Protecting Yourself with a Firewall - Networking and the Internet - Ubuntu Linux For Dummies (2007)

Ubuntu Linux For Dummies (2007)

Part II: Networking and the Internet

Chapter 10. Protecting Yourself with a Firewall

In This Chapter

· Introducing firewalls

· Building a firewall

· Starting your firewall

Your newly installed Ubuntu desktop computer is quite network safe. Ubuntu, out of the box, doesn't run any unnecessary, network-aware services; network-aware services are processes (running programs or applications) that respond to network connections.

Network services that don't exist can't be hacked. This is a good thing.

However, Ubuntu supplies a firewall configuration utility because life changes. As you use your computer, you'll probably want to change and modify it. Changing and modifying might introduce new network services, and those services need to be protected with a firewall. Firewalls limit access to and from networks and are generally used to prevent unwanted incoming connections, especially ones from the Internet.

Protecting Your Computer with Firewalls

In the past, firewalls were absolutely necessary because Linux distributions installed and activated many network-aware services by default. They installed the proverbial kitchen sink. Most people didn't need the services — or the sink — but someone always did. Vendors turned services on in order to make as many as possible of their customers happy.

Well, as the adage says, you can please some of the people all of the time, but . . . well, you get my drift. Turning on services was very bad from a security standpoint. Some services were poorly configured, some were buggy, and hackers went to town.

Ubuntu practices good security hygiene. It installs only a relatively small amount of software — enough to make your Ubuntu computer very useful but without installing the kitchen sink. So there aren't any network-aware services running under the default installation described in Chapter 4.

So why run a firewall? It isn't absolutely necessary, but good security requires multiple layers of defense. There's no silver bullet when it comes to computer security. You might not have a network-based vulnerability now, but that might not be true in the future.

I show you how to install a lot of software throughout this book. Some software is network-aware, and software always contains exploitable vulnerabilities. Therefore, be proactive and install a firewall now. It's easy to install and configure.

Quest for Firestarter: Installing a Firewall Configuration Tool

In its quest to give you the tools you need, Ubuntu includes the Firestarter utility on its distribution disc (the companion CD). The utility makes it easy to create firewall rules that best fit your needs. This section describes how to install Firestarter.

Your firewall configuration is not saved permanently if you're using live Ubuntu. (See Chapter 2.) Your configuration settings will be lost when you reboot your computer. Your firewall settings are saved, however, if you're running a permanent Ubuntu installation. (See Chapter 4.)

The instructions in this section assume your Ubuntu computer is connected to the Internet. Chapters 6 through 9 describe how to use various technologies to obtain your connection. You download Firestarter using Ubuntu's Add/Remove Applications utility. Please refer to the sidebar "Living off the land" and the companion Ubuntu disc if you don't have an Internet connection.

Living off the land

You can still install Firestarter if you don't have an Internet connection — or haven't yet connected your Ubuntu computer to the Internet. (Your Internet connection can be through an existing local area network [LAN] or dialup or broadband modem. Please see Chapters 6, 7, 8, and 9 for instructions about using such connections.)

1. Insert your Ubuntu CD-ROM or DVD.

The File Browser dialog opens, showing the contents of the disc.

2. Click the Close Window control.

The Close Window control is the X in the extreme, upper-right corner of the window. Alternatively, click the File menu and choose the Close option.

Use the instructions in the "Quest for Firestarter: Installing a Firewall Configuration Tool" section.

The following instructions guide you through the straightforward Firestarter installation process:

1. From the GNOME menu bar, choose Applications ⇒ Add/Remove.

This action starts the Add/Remove Applications dialog.

2. Type fire in the Search text box located in the upper-right corner of the dialog window.

The utility locates and displays the Firestarter package, as shown in Figure 10-1.

Figure 10-1: The Add/Remove utility located the Firestarter package.

3. Select the check box next to the Firestarter package.

4. Click the Apply button.

The Apply the Following Changes? query dialog opens.

5. Click the Apply button.

The Administration Rights Are Required to Install and Remove Applications dialog opens.

6. Type your password and click OK.

The package utility takes some time to determine what, if any, additional software packages you need. After it finishes checking, the New Applications dialog opens and prompts you to double-click to start Firestarter.

You've successfully installed Firestarter. Now you can use Firestarter to prevent fire.

Ubuntu uses the Netfilter/iptables firewall system. Netfilter refers to the kernel-level program that allows or denies network transmissions. iptables is the user-level program that controls Netfilter. The overall system is generally referred to as iptables. Firestarter configures rules that are fed to iptables to set up your firewall.

Using the Firestarter Configuration Wizard

After Firestarter is installed (see the installation instructions in the preceding section), the New Applications dialog opens and gives you the opportunity to start the utility. Follow these steps:

1. Double-click the Firestarter option, or choose System ⇒ Administration ⇒ Firestarter from the GNOME menu bar.

The Firewall Wizard: Welcome to Firestarter dialog opens.

2. Click the Close button in the New Applications dialog and click OK in the Add/Remove Applications window.

Neatness can make life a little bit easier.

3. Click the Forward button in the Firewall Wizard.

The wizard detects all network devices and displays one of them in the Detected Device(s) drop-down menu. Figure 10-1 shows a sample window.

Figure 10-1: The Firewall Wizard Network Device Setup dialog.

4. If your network device isn't shown, click the Detected Device(s) drop-down menu and select it.

The most common network device is Ethernet.

5. Select the Start the Firewall on Dial-Out check box if you're using a dialup modem to make your Internet connection.

6. Select the IP Address Is Assigned via DHCP check box.

Leave the check box deselected if you manually assigned a static IP address to your Ubuntu computer in Chapter 6.

Figure 10-1 shows your firewall configured for DHCP but not for dial-out modem.

Figure 10-1: Firewall configured for DHCP but not dial-out modem.

At this point, your firewall is configured to block incoming connections. It lets your computer initiate outgoing connections (such as Web browsing and e-mail) but accepts nothing else from the outside.

7. Click the Forward button.

The Internet Connection Sharing Setup dialog opens. Here Firestarter can make your computer act as a router, so that other computers can reach the Internet (or LAN) through your Ubuntu computer, with their traffic appearing to come from its IP address. You shouldn't need this function when using your computer as a workstation.

8. Click the Forward button again.

The Ready to Start Your Firewall dialog, shown in Figure 10-1, opens.

Figure 10-1: Saving your configuration and starting your firewall.

9. Click Save.

Your firewall configuration is saved, and the firewall starts; Ubuntu is also configured to start your firewall automatically whenever it reboots. The Firestarter control dialog also opens, as shown in Figure 10-1. It's described in the following section, "Fine-Tuning Your Firewall."

Figure 10-1: Firestarter's control dialog.

Fine-Tuning Your Firewall

In the preceding section, you configure your firewall to allow any outgoing connection you might want to make. It's also set up to prevent incoming new connections from anywhere. This policy is great if you never intend to access your computer from someplace else. If that's your desire, you can skip this section.

However, if you'd like to access your Ubuntu computer from another computer on your LAN or the Internet, you can easily configure your firewall to do so. The following section describes in general how you can

· Configure your firewall to allow applications to make incoming connections.

· Limit the originating IP address that an incoming connection can be made from.

Configuring Firestarter to allow incoming connections

Try adding a rule to allow SSH (Secure Shell) connections. Follow these steps:

1. From the GNOME menu bar, choose System ⇒ Administration ⇒ Firestarter.

The Firestarter utility, shown in Figure 10-1, opens.

2. Click the Policy tab in the Firestarter control dialog.

3. Click anywhere in the Allow Service subwindow.

The Allow Service subwindow is immediately below the Allow Connections subwindow.

4. Click the Add Rule button.

The Add New Inbound Rule dialog opens.

5. From the Name drop-down menu, choose the application to allow in.

6. If you want to control where incoming connections can be made from, do the following:

a. Click the IP, Host, or Network radio button.

If you don't select this option, incoming connections can be made from any computer.

b. Type the IP address or IP address range in the IP, Host, or Network text box.

7. (Optional) Type any comment you think helpful in the Comment text box.

Adding comments helps you recall in the future why you entered a rule. A comment like "I want to allow incoming SSH connections so I can connect to my home computer from work" will help you recall what purpose a rule serves.

8. Click the Add button.

The Add New Inbound Rule dialog closes.

9. Click the Apply Policy button. The new rule is displayed.

You can continue adding and deleting incoming policies as you wish.

10. Choose Quit from the Firewall menu to exit the Firestarter control dialog.

That's it. Your computer now accepts incoming connections for the specified application, either from any computer or only from the IP addresses or networks you specified. Pretty cool.

You can give full access through the firewall to individual computers or networks. Clicking the Allow Connections from Host subwindow and selecting Add Rule opens a dialog similar to the Add New Inbound Rule dialog described above. Using this option allows you to enter the IP address of a single machine or the IP address of an entire network. Any connection from that machine or machines, to any service on your computer, will then be allowed through the firewall, so reserve this option for hosts you trust completely.

Allowing incoming SSH connections

I use Secure Shell (SSH) — which encrypts interactive connections — to securely communicate with my home computer. It's an amazing tool and useful in many, many ways; using SSH is described in Appendix B.

For instance, I use SSH to connect to my home Ubuntu computer when I'm traveling. SSH allows me to securely interact with my home computer and also transfer files to and from it. However, you need to modify the default Ubuntu firewall before it will allow incoming SSH connections. Here's how you can do just that:

1. Open the Firestarter control dialog by choosing System ⇒ Administration ⇒ Firestarter from the GNOME menu bar.

The Enter Your Password to Perform Administration Tasks dialog opens (if you haven't performed an administrative task in the past 5 minutes).

Ubuntu uses the sudo system to perform all system-level (superuser) tasks. When you use sudo to perform a task, it asks for your password and remembers that you entered it correctly for the next 5 minutes. After 5 minutes, sudo asks for your password again the next time you perform a system task.

2. Type your password and click OK.

3. Click the Policy tab.

4. Click anywhere in the Allow Service subwindow.

5. Click the Add Rule button.

6. From the Name drop-down menu, choose SSH.

SSH operates on port 22 by default, as shown in Figure 10-1.

Figure 10-1: SSH connections are allowed from anywhere.

7. Click the Add button.

8. Click the Apply Policy button. The SSH rule is displayed.

Figure 10-1 shows the result.

You can continue adding and deleting incoming policies as you wish.

9. Choose the Quit option from the Firewall menu to exit the Firestarter control dialog.

The firewall is configured to let a little bit of information escape from your Ubuntu computer. You can ping your Ubuntu computer from another computer or device on your private LAN (if connected to one). A ping lets the other computer find out that yours is up and reachable on the network.
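Firestarter hands the policy built in this section to iptables (see the note on Netfilter/iptables earlier in the chapter). The script below is an added example, not Firestarter's own code: it emits an equivalent ruleset, the wizard's default-deny policy with return traffic, DHCP replies and ping accepted, plus one inbound SSH rule limited to a source network in the way the IP, Host, or Network box limits it. It assumes the interface name eth0, the "Inbound " log prefix, and the example network 203.0.113.0/24 (a documentation range); the `-m state` match is the one iptables of that era used.

```shell
#!/bin/sh
# Added example, not Firestarter's own code: emit the iptables commands that
# reproduce the wizard's policy (drop new inbound, accept return traffic,
# accept DHCP replies and ping) plus one inbound SSH rule limited to a source
# network, as the Add New Inbound Rule dialog's IP, Host, or Network box does.
# Assumed: the interface name, the "Inbound " log prefix, and the example
# network 203.0.113.0/24 (a documentation range).
gen_rules() {
    iface="$1"
    ssh_src="${2:-0.0.0.0/0}"    # no second argument: SSH allowed from anywhere
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -i $iface -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $iface -p tcp -s $ssh_src --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $iface -m limit --limit 5/min -j LOG --log-prefix "Inbound "
iptables -A INPUT -i $iface -j DROP
EOF
}

# Number of rules that admit NEW inbound connections: the exposed surface.
count_open_ports() {
    gen_rules "$@" | grep -c -- '--state NEW'
}

# Apply the rules (root only); anyone else just sees them printed.
apply_rules() {
    if [ "$(id -u)" -eq 0 ]; then
        gen_rules "$@" | sh -e
    else
        echo "# not root: printing rules instead of applying them" >&2
        gen_rules "$@"
    fi
}

# Stand-alone run is a dry run; set APPLY_FIREWALL=1 and run as root to apply.
if [ "${APPLY_FIREWALL:-0}" = 1 ]; then
    apply_rules "${IFACE:-eth0}" "${SSH_SRC:-203.0.113.0/24}"
else
    gen_rules "${IFACE:-eth0}" "${SSH_SRC:-203.0.113.0/24}"
fi
```

The policy is set to DROP before the chain is flushed so the host fails closed during the reload, and the LOG rule is rate-limited so a probe cannot flood the log that the Events tab reads.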

Testing Your Firewall

If you've implemented the preceding instructions in this chapter, you have a very effective firewall in place. It blocks all new incoming connections unless you specifically tell it not to. Any misconfigured or buggy network-aware services that you currently run, or run in the future, won't "see" probes or attacks; because they can't be reached from the network, they can't be exploited from it.

Your firewall is configured to block new incoming connections. However, it allows incoming traffic that belongs to connections you started. For instance, if you browse a Web site, you make an outgoing connection to the Web server. The Web site responds to your browsing and sends network traffic back to your computer. Your firewall recognizes that this traffic belongs to a connection you opened and lets the return traffic back in (this is called stateful filtering, and it relies on the connection tracking that Netfilter keeps).

You can verify for yourself that the firewall is indeed blocking unwanted network traffic. Open Firestarter and click the Events tab. If your computer is connected to the Internet, you'll see information similar to that shown in Figure 10-1.

Figure 10-1: Firestarter showing network events.

This figure shows one Network Time Protocol (NTP) packet from my cable modem (192.168.1.1) and several packets from unknown addresses. (NTP is used to synchronize your Ubuntu computer's clock with atomic clocks made available via the Internet.) I haven't configured Firestarter to allow those types of connections or probes, so my firewall is blocking them. If I had a vulnerable service operating on one of those ports, it wouldn't be reachable by an attacker.
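The Events tab is built from the kernel log lines that the firewall's LOG rule writes. The script below is an added example (not from the book or from Firestarter) that summarises such lines the way you would read the Events tab: blocked packets grouped by source, protocol and destination port, and a second function that picks out sources hitting the same port repeatedly. The log lines are constructed, the "Inbound " prefix is assumed, and the addresses are documentation ranges.

```shell
#!/bin/sh
# Constructed sample of kernel log lines in the format iptables' LOG target
# writes (the data behind Firestarter's Events tab). Hosts and addresses are
# made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG='Mar  3 09:12:01 ubuntu kernel: Inbound IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.100 LEN=76 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar  3 09:12:05 ubuntu kernel: Inbound IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.100 LEN=48 TTL=112 ID=1027 DF PROTO=TCP SPT=4021 DPT=22 SYN URGP=0
Mar  3 09:12:06 ubuntu kernel: Inbound IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.100 LEN=48 TTL=112 ID=1028 DF PROTO=TCP SPT=4022 DPT=22 SYN URGP=0
Mar  3 09:12:07 ubuntu kernel: Inbound IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.100 LEN=48 TTL=112 ID=1029 DF PROTO=TCP SPT=4023 DPT=22 SYN URGP=0
Mar  3 09:13:40 ubuntu kernel: Inbound IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.100 LEN=48 TTL=101 ID=3310 DF PROTO=TCP SPT=1433 DPT=445 SYN URGP=0
Mar  3 09:13:41 ubuntu kernel: Inbound IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.100 LEN=48 TTL=101 ID=3311 DF PROTO=TCP SPT=1434 DPT=445 SYN URGP=0
Mar  3 09:14:02 ubuntu kernel: Inbound IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.100 LEN=84 TTL=101 ID=3312 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1'

# Read LOG lines on stdin and print "count source protocol dest-port",
# busiest first. ICMP has no DPT, so its port shows as "-".
summarize_blocked() {
    awk '/ IN=/ {
        src = ""; proto = "?"; port = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "SRC") src = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT") port = val
        }
        if (src != "") count[src " " proto " " port]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Print "source port" for every source that hit one port at least N times
# (default 3): repeated hits on a single port deserve a closer look.
repeat_sources() {
    summarize_blocked | awk -v t="${1:-3}" '$1 >= t { print $2, $4 }'
}

# Stand-alone run: summarize the constructed sample. On a real system, feed
# the kernel log in instead, e.g. grep Inbound /var/log/kern.log | summarize_blocked
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
```

On the sample, the busiest line is the three blocked attempts against port 22 from 203.0.113.7; with SSH opened to a single trusted network, as in the previous section, such probes from elsewhere stay in the log rather than reaching the SSH daemon.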