216: Firewalls On Linux & Google's Change Of Heart On Tracking?

3 Likes

I enjoyed the focus on firewalls and Noah’s detailed recommendation not to enable anything for web-facing until you know what you’re doing.

I also very much agree with Jill’s assessment that Google’s claim they’re done tracking simply means they’ve found a more invasive way to spy, without having to tell you about it.

More security/privacy chats, please!!

3 Likes

I second that!

1 Like

Good show today. I wanted to chip in to say that ufw is disabled by default on Ubuntu. See https://ubuntu.com/server/docs/security-firewall). The hosts seemed to think that Ubuntu had a firewall turned on unlike debian. I think the vast majority of Linux users won’t have a firewall turned on by default. (the docs I linked to are for Ubuntu server, but I’m 98% sure the same applies to the desktop).

I’m also of the opinion that it doesn’t matter all that much for a typical desktop use case. These users don’t tend to run listening services like SSH or NFS. And if they do, then they will want the firewall to allow traffic. A firewall could allow a user to be more granular regarding who is able to connect, but if a user knows to configure this then they could easily enable UFW. I find firewalls to be great in between network segments, but its easy to overstate the importance of a host-based firewall.

That said, I do think that turning on the firewall by default would be the right call for ubuntu.

One more opinion: iptables is just as easy as ufw once you go beyond the most basic commands. For example, here is how I’d block my machine from talking to comcast’s DNS servers using ufw and iptables:

ufw deny out to 75.75.75.0/24 port 53 proto udp
iptables -A OUTPUT -p udp -d 75.75.75.0/24 --dport 53 -j DROP
# (or with long options) 
iptables --append OUTPUT --protocol udp --destination 75.75.75.0/24 --dport 53 --jump DROP

Both commands take the same information. I struggle with ufw because I’ve found that the order of the words can be important. Whereas with iptables you can shuffle the options around as you please. Maybe it’s a stretch to say that iptables is just as easy but I really think its a close call. Plus its more powerfull. I’ve never tried a graphical UFW frontend though, maybe that would change my mind.

Thanks for the show and for putting up with my unsolicited opinions!

2 Likes

First, big welcome to the forum. Love to see an iptables fan here. I started with iptables on Debian and it was a lot of fun though a little cumbersome. :stuck_out_tongue:

Commands have to be repeated twice using iptables and ip6tables to apply rules to both IPv4 and IPv6.

Commands aren’t persistent so you need a package to handle that if you’re not rolling your own startup solution:

sudo apt install iptables-persistent
sudo systemctl enable netfilter-persistent.service

Then whenever you make changes you need to run:

sudo iptables-save > /etc/iptables/rules.v4
sudo ip6tables-save > /etc/iptables/rules.v6

I also ran into a problem with virt-manager because it’d dynamically add a bunch of iptables rules after boot so if I changed the iptables and saved them it’d include virt-manager’s dynamically added rules making them either duplicates or zombie rules on future reboots. To do edits I ended up having to disconnect the network, then run

sudo iptables --flush && sudo ip6tables --flush

Then add all my rules back in including my edits, then save and restart.

I could have produced something a bit more elegant had I stuck with it but that’s how firewalld/ufw finally won me over.

Thanks everyone for another interesting and entertaining show :slight_smile:

As a Debian user I was a bit surprised too when I first learned not default firewall installed. Thanks for the reminder - need to switch it on after installation as well(!)

Sorry to say, but I don’t trust Big Tech enough to believe them when it comes to privacy. I hope they’re being upfront but I doubt it. I’d rather not take the risk myself.

When I was back at college anything that was networked was very likely to be using Unix (it was about the same time Linus was at college too) and Windows/DOS machines struggled to even access memory outside the basic 640K memory range, if I remember correctly, though I dread to think back… Yes, seeing the Crays “for-real” as it were, sounds pretty exciting!

Zero-AD looks good - and the zero budget requirement suits my pocket too for now - ah well, lots of projects to donate to when able!

Great points about commands having to be repeated and about the difficulties saving! I’m actually surprised I never got hit by the issue where dynamically added rules get saved.

I’ve never installed iptables-persistent before. On my distro rules persist across reboots just by running iptables-save and enabling iptables.service. iptables.service just runs /usr/bin/iptables-restore /etc/iptables/iptables.rules when it starts. I wonder what iptables-persistent is doing under the hood.

I need to get into firewalls more. I just do the basic stuff with ufw like blocking all incoming connections apart from specific applications.

@dasgeek might be a cool video idea, a quick intro to setting up firewalls on Linux. Maybe one for firewalld, explaining zones and such, since that is what you’re using :yum:

1 Like