Re: Blasted Suse Firewall

From: AT (notme_at_example.com)
Date: 01/16/05


Date: Sun, 16 Jan 2005 19:43:41 +0100

On Sun, 16 Jan 2005 04:13:53 +0000, Paul J Gans wrote:

> AT <notme@example.com> wrote:
>>Thing is, the linux machine is working correctly. It defaults to secure
>>settings, forcing the admin to explicitly allow (possibly malicious)
>>things to happen. And let's face it, even if you just want to be a user,
>>when you install a modern multipurpose OS like Linux or that other one,
>>you are an admin, whether you like it or not. Especially so if you provide
>>services on a network like the OP does.
>
> Sure. It is true of Windows as well, but folks mainly
> ignore it. I'm not for Windowizing Linux, but I think
> that many folks need more guidance than is easily available.
>
> For 9.2, the two guides are fairly good, but a number of
> issues, including much security stuff, is not well covered.

I completely agree.
 
>>> Put another way, of what use is a perfectly protected machine
>>> that will not do what you want it to do?
>
>>I would rephrase that: Of what use is a perfectly open, but rooted
>>machine that will not do what you want it to do?
>
> Neither is any good, which is the problem. Security is inseparable
> from operation.

Yup.
 
>>> The problem is that some updates and fixes "break" the firewall
>>> one way or another. Perhaps what is needed is a user interface
>>> that not only allows you to turn things on and off, but which
>>> actually tells you what *is* turned on and off by looking at
>>> the rules.
>
>>Errrm, that's what 'iptables-save', 'iptables -L' and your configuration
>>scripts (namely: /etc/sysconfig/SuSEfirewall2) will tell you.
>
> Yes, they will tell me that. But they won't tell a newbie
> that. He has no notion that they are there or that they
> can tell him anything. And there is nothing that tells him
> that these can be important.
>
> Don't you see that what is obvious for anybody who has been
> running linux since version 0.92 is NOT obvious for a newbie
> who has just come over from Windows?

This is very true.
 
>>> I do not believe that Yast does this. It simply remembers what
>>> you've turned on and off and repeats this information to you,
>>> even if a security fix has changed the firewall rules.
>
>>I don't know, I haven't been very impressed with SuSEfirewall2
>>either, but the thing is, that networked security is a complex topic for
>>the novice and he or she should be aware of these issues when connecting
>>to an untrusted network, such as the Internet. Choosing secure defaults
>>should be common practice.
>
> Sure. But how is Mr. Newbie going to do that?
>
> No, I'm not blaming SuSE. My point is that we need a *lot*
> more study on this. We need YAST, for example, to show choices
> with really decent explanation of what each does.
>
> The statement that one should "turn off unneeded services"
> is useless for Mr. Newbie.

Why is this so, and if it is so, how do you suppose to change it?

Basically we have to choose:

1. Everything is open and all services (that a potential user wants to
run) are running at first boot.
2. The other extreme: The machine is locked down and nothing is running.
3. Some more or less sensible setting, somewhere in between with a notice
to read the relevant documentation, especially on security issues.

Neither 1 nor 2 are good choices for a newbie, but is 3 (though I have to
admit that I would choose 1 every time)? You could argue that what SuSE
provides falls somewhere in the last category, but since (IT) security is
a very complex topic, it can't really be explained in a language that the
average newbie will understand within the first 15 minutes of reading the
docs.

It seems that most of the distros fall in the last section and are still
in the process of figuring out what is reasonable. I agree though, that
changing firewall settings during an upgrade is not welcomed and I haven't
experienced this kind of behaviour yet. But then again, I am behind a
router and I have read the netfilter/iptables documentation and like I
said, I don't really like SuSEfirewall2 anyway.

Look at many questions asked here: The average newbie is trying to
understand how to install software or how to work with the CLI. I don't
think that either running services or firewall configuration are Linux 101.
 
>>BTW, SuSE does send you mail when you update their firewall IIRC. Now if
>>you never look at your local mail...
>
> Please understand that I am not a newbie. Far from it. I
> don't know everything, but I know where to look and I know
> that eventually I can ask here and get good answers.

I am neither, but far too often I feel like one ;-)

My main point is, unless one has understood the basics of any computer
system, he or she shouldn't run any services on a machine connected to an
untrusted network, that includes SMB for file and printer sharing.

IMHO, it is good that a firewall blocks almost everything after
installation and you have to make a conscious decision to allow a certain
service to be accessed. But before you can do that, you have to know a
little bit about TCP/IP networking and Linux interfaces. Someone with
experience in Windows administration already has that knowledge, but the
average home user doesn't. He might just wonder where all his documents
went or what a file like "Kiddie Nazis Gone Wild-XXX.avi" is doing on his
unprotected box.

If said newbie wants to test services and provide them to his LAN, do it
behind a router, maybe an old box running IPCop. Of course, you won't find
this advice in the SuSE guides, but many already have a broadband router
anyway.

> What I am doing is looking at SuSE (because that's what I have, not
> because it is a bad distro) and trying to figure out what Mr. Newbie
> would do if he had to face it.
>
> You can see this in the numerous newbie posts here. And if you look at
> the snippy answers that they get.

Many snippy answers have more to do with the assumption on behalf of the
newbies that (more experienced) users come here to solve their problems,
instead of helping them solve their problems themselves. But I would say
that the general tone is friendlier here than in many other NGs.

> I would *love* to see linux take over the desktop. To do that Mr.
> Newbie has to have a fighting chance.

I don't really care whether Linux ever takes over the desktop and I would
say that a newbie has a very decent chance, now more than ever before. I
started out as a desktop newbie (coming from Win) and had to cope with the
weirdness of it all. With dedication and time I managed quite well me
thinks. Both are still necessary for every complex machinery, don't you
think?

Cheers
Andreas
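Added example, written for this page rather than taken from either poster or from SuSE: a small shell script that answers the question raised in the thread (what *is* actually turned on, by looking at the rules) from the same `iptables-save` output mentioned above. The ruleset it parses is constructed inline, not captured from a real host; the chain name `custom` and the helper function names are this example's own. It interprets only rules appended directly to INPUT that name a single `--dport`, and it lists jumps into other chains separately so those can be inspected by hand instead of being silently skipped.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posts or from SuSE.
# Turns `iptables-save` output into a short answer to: which ports does the
# INPUT chain let through, and what happens to everything else?

# Constructed sample in iptables-save format; not captured from a real host.
# The chain name "custom" is made up for this example.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -j custom
COMMIT'

# input_policy RULESET: print the default policy of the INPUT chain, i.e.
# what happens to a packet that no rule matched (DROP = closed by default).
input_policy() {
    printf '%s\n' "$1" | awk '$1 == ":INPUT" { print $2 }'
}

# accepted_ports RULESET: print "proto/port" for every rule appended directly
# to INPUT that ends in ACCEPT and names a single --dport. Multiport lists and
# port ranges are outside what this example parses (an assumption kept simple
# on purpose), so they would not show up here.
accepted_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; port = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") port   = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (target == "ACCEPT" && port != "") print proto "/" port
        }'
}

# custom_chain_jumps RULESET: print the names of user-defined chains that
# INPUT hands traffic to. Those chains may ACCEPT further ports, so they must
# be read too; this script only reports that they exist.
custom_chain_jumps() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" {
            target = ""
            for (i = 3; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            if (target != "" && target !~ /^(ACCEPT|DROP|REJECT|LOG|RETURN)$/)
                print target
        }'
}

# report RULESET: human-readable summary of the three questions above.
report() {
    echo "INPUT default policy: $(input_policy "$1")"
    echo "Ports explicitly accepted on INPUT:"
    accepted_ports "$1" | sed 's/^/  /'
    jumps=$(custom_chain_jumps "$1")
    if [ -n "$jumps" ]; then
        echo "INPUT also hands traffic to these chains (read them as well):"
        printf '%s\n' "$jumps" | sed 's/^/  /'
    fi
}

# Run over the constructed sample. On the box itself, as root, the live
# picture is:  report "$(iptables-save)"
report "$SAMPLE_RULES"
```

Pairing the report with the list of listening sockets (`netstat -tlnp` as root) shows which of the accepted ports actually have a service behind them; that is the conscious allow-or-not decision the post argues a user has to make before exposing anything to an untrusted network.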


