Ubuntu and Firewalls

Why Ubuntu’s firewall is open by default

Please, please, please, if you don’t know what a port is (literally, not metaphorically, if you think it’s a “doorway to your computer” then you fall into this category) do not administer a Unix firewall.

The number of people I see carting around fallacies and idiotic mantras like “Ubuntu comes with its firewall locked down by default, so it’s nice and safe” and “always close every port you aren’t using!!!”

The simple fact of the matter is that firewalls are barely even necessary for a home user behind a NAT gateway.  But we’re going to discuss why it doesn’t matter even if you fall into the category of users who connect their computer directly to the internet (via cable modem or some such non-firewalling device).

A “port” is basically a numbered endpoint that the operating system reserves so that programs can interact with the network in a sane way.

Think of it as more of a pigeon-hole than a “gateway”.  You put stuff into it (from the network) and the appropriate program, which has asked to be “bound” to the given port, takes stuff out of it and uses it in a sane way.

Before we had ports, only one service could run on a computer at once, otherwise the services wouldn’t know which packet was for which service.  Incidentally, that’s part of the history of why “www” prefixes pretty much every web address online, but that’s a whole other story.

So, we have these marvellous things called ports that allow services to interact with the network data that only that service wants.  In fact we have 65,535 of the little buggers.  So what happens if one of those 65,535 ports is “open”?  Well, nothing.  Nothing, that is, unless a service is running on the machine that wants to use that particular port.  So, unless you specifically tell the computer to run a service that will listen on that port, there’s no disadvantage to leaving it open.  There is, however, a disadvantage to closing it (which we’ll get to in a minute).
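The pigeon-hole point above, as an added example that is not from the original post: this Python script binds a throwaway service on a loopback port the kernel picks, probes it, releases it and probes it again.  The function names `probe`, `listener` and `demo` are my own; the "filtered" branch is what a DROP rule would produce and is not exercised here.

```python
import socket
from contextlib import contextmanager

# Added example, not code from the original post.  A port only "does"
# anything once a program has bound to it: an unbound port answers a
# connection attempt with an immediate RST (connection refused), a bound
# one completes the TCP handshake, and a port behind a firewall DROP rule
# answers with silence (the probe times out).


def probe(host, port, timeout=1.0):
    """Classify a TCP port as 'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"          # a bound service completed the handshake
    except ConnectionRefusedError:
        return "closed"        # nothing bound: the kernel sent RST
    except socket.timeout:
        return "filtered"      # no answer at all: typical of a DROP rule
    finally:
        s.close()


@contextmanager
def listener(host="127.0.0.1"):
    """Bind a throwaway TCP service and yield the port the kernel chose."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))        # port 0 asks the kernel for any free port
    srv.listen(1)              # the kernel now completes handshakes for us
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()            # unbind: the port goes back to doing nothing


def demo():
    """Probe the same port while a service is bound to it and after."""
    with listener() as port:
        while_bound = probe("127.0.0.1", port)
    after_close = probe("127.0.0.1", port)
    return while_bound, after_close


if __name__ == "__main__":
    print(demo())              # ('open', 'closed')
```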

“Ah,” I hear you say, “but what if somebody else installs a service onto my machine which uses one of these ports to send all my keystrokes to the web?  Surely then, a Firewall would have protected me?”.  The answer is yes, but frankly you’re too stupid to be allowed to own a computer if that scenario ever occurs.  It also probably wouldn’t protect you from whatever the virus decides to do if it can’t get an active network connection which, knowing the way crackers tend to think, is probably “nuke the f* drive, b* won’t let me steal his data, I can at least destroy it!”  Firewalls do not stop people accessing your computer, they simply stop you using ports you probably want to use!  Which leads me nicely on to…

Why you probably don’t want to lock the firewall down yourself

Let’s say you’re clever enough to lock down the firewall yourself but (obviously) too stupid to realise that there’s probably a reason it’s not locked down when it’s shipped to you.  What’s the worst that could happen?

Well, let’s say you decide (at some point in the future) to download a software package that allows you to play multiplayer games online with all your linux buddies.

Oh no!  You can’t open any connections!  Why not?  The software said it doesn’t need to be run as root, it doesn’t work even if you do run it as root, your friend is definitely running the software, you’ve forwarded all the necessary ports from your router (if applicable) but still no connection!  Is this software that’s been made by someone too thick to test it before they ship?  Or is something else afoot?

Well, it’s quite possible this software uses two-way communication between you and The Internet.  You’ve locked down all your incoming ports (all the ones you weren’t using at the time, anyway) and so this new piece of software is going to be broken until you realise your mistake and open the port for it.

Even if you kept a written record of all the ports you’ve got locked and unlocked, even if you were the most conscientious firewall admin in the history of firewall admins, you can’t deny that it would’ve been simpler if you’d just let all the network traffic flow in the first instance.

So if firewalls are this useless, why do they even exist?

Firewalls are not there for extra security for average joe home user.  They’re there for specific networking equipment and devices that require an extra level of security and configurability.  Firewalls like iptables are used in NAT gateways to forward ports (yes, the firewall actually allows network traffic to flow where it otherwise wouldn’t).  They’re also used in servers to stop users behind a subnet sending data on certain protocols; maybe you don’t want any of your ISP customers to spam people, so you block port 25.  Maybe you don’t want anybody at the office to run a web server, so you block port 80.  Maybe you don’t want your employees surfing the web when they should be working, so you rather foolishly block outbound port 80.  These are trivial, pointless examples but they are the legitimate uses of firewalls.  Blanketing your computer in a shroud of “nobody can connect to my non-existent services! haha!” is idiotic at best and creates problems for yourself at worst.

If you don’t understand what a “port” is, don’t administer a firewall.


Caveat: Windows

Whilst the same is mostly true for Windows, the Windows Firewall comes locked down by default.  This is mostly because of the common misconception that causes people to think that Ubuntu’s is (that “locking down” a firewall improves your security) but it’s also partly to do with the fact that most Windows users very quickly download themselves viruses because they’re so braindead they don’t think “Frep0rn4liefnocreditc4rdn33dfromthai.exe” could possibly be a virus.  I mean, seriously.  Just, seriously.


Change of scenery and new blog title

I will now be posting to linuxwizard.wordpress.com rather than c.pemcjd.me.uk.  c.pemcjd.me.uk will probably die soon, to be replaced with a new domain name, so I thought I’d switch to wordpress.com for domain continuity apart from anything.

Another reason for this change is to become more of a tech blog and less of a personal blog.  Also, because wordpress.com updates itself and provides a bunch of features not available to the downloaded version of wordpress I was using previously.  It’s also free.

And I love the SAAS model.

And it reduces the load on my server (lol, as if).

And stuff.


Have fun hacking!

Responses to Open Letter

These are the responses from the three candidates to the open letter I sent last night.  First the conservative, who deigned to visit upon my inbox all manner of HTML goodness (that’s sarcasm, I hate HTML formatted emails):

Dear Mr Browne
Thank you for your email. I’m afraid I’m not too well up with IT! However, I regret the fact that this Bill was rushed through the Commons with little time for us to scrutinise and debate it. I therefore hope that we can return to this matter after the election and look forward to doing so. But for now, thank you for letting me have your views.
Best wishes,
Laurence Robertson
The Conservative Party Candidate

The Green Party response was sent in a plaintext email (thankfully!):

Dear Christopher

Thank you for bringing these issues to my attention.

I am pleased to say that the Green Party propose laws that diminish, not
increase, copyright and intellectual property rights.

I agree with you that the powers brought in by the Digital Economy Act
represent an infringement of civil liberties, and I would oppose use of
these powers for that reason.

Of course, whilst criminals and abusers profit from cyberspace, measures
must be taken to protect the rest of us from their malicious use of it.
Achieving a balance between civil liberty and civil security is always
difficult, and I must confess that I am no expert on the matter. All I feel
prepared to say on this is that we should always be on guard against
'mission creep' in security measures, and be vigilant in safeguarding our
civil liberties.

Were I elected I would join with others to vigorously oppose powers that
remove people from internet use in response to copyright violation. I feel
that this sets an alarming precedent.

Yours sincerely

Matthew Sidford

Finally, here is the response from Alistair Cameron, the Liberal Democrat candidate (multipart/alternative mime type):

Dear Mr Browne,

Thank you for contacting me about the Digital Economy Act and a number of related issues.

We have been highly critical about the so called “wash-up” process which has enabled this Act to pass with limited Parliamentary scrutiny before the General Election. The “wash-up” of the Digital Economy Bill was essentially a carve up between the Labour and Conservative parties that ignored Liberal Democrat arguments to consult more widely before introducing a measure to introduce web-blocking for copyright infringement. Liberal Democrats voted against the Bill at 3rd Reading in the House of Commons and against the Labour and Conservatives’ web-blocking amendment in both the Lords and the Commons.

Liberal Democrats remain to be convinced about the necessity for technical measures, which could include disconnection from the internet. Liberal Democrats were successful in getting the Government to agree to a period of at least a year in which no technical measures can be considered and then to undertake a process of rigorous analysis and consultation into the need for any such measures. We also believe that the music, film and other content industries must work more urgently to develop easy and affordable ways for people to legally access their products.

The recent Liberal Democrat conference in March voted to establish a party working group to look into further detail about the issues raised by the Act.

You raised a number of related questions about the internet, cyber crime and cyber terrorism. I will need more time to get back to you with a considered response to these questions.

Thank you again for taking the time to contact me.

Yours sincerely

Alistair Cameron

Liberal Democrat Parliamentary Candidate

I’ll let you decide for yourself which is your favourite response.

The open letter is released under the same license as this entire blog (Creative Commons Share and Share Alike Attribution Non-commercial license).  The responses hold views that belong to the indicated parliamentary candidates; I accept no responsibility nor liability for their views.  On request from the owner or a person legally representing him/her, I will remove a response.  I have not edited and will not edit any of the responses for any reason whatsoever.

Transcript from Dell Sales

I contacted Dell Sales about Free Software.  This is the transcript:

17:51:04     Chris Browne
Initial Question/Comment: What kind of options do you offer for Free Software enthusiasts?
17:51:19     System
You are now being connected to an agent. Thank you for using Dell Chat
17:51:19     System
Connected with rayees_fatima
17:51:29     rayees_fatima
Thank you for contacting Dell Sales Chat. This is Rayees Fatima, your Online Sales Advisor. Please give me a moment while I review your query. In order to serve you better, may I have your telephone number & email address, Just in case of disconnection I can either call you or email you back.
17:51:59     rayees_fatima
Would you be interested in buying a Desktop/Laptop Computer?
17:52:17     Chris Browne
Yes, with Free Software installed.
17:53:13     Chris Browne
(ie not Microsoft Windows but a Free alternative)
17:56:14     rayees_fatima
I am afraid that’s not possible to offer any alternative
17:56:23     Chris Browne
Why not?
17:57:14     rayees_fatima
May I know the E Value Code? Which is either above the price or below the price?
17:57:44     Chris Browne
I’m sorry, I cannot decipher that message.
17:58:29     rayees_fatima
17:59:26     Chris Browne
Why can’t I choose a Free alternative to Microsoft Windows?
18:00:24     rayees_fatima
That’s not possible…
18:00:44     Chris Browne
I know, you’ve told me already. I’m asking why it is not possible.
18:01:44     rayees_fatima
Would that be fine if I call you back in 20 to 30 minutes, with the information…
18:02:06     Chris Browne
You could email me, chris@pemcjd.me.uk with the information, I would be happy for that.
18:02:44     rayees_fatima
18:02:54     Chris Browne
Thank you very much for your time.
18:03:14     rayees_fatima
Thank you for contacting Dell Sales Chat and allowing me the opportunity to assist you. Have a wonderful Day.
18:03:19     System
rayees_fatima has left this session!
18:03:19     System
The session has ended!
18:05:41     System
The session has ended!

Here is the email (s)he sent me: Yup, 2 hours later and still no email.  I’m assuming (s)he’s given up searching google for “why Dell is crap?”.