Ubuntu and Firewalls

Why Ubuntu’s firewall is open by default

Please, please, please, if you don’t know what a port is (literally, not metaphorically, if you think it’s a “doorway to your computer” then you fall into this category) do not administer a Unix firewall.

The number of people I see carting around fallacies and idiotic mantras like “Ubuntu comes with its firewall locked down by default, so it’s nice and safe” and “always close every port you aren’t using!!!”

The simple fact of the matter is that firewalls are barely even necessary for a home user behind a NAT gateway.  But we’re going to discuss why it doesn’t matter even if you fall into the category of users who connect their computer directly to the internet (via cable modem or some such non-firewalling device).

A “port” is basically an area in memory on a computer that is reserved to allow programs to interact with the network in a sane way.

Think of it as more of a pigeon-hole than a “gateway”.  You put stuff into it (from the network) and the appropriate program, which has asked to be “bound” to the given port, takes stuff out of it and uses it in a sane way.

Before we had ports, only one service could run on a computer at once, otherwise the services wouldn’t know which packet was for which service.  Incidentally, that’s part of the history of why “www” prefixes pretty much every web address online, but that’s a whole other story.

So, we have these marvellous things called ports that allow services to interact with the network data that only that service wants.  In fact we have 65,535 of the little buggers.  So what happens if one of those 65,535 ports is “open”?  Well, nothing.  Nothing, that is, unless a service is running on the machine that wants to use that particular port.  So, unless you specifically tell the computer to run a service that will listen on that port, there’s no disadvantage to leaving it open.  There is, however, a disadvantage to closing it (which we’ll get to in a minute).
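Whether a port matters therefore comes down to whether anything is bound to it, and that can be listed directly. The following is an added example, not part of the original post: it parses the Linux /proc/net/tcp table and reports each listening TCP socket and whether it is bound to loopback only. The sample table is constructed, and the address decoding assumes a little-endian host (x86, most ARM).

```python
import ipaddress
import struct

LISTEN = "0A"  # state code for TCP_LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21001
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21002
   2: 0A00A8C0:C350 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 21003
"""


def decode(endpoint):
    """Turn 'HEXADDR:HEXPORT' into (IPv4Address, port); little-endian host assumed."""
    addr_hex, port_hex = endpoint.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return ipaddress.IPv4Address(packed), int(port_hex, 16)


def listeners(table):
    """Return sorted (address, port, reachable_from_network) for listening sockets."""
    found = []
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # established or closing connections are not services
        addr, port = decode(fields[1])
        found.append((str(addr), port, not addr.is_loopback))
    return sorted(found, key=lambda entry: entry[1])


def report(table):
    """Format one line per listener, flagging loopback-only binds."""
    lines = []
    for addr, port, exposed in listeners(table):
        scope = "reachable from the network" if exposed else "loopback only"
        lines.append(f"tcp/{port} bound to {addr}: {scope}")
    return lines


if __name__ == "__main__":
    # On a Linux host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    print("\n".join(report(SAMPLE)))
```

Any TCP port absent from this list has nothing bound to it, so the kernel answers connection attempts with a reset whether or not a firewall rule exists. IPv6 listeners live in /proc/net/tcp6, which this example does not parse.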

“Ah,” I hear you say, “but what if somebody else installs a service onto my machine which uses one of these ports to send all my keystrokes to the web?  Surely then, a firewall would have protected me?”  The answer is yes, but frankly you’re too stupid to be allowed to own a computer if that scenario ever occurs.  It also probably wouldn’t protect you from whatever the virus decides to do if it can’t get an active network connection which, knowing the way crackers tend to think, is probably “nuke the f* drive, b* won’t let me steal his data, I can at least destroy it!”  Firewalls do not stop people accessing your computer, they simply stop you using ports you probably want to use!  Which leads me nicely on to…

Why you probably don’t want to lock the firewall down yourself

Let’s say you’re clever enough to lock down the firewall yourself but (obviously) too stupid to realise that there’s probably a reason it’s not locked down when it’s shipped to you.  What’s the worst that could happen?

Well, let’s say you decide (at some point in the future) to download a software package that allows you to play multiplayer games online with all your Linux buddies.

Oh no!  You can’t open any connections!  Why not?  The software said it doesn’t need to be run as root, it doesn’t work even if you do run it as root, your friend is definitely running the software, you’ve forwarded all the necessary ports from your router (if applicable) but still no connection!  Is this software that’s been made by someone too thick to test it before they ship?  Or is something else afoot?

Well, it’s quite possible this software uses 2-way communication between you and The Internet.  You’ve locked down all your incoming ports (all the ones you weren’t using at the time, anyway) and so this new piece of software is going to be broken until you realise your mistake and open the port for it.

Even if you kept a written record of all the ports you’ve got locked and unlocked, even if you were the most conscientious firewall admin in the history of firewall admins, you can’t deny that it would’ve been simpler if you’d just let all the network traffic flow in the first instance.

So if firewalls are this useless, why do they even exist?

Firewalls are not there for extra security for the average Joe home user.  They’re there for specific networking equipment and devices that require an extra level of security and configurability.  Firewalls like iptables are used in NAT gateways to forward ports (yes, the firewall actually allows network traffic to flow where it otherwise wouldn’t).  They’re also used in servers to prevent users behind a subnet from sending data on certain protocols; maybe you don’t want any of your ISP customers to spam people, so you block port 25.  Maybe you don’t want anybody at the office to run a web server, so you block port 80.  Maybe you don’t want your employees surfing the web when they should be working, so you rather foolishly block outbound port 80.  These are trivial, pointless examples but they are the legitimate uses of firewalls.  Blanketing your computer in a shroud of “nobody can connect to my non-existent services! haha!” is idiotic at best and creates problems for yourself at worst.

If you don’t understand what a “port” is, don’t administer a firewall.

 

Caveat: Windows

Whilst the same is mostly true for Windows, the Windows Firewall comes locked down by default.  This is mostly because of the common misconception that causes people to think that Ubuntu’s is (that “locking down” a firewall improves your security) but it’s also partly to do with the fact that most Windows users very quickly download themselves viruses because they’re so braindead they don’t think “Frep0rn4liefnocreditc4rdn33dfromthai.exe” could possibly be a virus.  I mean, seriously.  Just, seriously.
