[lug] Why Do I Need a Firewall?

Bill Thoen bthoen at gisnet.com
Thu Oct 4 07:02:46 MDT 2007


Thanks... This is convincing. I guess it's like a ship; as long as the hull
isn't punctured, there's no need for watertight compartments. But if you
spring a leak, a second level of defense can make all the difference
whether you later sail into port or sleep with the fishes.

I'm going to keep my firewall and probably add some rules to the OUTPUT
chain too.

- Bill Thoen

On Wed, Oct 03, 2007 at 07:49:12PM -0600, Ben Whaley wrote:
> Here's a scenario in which iptables will help.
> 
> Imagine you have a web application running that accepts file uploads
> and executes system commands (phpMyAdmin does this, for example). This
> particular app is bad at doing input validation and has a number of
> vulnerabilities. Bad Guy uploads his remote shell program, then
> convinces the app to start the remote shell. The remote shell has to
> listen on some port other than those already in use (80,443,21,22 in
> your case). If iptables is set up properly, the port that Bad Guy's
> shell is listening on (say 9000) won't be accessible. The web server
> is running as an unprivileged user so it can't make changes to the
> firewall config to allow him access to the port.
> 
> Certainly the insecure web application introduces myriad other ways to
> abuse the system, but just for discussion this is one place where
> iptables comes in handy.
> 
> - Ben
> 
> On 10/3/07, Rob Nagler <nagler at bivio.biz> wrote:
> > Bill Thoen writes:
> > > simple setup, why do I need a firewall and what should I set it to filter?
> >
> > Security is always difficult to assess with so little information.  My
> > thinking is: iptables is trivial to set up, and the cost of an attack
> > is very expensive.  The likelihood of a successful attack is extremely
> > low, but iptables lowers it even more, probably to an epsilon where
> > you don't need other measures, such as auditing and (shudders)
> > SELinux. :-)
> >
> > Rob
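A ruleset in the spirit of Ben's scenario and Bill's plan to add OUTPUT rules, as an added example that is not part of this thread: it assumes the web server runs as the unprivileged user www-data, that the public services are the 22/80/443/21 Bill mentioned, and that the only outbound traffic the web user legitimately needs is DNS. Inbound default-deny makes a planted listener on 9000 unreachable; the owner-match OUTPUT rules also stop the same shell from calling out, and the web user cannot change either because loading rules needs root.

```shell
#!/bin/sh
# Assumed values (not from the thread); override via the environment.
WEB_USER="${WEB_USER:-www-data}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 80 443 21}"

# Print a ruleset in iptables-restore format.
firewall_rules() {
    printf '%s\n' '*filter'
    # Default policies: nothing in, nothing out unless a rule allows it.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Only the services we actually run may receive new connections;
    # a shell listening on 9000 never matches and is dropped.
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Web user egress: DNS only. Any other new outbound connection from a
    # process running as www-data is logged, then dropped.
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $WEB_USER -p udp --dport 53 -j ACCEPT"
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $WEB_USER -m conntrack --ctstate NEW -j LOG --log-prefix \"WEBUSER-EGRESS: \""
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $WEB_USER -j DROP"
    # Everyone else (root, admin accounts) may open new outbound connections.
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Number of INPUT rules that accept new TCP connections to a given port;
# 0 means a listener on that port is unreachable from outside.
input_rules_for_port() {
    firewall_rules | grep -c -- "-A INPUT -p tcp --dport $1 " || true
}

# Load the rules only when explicitly asked (needs root and iptables-restore);
# otherwise just print them for review.
if [ "${1:-}" = "apply" ]; then
    firewall_rules | iptables-restore
else
    firewall_rules
fi
```

Review the printed output first, then run the script with `apply` as root; the log prefix makes unexpected egress attempts by the web user easy to spot in the kernel log.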