# do i need a firewall ?

## arnuld

i am using Gentoo amd64 on my home computer. i just learn programming on it, watch Bruce Lee's movies, listen to some songs and of course use the net. i use an ADSL Modem to connect to internet. do i need a firewall/iptables ?

----------

## Errtu

You only need a firewall if:

- you have an application running, listening at or communicating with a (tcp/udp) port

- you have the computer connected to an internal lan, with multiple clients

- you want to be semi-protected against a DoS (flood; unable to browse)

So if you'd ask me, i would install a firewall.

----------

## papal_authority

Do you have any network services running? Maybe try an nmap and see what you have running.

----------

## Errtu

netstat will do the same and saves an emerge  :Smile: 

----------

## papal_authority

 *Errtu wrote:*   

> netstat will do the same and saves an emerge 

 

Good call  :Wink: 

----------

## arnuld

 *papal_authority wrote:*   

> Do you have any network services running? Maybe try an nmap and see what you have running.

 

this is from "netstat":

```
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.0.2:52506       td-in-f103.google.:http ESTABLISHED 
tcp        0      0 192.168.0.2:38480       dove.gentoo.osuosl:http ESTABLISHED 
tcp        0      0 192.168.0.2:44227       po-in-f95.google.c:http ESTABLISHED 
tcp        0      0 192.168.0.2:47781       hk-in-f104.google.:http ESTABLISHED 
tcp        0      0 192.168.0.2:47782       hk-in-f104.google.:http ESTABLISHED 
tcp        0      0 192.168.0.2:47783       hk-in-f104.google.:http ESTABLISHED 
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    2856   @/org/kernel/udev/udevd
unix  3      [ ]         STREAM     CONNECTED     11236  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     11235  
unix  3      [ ]         STREAM     CONNECTED     11056  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     11055  
unix  3      [ ]         STREAM     CONNECTED     10973  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     10972  
unix  3      [ ]         STREAM     CONNECTED     10971  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     10906  
```

but i do not understand how this output will help me in knowing whether i need a firewall ?

----------

## papal_authority

You want to check if you have any services listening on your external IP. Something like:

```
netstat --listening --protocol=inet YOUR_IP_ADDRESS
```

For instance I have NFS, POP3, SMTP, IPP and NTP as my box serves my room mate's machines.
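One way to automate that check, as an added example that is not from the thread: a POSIX shell function that reads `netstat --listening --protocol=inet` output on stdin and reports only the listeners bound to something other than the loopback address. A `*` or `0.0.0.0` local address means every interface, the ADSL side included, so those are the sockets a firewall rule or `-nolisten tcp` has to cover. The sample output is constructed to resemble the thread's `*:X11` line plus two contrasting entries.

```shell
#!/bin/sh
# Report listening TCP/UDP sockets that are reachable from outside the box,
# i.e. bound to something other than loopback.  Feed it the output of
# `netstat --listening --protocol=inet` on stdin; it prints "proto host port"
# per exposed listener and nothing when the box is quiet.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            addr = $4                    # Local Address column, e.g. *:X11
            n = split(addr, parts, ":")
            port = parts[n]
            # everything before the last ":" is the bind address (handles ::1)
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # loopback-only binds are not reachable from the network
            if (host == "127.0.0.1" || host == "localhost" || host == "::1") next
            print $1, host, port
        }'
}

# Constructed sample: the X11 listener seen in this thread, a loopback-only
# CUPS (ipp) listener, a wildcard sshd, and a loopback-only ntp socket.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:X11                   *:*                     LISTEN
tcp        0      0 127.0.0.1:ipp           *:*                     LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
udp        0      0 localhost:ntp           *:*'

# Runs the check over the constructed sample; only X11 and ssh should show up.
run_sample() {
    printf '%s\n' "$SAMPLE" | exposed_listeners
}
```

On a live box run `netstat --listening --protocol=inet | exposed_listeners` instead of `run_sample`; an empty result means nothing is waiting for connections from the outside.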

----------

## arnuld

 *papal_authority wrote:*   

> You want to check if you have any services listening on your external IP. Something like:
> 
> ```
> netstat --listening --protocol=inet YOUR_IP_ADDRESS
> ```
> ...

 

`netstat --listening --protocol=inet 192.168.0.2`:

```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:X11                   *:*                     LISTEN
```

----------

## Errtu

So, it looks like you're only running an X server, which you can protect by changing your config file to deny access to anyone except localhost. IIRC you start X with -nolisten tcp  ... but i'd suggest doing a search for it, as i'm not totally sure.

You only want X to listen if you're using it to connect from another machine to it. Else, just disable it.

----------

## arnuld

 *Errtu wrote:*   

> So, it looks like you're only running an X server, which you can protect by changing your config file to deny access to anyone except localhost. 

 

my machine's name is "gentoo.planet". so you want me to deny access to everyone except "gentoo.planet"?

 *Errtu wrote:*   

> 
> 
> IIRC you start X with -nolisten tcp  ... but i'd suggest doing a search for it, as i'm not totally sure. 

 

NO...i just use "startx"

 *Errtu wrote:*   

> 
> 
> You only want X to listen if you're using it to connect from another machine to it. Else, just disable it.

 

i use my machine to connect to internet using ADSL Modem (broadband). this is the only one computer i have and it is my home PC. BTW, what you said above did not make any sense to me as i did not understand that :-\

----------

## Errtu

Hi again  :Smile: 

 *arnuld wrote:*   

> my machine's name is "gentoo.planet". so you want me to deny access to everyone except "gentoo.planet"?

 

yes

 *Quote:*   

>  *Errtu wrote:*   
> 
> IIRC you start X with -nolisten tcp  ... but i'd suggest doing a search for it, as i'm not totally sure.  
> 
> NO...i just use "startx"

 

By that, i meant "in order to make this work, you will need to start X with -nolisten tcp"

 *Quote:*   

>  *Errtu wrote:*   
> 
> You only want X to listen if you're using it to connect from another machine to it. Else, just disable it. 
> 
> i use my machine to connect to internet using ADSL Modem (broadband). this is the only one computer i have and it is my home PC. BTW, what you said above did not make any sense to me as i did not understand that :-\

 

Good. If it doesn't make sense it means you don't use it. In a nutshell it means that you can use your PC to have other computers connecting to it and have the nice graphical interface you're using. Other pc's can make a connection to your computer, log into X and have their desktop/settings. 

Anyway, to accomplish this (blocking other users, except yourself) edit  /usr/X11R6/bin/startx and add/modify this line:

```
defaultserverargs="-nolisten tcp"
```

Then you will want to protect your startx file, so that with a new X emerge things don't get overwritten. Do this by editing /etc/make.conf and add/modify the following line:

```
CONFIG_PROTECT_MASK="/usr/X11R6/bin/startx"
```

Restart X and check with `netstat` again to see if nothing is listening anymore.

----------

## arnuld

 *Errtu wrote:*   

> Hi again  :Smile: 

hai  :Wink: 

 *Quote:*   

> 
> 
> Anyway, to accomplish this (blocking other users, except yourself) edit  /usr/X11R6/bin/startx and add/modify this line:
> 
> ```
> ...

 

2 questions:

1.) will other users be able to log in if i do that. e.g. i have "arnuld" as me and 2 more users of this machine ? (i guess YES but i am not sure. i can not test as i do not have Gentoo right now and planning to install it, sorry i lied that i have Gentoo  :Wink: , i had it earlier)

2.) will it give me the benefits/protection a firewall gives ?

3.) i don't always work in X, 30-40% of the times i use "C-M-F3", pure command-line. will that option save me from anyone accessing my box when i am not using X ?

----------

## Errtu

 *arnuld wrote:*   

> 2 questions:

 

two?  :Very Happy:   i know i'm not a mathematician, but this looks like three to me  :Razz: 

 *Quote:*   

> 1.) will other users be able to log in if i do that. e.g. i have "arnuld" as me and 2 more users of this machine ? (i guess YES but i am not sure. i can not test as i do not have Gentoo right now and planning to install it, sorry i lied that i have Gentoo , i had it earlier)

 

Tsk tsk  :Razz:    Anyway, the answer is yes. The restriction is only for users connecting from another machine/ip to your machine.

 *Quote:*   

> 2.) will it give me the benefits/protection a firewall gives ?

 

No. This will only protect access to your X server. If at some point in the future you have an application that opens another port, this will be unprotected. It's really not much trouble to install/configure a firewall and will save you worries in the future.

 *Quote:*   

> 3.) i don't always work in X, 30-40% of the times i use "C-M-F3", pure command-line. will that option save me from anyone accessing my box when i am not using X ?

 

I just assume that by not using it, you also mean not running X. If so, the port won't be open and nobody will be able to connect to it. This is without the 'nolisten' option. Now, if you have the X server always running, and you do use the nolisten option, nobody will be able to connect to it since there's no port listening on your machine to which clients can connect.

----------

## Errtu

Even if you don't have Gentoo, you still have the startx script. Find out where it is

```
which startx
```

and enter the defaultserverargs="-nolisten tcp" line there. You could also do

```
startx -nolisten tcp
```

to get the same result.

----------

## batistuta

something that is not clear to me: does your ADSL modem perform NAT? If so, you might already have a firewall in your modem/router. I can't think of many ISPs that would give you a standalone modem. Most modems perform NAT, WAP, and of course, provide a firewall. If you already have a decent firewall in your modem and you trust 100% your local LAN, then a firewall might not be needed. On the other hand, it doesn't hurt much. If your machine is not too old, the extra load will probably be unnoticeable. 

For starters, Iptables can be easily configured with GUIs like firestarter.

----------

## Errtu

Just to compare, i have a p1-233 w/ 64megs that runs a firewall, dns, dhcp, apache and some other services. Load stays at 0/0/0

----------

## arnuld

 *batistuta wrote:*   

> something that is not clear to me: does your ADSL modem perform NAT? If so, you might already have a firewall in your modem/router. I can't think of many ISPs that would give you a standalone modem. Most modems perform NAT, WAP, and of course, provide a firewall. If you already have a decent firewall in your modem and you trust 100% your local LAN, then a firewall might not be needed. On the other hand, it doesn't hurt much. If your machine is not too old, the extra load will probably be unnoticeable. 

 

this is Netgear DG632 and they say it has NAT built-into the modem: http://www.netgear.com/Products/RoutersandGateways/WiredRouters/DG632.aspx?detail=Specifications

but i can't find any NAT word in Modem's home page at 192.168.0.1

 *batistuta wrote:*   

> 
> 
> For starters, Iptables can be easily configured with GUIs like firestarter.

 

OUCH!  Arch folks also suggested the same GUI and i posted it here because i thought Gentoo people will never suggest a GUI. i hate GUIs, i love config files and i got a totally new thing "--nolisten tcp" here, Arch folks never even talked about that  :Wink: 

----------

## arnuld

 *Errtu wrote:*   

> Just to compare, i have a p1-233 w/ 64megs that runs a firewall, dns, dhcp, apache and some other services. Load stays at 0/0/0

 

here is me:

AMD64 Athlon 

ASUS K8V-MX, VIA K8M800 and VT8237 chipsets with 800 MHz FSB :: http://www.asus.com/products.aspx?l1=3&l2=14&l3=225&model=754&modelmenu=1

2 x 512 DDR 400 MHz RAM

ATA 80 GB SAMSUNG

1 fan (except Processor fan) on cabinet for extra-cooling  :Wink: 

----------

## Thorium

 *Quote:*   

> OUCH! Arch folks also suggested the same GUI and i posted it here because i thought Gentoo people will never suggest a GUI. i hate GUIs, i love config files and i got a totally new thing "--nolisten tcp" here, Arch folks never even talked about that

 

If you don't like GUIs another alternative to configure a firewall is firehol. It has plenty of nice features and a pretty easy configuration syntax, especially if you are used to writing straight iptables scripts. It works great on headless servers that are administered remotely.

----------

## Hu

If you like configuring it by hand, you could completely skip using a front-end and instead write the rules directly.  Once you have the firewall set up the way you like it, you can have the iptables and ip6tables services (/etc/init.d/iptables and /etc/init.d/ip6tables) save your rules at shutdown and load them at startup.  See /etc/conf.d/ip{,6}tables for some necessary configuration.  Remember also to add those scripts to an appropriate runlevel.
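As an added example of the hand-written approach Hu describes (not code from the thread or from Gentoo), here is a minimal stateful ruleset for the single-PC-behind-an-ADSL-modem case in iptables-restore format: inbound defaults to DROP, loopback and replies to connections the box itself opened are allowed, and nothing else gets in, so a service that later shows up in `netstat` stays unreachable until you add an explicit rule for it. The `-m state` match and the load/save commands are assumptions about the reader's iptables and OpenRC setup.

```shell
#!/bin/sh
# Emit a deny-by-default ruleset for a home desktop in iptables-restore
# format.  Load it (as root) with:  home_desktop_rules | iptables-restore
# then persist it with the distro's service (on Gentoo, /etc/init.d/iptables
# save writes the live rules to the path named by IPTABLES_SAVE in
# /etc/conf.d/iptables; assumed layout, check your own conf.d file).
home_desktop_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always trusted; local X clients, CUPS etc. talk over it
-A INPUT -i lo -j ACCEPT
# replies to connections this box opened (browsing, emerge, ntp queries)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection are dropped outright
-A INPUT -m state --state INVALID -J DROP
# keep the useful ICMP: rate-limited pings plus path-MTU / traceroute errors
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# log a trickle of what hits the DROP policy so it is visible in syslog
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Sanity check: count the rules that let traffic in.  There are exactly five
# (lo, established/related, three ICMP types) and none of them opens a
# TCP or UDP port, which is the whole point for a box that serves nothing.
count_accept_rules() {
    home_desktop_rules | grep -c -- '-j ACCEPT'
}
```

When you do start a service for other machines later, add a single `-A INPUT -p tcp --dport PORT -m state --state NEW -j ACCEPT` line above the LOG rule rather than loosening the policy.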

----------

