thenktor wrote:
Dig_Res wrote: I would like to know whether all service ports are at least closed* in the default configuration of Salix.
No, they aren't. AFAIK ntpd is running by default, but it doesn't serve time to foreign hosts.
Thank you for the prompt reply and I'm sorry for not getting back sooner.
Dig_Res wrote: does a software firewall not provide an additional layer of protection? Can anyone actually claim that a NAT router is absolutely impenetrable?
thenktor wrote:The firewall already is an additional layer of protection. Long story short: If no services are running, nobody can connect anyway.
Really?! I thought if any ports are open, it's only a matter of time before an attacker discovers them and finds a way in.
Whenever I have run a firewall that kept logs of blocked connections (most recently, Firestarter in Ubuntu), it always showed continual attempted connections from all kinds of unknown and suspicious sources. At least one every few minutes, many of them tagged as being "very dangerous".
On the other hand, such "blocked connections" were being logged even when I was connected through ISPs that seemed to block all or at least most ports from their end. (Online scans such as the ones at grc.com and pcflank.com would report the ports as closed even when I had turned off any firewall before running the scans.)
So I wonder whether it might not have actually been my ISP or, in many cases at least, even just the configuration of iptables itself (ports closed) that was actually blocking all those connections -- and not an app like Firestarter.
But still, regardless of how they were closed, the fact is that ports were closed, and here you're arguing that even that isn't necessary.
EDIT: We are talking about desktops here. It's much more likely that you have a security problem in your browser, in your flash plugin, in you mail client, ...
That could be, but I don't quite see the logic in ignoring one avoidable risk (i.e., open ports) just because other risks (i.e., browser and email exploits, etc.) may be greater. Seems to me that anyone serious about security would want to protect themselves against both risks.
Also, as somewhat of an aside, I have long wondered how much of a risk browser vulnerabilities actually pose when JavaScript as well as Java and all plugins are completely disabled.
pwatk wrote: The last time I went on holiday with my laptop I installed Shorewall, altered a few settings from one of the examples and left it to do its job. Beats micro-managing an interactive firewall by a long way.
Interesting that you should mention Shorewall and "interactive firewall"...
The firewall in PCLinuxOS uses Shorewall. But the PCLOS firewall also has an "interactive" option, as well as one to be alerted of intrusion attempts. (This was exactly the same in the just-released fork of Mandriva called Mageia, from where I think the whole "Control Center" that this firewall setup is part of originates.)
What's strange to me is that I have used PCLOS with this firewall many times and I always checked the "interactive" and alert options when setting it up. Yet, I never once got a single warning or prompt of any kind.
(Same ISPs and hardware as when I ran Ubuntu with Firestarter and got the constant intrusion attempt notices.)
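A worked check for the question raised in this post (whether the "blocked connections" a firewall front-end logs were really stopped by that app, or would have bounced off a closed port anyway), added here as an example and not code from the thread, from Salix or from Firestarter: it parses a Linux /proc/net/tcp snapshot to find TCP sockets in LISTEN state, then labels kernel log entries in the iptables LOG-target format (what Firestarter and other iptables front-ends read from the kernel log) by whether any service was actually listening on the destination port. The /proc/net/tcp snapshot and the log lines are constructed samples, and the address decoding assumes the x86 byte order the kernel uses when printing IPv4 addresses in that table.

```python
"""Added example (not from the Salix thread): for each dropped packet in an
iptables LOG, was anything listening on the port it aimed at?

Part 1 parses /proc/net/tcp for sockets in LISTEN state. Part 2 parses
iptables LOG kernel messages and labels each one. Both inputs are
constructed samples."""
import re
from typing import Dict, List, Tuple

TCP_LISTEN = 0x0A  # value of the 'st' column for LISTEN in /proc/net/tcp

# Category labels returned by classify()
LISTENER = "listener present: the firewall drop mattered"
LOOPBACK = "loopback-only listener: unreachable from the network regardless"
NO_LISTENER = "no listener: a closed port would have answered RST anyway"
NON_TCP = "non-TCP: outside this check"

# Constructed /proc/net/tcp snapshot: sshd on 0.0.0.0:22, cupsd on
# 127.0.0.1:631, and one outbound ESTABLISHED (state 01) connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0501A8C0:C3F2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed iptables LOG lines (one dropped packet per line).
SAMPLE_LOG_LINES = [
    "Jan 12 10:01:33 laptop kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.5 "
    "LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=65535 SYN URGP=0",
    "Jan 12 10:02:10 laptop kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.5 "
    "LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=51000 DPT=631 WINDOW=8192 SYN URGP=0",
    "Jan 12 10:03:41 laptop kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.1.5 "
    "LEN=48 TTL=112 ID=7 DF PROTO=TCP SPT=3279 DPT=445 WINDOW=16384 SYN URGP=0",
    "Jan 12 10:04:02 laptop kernel: IN=eth0 OUT= SRC=203.0.113.40 DST=192.168.1.5 "
    "LEN=404 TTL=55 ID=0 PROTO=UDP SPT=1434 DPT=1434 LEN=384",
]


def _hex_addr(field: str) -> Tuple[str, int]:
    """Decode a 'HHHHHHHH:PPPP' field into (dotted IPv4, port).
    Assumption: little-endian host (x86), so the IPv4 bytes are reversed."""
    ip_hex, port_hex = field.split(":")
    octets = bytes.fromhex(ip_hex)[::-1]
    return ".".join(str(b) for b in octets), int(port_hex, 16)


def listening_sockets(proc_net_tcp: str) -> List[Tuple[str, int]]:
    """Return (bind_address, port) for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].rstrip(":").isdigit():
            continue  # header row or malformed line
        if int(fields[3], 16) == TCP_LISTEN:
            found.append(_hex_addr(fields[1]))
    return found


KV = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line: str) -> Dict[str, str]:
    """Extract the KEY=VALUE fields (SRC, DST, PROTO, DPT, ...) of a LOG entry."""
    return dict(KV.findall(line))


def classify(entry: Dict[str, str], listeners: List[Tuple[str, int]]) -> str:
    """Label a dropped packet by what would have answered it without a firewall."""
    if entry.get("PROTO") != "TCP":
        return NON_TCP
    dport = int(entry.get("DPT", "0"))
    for bind_ip, port in listeners:
        if port != dport:
            continue
        if bind_ip == "0.0.0.0" or bind_ip == entry.get("DST"):
            return LISTENER
        if bind_ip.startswith("127."):
            return LOOPBACK
    return NO_LISTENER


def summarize(proc_net_tcp: str, log_lines: List[str]) -> Dict[str, int]:
    """Count dropped packets per category."""
    listeners = listening_sockets(proc_net_tcp)
    counts: Dict[str, int] = {}
    for line in log_lines:
        label = classify(parse_log_line(line), listeners)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    listeners = listening_sockets(SAMPLE_PROC_NET_TCP)
    for line in SAMPLE_LOG_LINES:
        e = parse_log_line(line)
        print(f"{e['SRC']:>15} -> {e.get('PROTO')}/{e.get('DPT')}: {classify(e, listeners)}")
    print(summarize(SAMPLE_PROC_NET_TCP, SAMPLE_LOG_LINES))
```

Only the first category is a packet whose outcome the firewall changed; the other two show the point made earlier in the thread, that a port with no listener (or one bound to 127.0.0.1 only) rejects the connection on its own, so a log full of "blocked" entries says little about how exposed the machine actually was. On a real system, read the snapshot with `open("/proc/net/tcp").read()` and feed the kernel log lines through `parse_log_line`.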