Arbitrary code" means "pretty much anything". Maybe such code could change your root password and launch sshd or ftpd, I am not sure. That is why running a browser as root is not a good idea. But if you use Firefox and have the NoScript extension blocking all Javascript except what you allow explicitly, you are 99.99% safe.

This problem stems from the fact that the browser runs as root in Puppy. In other distros, where the user is logged in as ordinary user, it is impossible for an infected site to launch sshd or ftpd on your machine.
Can we conclude that the average user who is not running some kind of service does not need a firewall?

Am I correct in assuming that even if you had the Puppy firewall running, it would not stop outgoing traffic from something malicious on your computer like a bot?
