Re: firewall package for laptop wi-fi client

2011-01-25 Thread Celejar
On Tue, 25 Jan 2011 21:58:02 +
Joe  wrote:

> On Tue, 25 Jan 2011 15:00:36 -0500
> Celejar  wrote:
> 
> > On Tue, 25 Jan 2011 12:51:15 + (UTC)
> > Camaleón  wrote:
> > 
> >> > 
> > > In this scenario, the "LAN" and the "WAN" are at the same "hostile"
> > > level and so both should be treated. Why should you accept
> > > incoming ssh traffic from the "hostile lan/wan"? I shouldn't...
> > > unless:
> > 
> > Exactly my point - that personal firewall 'profiles' are less useful
> > than they might appear at first blush, since you pretty much need to
> > treat all traffic, even 'local' traffic, as dangerous when behind a
> > NAT router.
> > 
> 
> A laptop will not normally be offering services, so a very basic

My laptop offers lots of services:

~# nmap localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-25 18:49 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.22s latency).
Hostname localhost resolves to 2 IPs. Only scanned 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
631/tcp  open  ipp
3128/tcp open  squid-http
/tcp open  abyss

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

[ssh, Exim, dnsmasq, CUPS, privoxy, approx]

although it can be argued that most of these are intended for use by
localhost only, so we can / should block all remote access to them.

> iptables setup should be adequate everywhere. I have a second profile
> which allows only DHCP, DNS and VPN packets out to the LAN, and once a
> VPN is established, DNS goes over it anyway and the default gateway
> switches to the VPN server.
> 
> This is pretty much equivalent to the Windows 'send all traffic via the
> remote server' option, and I use it both on foreign LANs and on mobile
> Internet if I need to do anything sensitive. If I just want email
> access, ssh into my server is enough, using the standard profile.
> 
> All the public wi-fi systems I've tried seem to block most protocols, so
> neither ssh nor VPN is possible, and I've given up trying them. Maybe
> I'm paranoid, but every time I read about some obscure, devious attack
> technique that I would never have believed possible, or exploitable
> software bug, I get that little bit more paranoid...
> 
> I use RADIUS/EAP-TLS at home, but I can see how that might not be
> practical in a pub or cafe.

Interesting, thanks.

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110125222635.2c097ed7.cele...@gmail.com



Re: firewall package for laptop wi-fi client

2011-01-25 Thread Joe
On Tue, 25 Jan 2011 15:00:36 -0500
Celejar  wrote:

> On Tue, 25 Jan 2011 12:51:15 + (UTC)
> Camaleón  wrote:
> 
>> > 
> > In this scenario, the "LAN" and the "WAN" are at the same "hostile"
> > level and so both should be treated. Why should you accept
> > incoming ssh traffic from the "hostile lan/wan"? I shouldn't...
> > unless:
> 
> Exactly my point - that personal firewall 'profiles' are less useful
> than they might appear at first blush, since you pretty much need to
> treat all traffic, even 'local' traffic, as dangerous when behind a
> NAT router.
> 

A laptop will not normally be offering services, so a very basic
iptables setup should be adequate everywhere. I have a second profile
which allows only DHCP, DNS and VPN packets out to the LAN, and once a
VPN is established, DNS goes over it anyway and the default gateway
switches to the VPN server.

This is pretty much equivalent to the Windows 'send all traffic via the
remote server' option, and I use it both on foreign LANs and on mobile
Internet if I need to do anything sensitive. If I just want email
access, ssh into my server is enough, using the standard profile.

All the public wi-fi systems I've tried seem to block most protocols, so
neither ssh nor VPN is possible, and I've given up trying them. Maybe
I'm paranoid, but every time I read about some obscure, devious attack
technique that I would never have believed possible, or exploitable
software bug, I get that little bit more paranoid...

I use RADIUS/EAP-TLS at home, but I can see how that might not be
practical in a pub or cafe.

-- 
Joe


Archive: http://lists.debian.org/20110125215802.5edc3...@jresid.jretrading.com
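Joe's two-profile setup above (and Celejar's point that the daemons on his laptop should only answer on loopback) can be written down as a small generator for iptables-restore rulesets. This is an added example, not Joe's actual configuration: the interface names wlan0 and tun0, the VPN server address 203.0.113.10 and the UDP port 1194 are assumptions, and the "hostile" profile lets only DHCP, DNS and the VPN handshake leave on the Wi-Fi side while everything else must use the tunnel.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for
# one of two laptop profiles. Interface names, VPN address and VPN port are
# assumptions for illustration only.
#   standard : nothing inbound except loopback, DHCP and replies to our own
#              connections; anything we initiate may leave.
#   hostile  : on the Wi-Fi interface only DHCP, DNS and the VPN handshake
#              may leave; everything else must go through the tunnel.
WIFI_IF="${WIFI_IF:-wlan0}"                 # assumed Wi-Fi interface
VPN_IF="${VPN_IF:-tun0}"                    # assumed tunnel interface
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"    # placeholder address (TEST-NET-3)
VPN_PORT="${VPN_PORT:-1194}"                # assumed OpenVPN UDP port

# Daemons from Celejar's nmap listing that must only answer on loopback.
LOCAL_TCP_PORTS="22 25 53 631 3128"

emit() { printf '%s\n' "$1"; }   # printf, so a leading "-A" is never an echo option

fw_rules() {
    profile="$1"
    case "$profile" in
        standard|hostile) ;;
        *) echo "unknown profile: $profile" >&2; return 1 ;;
    esac

    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT DROP [0:0]'

    # Loopback is the only path to the local daemons.
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections we opened ourselves: the "expected" traffic.
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # A NATed host from the outside and a neighbour on the LAN look the same
    # to this firewall, so the local services are refused from both alike.
    for p in $LOCAL_TCP_PORTS; do
        emit "-A INPUT ! -i lo -p tcp --dport $p -j REJECT --reject-with tcp-reset"
    done
    # DHCP offers/acks arrive as UDP 67 -> 68 (clients that use raw sockets
    # bypass this chain anyway, but the rule costs nothing).
    emit "-A INPUT -i $WIFI_IF -p udp --sport 67 --dport 68 -j ACCEPT"

    emit '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    case "$profile" in
        standard)
            emit '-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT'
            ;;
        hostile)
            # Wi-Fi side: just enough to obtain a lease and bring up the VPN.
            emit "-A OUTPUT -o $WIFI_IF -p udp --sport 68 --dport 67 -j ACCEPT"
            emit "-A OUTPUT -o $WIFI_IF -p udp --dport 53 -j ACCEPT"
            emit "-A OUTPUT -o $WIFI_IF -p tcp --dport 53 -j ACCEPT"
            emit "-A OUTPUT -o $WIFI_IF -d $VPN_SERVER -p udp --dport $VPN_PORT -j ACCEPT"
            # Once the tunnel is up the default route and DNS move into it;
            # anything may leave through the tunnel interface.
            emit "-A OUTPUT -o $VPN_IF -j ACCEPT"
            ;;
    esac
    emit 'COMMIT'
}

# Checks that inspect the generated text without loading it into the kernel.
rule_count() { fw_rules "$1" | grep -c '^-A'; }

# May a new outbound <proto> connection to <port> leave on the Wi-Fi side?
wifi_out_permitted() {
    [ "$1" = standard ] && return 0
    fw_rules "$1" | grep -q -- "-o $WIFI_IF .*-p $2 .*--dport $3 -j ACCEPT"
}

# Is a local TCP service refused on every interface except loopback?
local_service_refused() {
    fw_rules "$1" | grep -q -- "! -i lo -p tcp --dport $2 -j REJECT"
}

case "${1:-}" in
    show)  fw_rules "${2:-hostile}" ;;
    apply) fw_rules "${2:-hostile}" | iptables-restore ;;
esac
```

Run it as `sh fw-profile.sh show hostile` to inspect the generated rules, or `apply` as root to load them; the check functions only read the generated text.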



Re: firewall package for laptop wi-fi client

2011-01-25 Thread Celejar
On Tue, 25 Jan 2011 12:51:15 + (UTC)
Camaleón  wrote:

> On Mon, 24 Jan 2011 15:57:33 -0500, Celejar wrote:
> 
> > On Fri, 7 Jan 2011 19:51:59 + (UTC) Camaleón wrote:
> > 
> >> Open wifi hot-spots (or open networks) are dangerous because all your
> >> "neighbors" can represent a potential security risk (they have
> >> "physical" access to your machine), meaning that you should enforce
> >> your computer firewall rules to treat all of the LAN computers as
> >> "untrusted" hosts which BTW is not the normal behavior of a firewall
> >> (in a LAN environment, internal hosts are the "good" guys and rules are
> >> relaxed for the whole LAN machines).
> >> 
> >> For precisely that purpose there are firewall "profiles", to harden
> >> policies when going through open networks (aka: close all ports, do not
> >> allow traffic from any machine to my host and monitor all the traffic
> >> going in/out... alias: heads-up!).
> > 
> > From your last paragraph, it sounds like you're talking about a
> > 'personal' firewall - i.e., one running on your laptop.  
> 
> Yes.
> 
> > But if so, it can actually get pretty tricky to distinguish between
> > traffic from the LAN and from the big, bad WWW, since your gateway
> > router is probably doing NAT on incoming traffic.  IOW, how do you tell
> > the firewall "accept ssh connections from the LAN but not from the
> > 'net", when the 'net connections have been NATed to look like they're
> > originating from the LAN?
> 
> In this scenario, the "LAN" and the "WAN" are at the same "hostile" level 
> and so both should be treated. Why should you accept incoming ssh 
> traffic from the "hostile lan/wan"? I shouldn't... unless:

Exactly my point - that personal firewall 'profiles' are less useful
than they might appear at first blush, since you pretty much need to
treat all traffic, even 'local' traffic, as dangerous when behind a NAT
router.

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


Archive: http://lists.debian.org/20110125150036.3fa2c090.cele...@gmail.com



Re: firewall package for laptop wi-fi client

2011-01-25 Thread Camaleón
On Mon, 24 Jan 2011 15:57:33 -0500, Celejar wrote:

> On Fri, 7 Jan 2011 19:51:59 + (UTC) Camaleón wrote:
> 
>> Open wifi hot-spots (or open networks) are dangerous because all your
>> "neighbors" can represent a potential security risk (they have
>> "physical" access to your machine), meaning that you should enforce
>> your computer firewall rules to treat all of the LAN computers as
>> "untrusted" hosts which BTW is not the normal behavior of a firewall
>> (in a LAN environment, internal hosts are the "good" guys and rules are
>> relaxed for the whole LAN machines).
>> 
>> For precisely that purpose there are firewall "profiles", to harden
>> policies when going through open networks (aka: close all ports, do not
>> allow traffic from any machine to my host and monitor all the traffic
>> going in/out... alias: heads-up!).
> 
> From your last paragraph, it sounds like you're talking about a
> 'personal' firewall - i.e., one running on your laptop.  

Yes.

> But if so, it can actually get pretty tricky to distinguish between
> traffic from the LAN and from the big, bad WWW, since your gateway
> router is probably doing NAT on incoming traffic.  IOW, how do you tell
> the firewall "accept ssh connections from the LAN but not from the
> 'net", when the 'net connections have been NATed to look like they're
> originating from the LAN?

In this scenario, the "LAN" and the "WAN" are at the same "hostile" level 
and so both should be treated. Why should you accept incoming ssh 
traffic from the "hostile lan/wan"? I shouldn't... unless:

a) The request comes from a known host that I have previously configured 
and set up to be able to access my machine (i.e., by means of VPN or ssh 
tunnel from my remote computer).

and

b) I am expecting the incoming traffic.

It's the same attitude I have when someone sends me a "I want to be your 
friend" invitation by e-mail... unless:

a) I know beforehand the person who sends the invitation

and

b) I was put on alert about that person is going to send me an invitation

My "human common sense firewall" says: "reject" :-)

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/pan.2011.01.25.12.51...@gmail.com



Re: firewall package for laptop wi-fi client

2011-01-24 Thread Celejar
On Fri, 7 Jan 2011 19:51:59 + (UTC)
Camaleón  wrote:

> On Fri, 07 Jan 2011 20:53:44 +0200, Andrei Popescu wrote:
> 
> > On Fri, 07 Jan 11, 16:23:16, Eduardo M KALINOWSKI wrote:
> >> On Fri, 07 Jan 2011, Andrei Popescu wrote:
> >> >If you consider an open wireless to be more dangerous, what additional
> >> >protective measures do you suggest?
> >> 
> >> Enable encryption of the wireless traffic (but not WEP, which is too
> >> weak).
> >  
> > I might not have control over that (hotel or pub wireless).
> > 
> >> SSL is always nice, but there isn't much you can do if the remote site
> >> does not use it.
> >> 
> >> A VPN (or a ssh tunnel) will provide more security, but you'll need a
> >> remote host.
> > 
> > No, I'm not going to set up a VPN just to browse public sites from a
> > public wireless. Of course, I would not access sensitive stuff unless
> > properly protected (SSH, SSL, ...), but this is not different than what
> > I'm doing anyway when using my home connection (wired or not).
> > 
> > What *other* protection do you think is necessary, something that you
> > would not do anyway if the same computer was connected *directly* to the
> > internet (no NAT and/or external firewall)?
> 
> Open wifi hot-spots (or open networks) are dangerous because all your 
> "neighbors" can represent a potential security risk (they have "physical" 
> access to your machine), meaning that you should enforce your computer 
> firewall rules to treat all of the LAN computers as "untrusted" hosts 
> which BTW is not the normal behavior of a firewall (in a LAN environment, 
> internal hosts are the "good" guys and rules are relaxed for the whole 
> LAN machines). 
> 
> For precisely that purpose there are firewall "profiles", to harden 
> policies when going through open networks (aka: close all ports, do not 
> allow traffic from any machine to my host and monitor all the traffic 
> going in/out... alias: heads-up!).

From your last paragraph, it sounds like you're talking about a
'personal' firewall - i.e., one running on your laptop.  But if so, it
can actually get pretty tricky to distinguish between traffic from the
LAN and from the big, bad WWW, since your gateway router is probably
doing NAT on incoming traffic.  IOW, how do you tell the firewall
"accept ssh connections from the LAN but not from the 'net", when the
'net connections have been NATed to look like they're originating from
the LAN?

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


Archive: http://lists.debian.org/20110124155733.9d35ca3e.cele...@gmail.com



Re: firewall package for laptop wi-fi client

2011-01-24 Thread Camaleón
On Mon, 24 Jan 2011 01:17:55 +0200, Eero Volotinen wrote:

>> Open wifi hot-spots (or open networks) are dangerous because all your
>> "neighbors" can represent a potential security risk (they have
>> "physical" access to your machine), meaning that you should enforce
>> your computer firewall rules to treat all of the LAN computers as
>> "untrusted" hosts which BTW is not the normal behavior of a firewall
>> (in a LAN environment, internal hosts are the "good" guys and rules are
>> relaxed for the whole LAN machines).
> 
> Do you really trust your hosts at lan network? It's a dangerous way.
> There can be hackers, viruses inside your lan network also..

In my lan, at work/home? Sure! I designed it from scratch (bought the 
cables, designed the network structure, configured the hosts/firewalls/
gateways, defined computer security and enforced a strict policy for the 
users). Every computer/device that is connected to the wires is being 
monitored. Incoming wifi AP connections fall into another (separated) 
network.

Can't say the same for open networks or other company's network (wireless 
or wired). Open wireless hot-spots add additional monitoring complication 
(you don't only have to control unexpected visitors coming from anywhere 
but you depend on the client/user setup -which most of the time 
translates into easy attacks from hijackers who search for defenseless/
unprotected computers and use them to run the attack, making the original 
source even more difficult to find).

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/pan.2011.01.24.19.30...@gmail.com



Re: firewall package for laptop wi-fi client

2011-01-23 Thread Celejar
On Sun, 23 Jan 2011 14:21:33 -0800
Mark  wrote:

> On Sat, Jan 22, 2011 at 9:23 PM, Celejar  wrote:
> 
> > On Fri, 7 Jan 2011 17:15:15 -0800
> > Mark  wrote:

...

> > > This is a great idea; I do this when traveling with a work laptop,
> > booting
> > > Ubuntu off a live usb stick.  With the 10.10 release the boot time is
> > > unbelievably fast.  There is a way to make the usb media a "persistent"
> > > installation which allows you to save preferences, etc. to the media so
> > upon
> > > next boot you aren't reset to defaults.  I myself haven't done that but
> > > there is probably plenty of discussion on the topic at the Ubuntu forums
> > if
> > > it interests you.
> >
> > A live CD will only help for the problem of a rogue public computer -
> > insofar as you're using your own laptop, why would a live CD add any
> > security?  [And if you don't trust your own computer, you should be
> > using a live CD even when browsing from a secure network.]
> >
> 
> For me, when it's a work computer that has a Windows-only installation on
> it, running Ubuntu from a Live CD is the only allowable way to use Linux on
> the computer.

Ah, ok.  But for someone who actually controls the software on his
computer, there won't be much benefit to running a live CD (unless one
is worried that his installation has been compromised).

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


Archive: http://lists.debian.org/20110123232555.7244fc71.cele...@gmail.com



Re: firewall package for laptop wi-fi client

2011-01-23 Thread Eero Volotinen
> Open wifi hot-spots (or open networks) are dangerous because all your
> "neighbors" can represent a potential security risk (they have "physical"
> access to your machine), meaning that you should enforce your computer
> firewall rules to treat all of the LAN computers as "untrusted" hosts
> which BTW is not the normal behavior of a firewall (in a LAN environment,
> internal hosts are the "good" guys and rules are relaxed for the whole
> LAN machines).

Do you really trust your hosts at lan network? It's a dangerous way.
There can be hackers, viruses inside your lan network also..

--
Eero


Archive: http://lists.debian.org/aanlktikx60ahfkfcvkrr68czmwfsker1kqryou964...@mail.gmail.com



Re: firewall package for laptop wi-fi client

2011-01-23 Thread Andrei Popescu
On Sun, 23 Jan 11, 14:21:33, Mark wrote:
> 
> For me, when it's a work computer that has a Windows-only installation on
> it, running Ubuntu from a Live CD is the only allowable way to use Linux on
> the computer.

Debian installs just fine on USB sticks ;)

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: firewall package for laptop wi-fi client

2011-01-23 Thread Mark
On Sat, Jan 22, 2011 at 9:23 PM, Celejar  wrote:

> On Fri, 7 Jan 2011 17:15:15 -0800
> Mark  wrote:
>
> > On Fri, Jan 7, 2011 at 2:28 PM, Klistvud 
> wrote:
> >
> > >
> > > For people really concerned with their security in public wifi spots,
> > > perhaps the best I can recommend is: just run off of a live CD. It's
> really
> > > a great security policy once you get used to it being somewhat slower;
> if
> > > you can get suspend-to-RAM working, you needn't even worry about
> longish
> > > boot times (which are fairly short with the recent Ubuntus anyway). Of
> > > course, even with a live CD you should be careful with sensitive data
> such
> > > as e-mail accounts, online passwords and all the other stuff.
> > >
> >
> > This is a great idea; I do this when traveling with a work laptop,
> booting
> > Ubuntu off a live usb stick.  With the 10.10 release the boot time is
> > unbelievably fast.  There is a way to make the usb media a "persistent"
> > installation which allows you to save preferences, etc. to the media so
> upon
> > next boot you aren't reset to defaults.  I myself haven't done that but
> > there is probably plenty of discussion on the topic at the Ubuntu forums
> if
> > it interests you.
>
> A live CD will only help for the problem of a rogue public computer -
> insofar as you're using your own laptop, why would a live CD add any
> security?  [And if you don't trust your own computer, you should be
> using a live CD even when browsing from a secure network.]
>

For me, when it's a work computer that has a Windows-only installation on
it, running Ubuntu from a Live CD is the only allowable way to use Linux on
the computer.

Mark


Re: firewall package for laptop wi-fi client

2011-01-22 Thread Celejar
On Fri, 7 Jan 2011 17:15:15 -0800
Mark  wrote:

> On Fri, Jan 7, 2011 at 2:28 PM, Klistvud  wrote:
> 
> >
> > For people really concerned with their security in public wifi spots,
> > perhaps the best I can recommend is: just run off of a live CD. It's really
> > a great security policy once you get used to it being somewhat slower; if
> > you can get suspend-to-RAM working, you needn't even worry about longish
> > boot times (which are fairly short with the recent Ubuntus anyway). Of
> > course, even with a live CD you should be careful with sensitive data such
> > as e-mail accounts, online passwords and all the other stuff.
> >
> 
> This is a great idea; I do this when traveling with a work laptop, booting
> Ubuntu off a live usb stick.  With the 10.10 release the boot time is
> unbelievably fast.  There is a way to make the usb media a "persistent"
> installation which allows you to save preferences, etc. to the media so upon
> next boot you aren't reset to defaults.  I myself haven't done that but
> there is probably plenty of discussion on the topic at the Ubuntu forums if
> it interests you.

A live CD will only help for the problem of a rogue public computer -
insofar as you're using your own laptop, why would a live CD add any
security?  [And if you don't trust your own computer, you should be
using a live CD even when browsing from a secure network.]

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


Archive: http://lists.debian.org/20110123002323.42e1ff1c.cele...@gmail.com



Re: firewall package for laptop wi-fi client

2011-01-07 Thread Mark
On Fri, Jan 7, 2011 at 2:28 PM, Klistvud  wrote:

>
> For people really concerned with their security in public wifi spots,
> perhaps the best I can recommend is: just run off of a live CD. It's really
> a great security policy once you get used to it being somewhat slower; if
> you can get suspend-to-RAM working, you needn't even worry about longish
> boot times (which are fairly short with the recent Ubuntus anyway). Of
> course, even with a live CD you should be careful with sensitive data such
> as e-mail accounts, online passwords and all the other stuff.
>

This is a great idea; I do this when traveling with a work laptop, booting
Ubuntu off a live usb stick.  With the 10.10 release the boot time is
unbelievably fast.  There is a way to make the usb media a "persistent"
installation which allows you to save preferences, etc. to the media so upon
next boot you aren't reset to defaults.  I myself haven't done that but
there is probably plenty of discussion on the topic at the Ubuntu forums if
it interests you.

Mark


Re: firewall package for laptop wi-fi client

2011-01-07 Thread Klistvud

On 07. 01. 2011 19:53:44, Andrei Popescu wrote:

For people really concerned with their security in public wifi spots,  
perhaps the best I can recommend is: just run off of a live CD. It's  
really a great security policy once you get used to it being somewhat  
slower; if you can get suspend-to-RAM working, you needn't even worry  
about longish boot times (which are fairly short with the recent  
Ubuntus anyway). Of course, even with a live CD you should be careful  
with sensitive data such as e-mail accounts, online passwords and all  
the other stuff.


--
Cheerio,

Klistvud  
http://bufferoverflow.tiddlyspot.com
Certifiable Loonix User #481801  Please reply to the list, not to  
me.



Archive: http://lists.debian.org/1294439328.387...@compax



Re: firewall package for laptop wi-fi client

2011-01-07 Thread Camaleón
On Fri, 07 Jan 2011 20:53:44 +0200, Andrei Popescu wrote:

> On Fri, 07 Jan 11, 16:23:16, Eduardo M KALINOWSKI wrote:
>> On Fri, 07 Jan 2011, Andrei Popescu wrote:
>> >If you consider an open wireless to be more dangerous, what additional
>> >protective measures do you suggest?
>> 
>> Enable encryption of the wireless traffic (but not WEP, which is too
>> weak).
>  
> I might not have control over that (hotel or pub wireless).
> 
>> SSL is always nice, but there isn't much you can do if the remote site
>> does not use it.
>> 
>> A VPN (or a ssh tunnel) will provide more security, but you'll need a
>> remote host.
> 
> No, I'm not going to set up a VPN just to browse public sites from a
> public wireless. Of course, I would not access sensitive stuff unless
> properly protected (SSH, SSL, ...), but this is not different than what
> I'm doing anyway when using my home connection (wired or not).
> 
> What *other* protection do you think is necessary, something that you
> would not do anyway if the same computer was connected *directly* to the
> internet (no NAT and/or external firewall)?

Open wifi hot-spots (or open networks) are dangerous because all your 
"neighbors" can represent a potential security risk (they have "physical" 
access to your machine), meaning that you should enforce your computer 
firewall rules to treat all of the LAN computers as "untrusted" hosts 
which BTW is not the normal behavior of a firewall (in a LAN environment, 
internal hosts are the "good" guys and rules are relaxed for the whole 
LAN machines). 

For precisely that purpose there are firewall "profiles", to harden 
policies when going through open networks (aka: close all ports, do not 
allow traffic from any machine to my host and monitor all the traffic 
going in/out... alias: heads-up!).

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/pan.2011.01.07.19.51...@gmail.com



Re: firewall package for laptop wi-fi client

2011-01-07 Thread Andrei Popescu
On Fri, 07 Jan 11, 16:23:16, Eduardo M KALINOWSKI wrote:
> On Fri, 07 Jan 2011, Andrei Popescu wrote:
> >If you consider an open wireless to be more dangerous, what additional
> >protective measures do you suggest?
> 
> Enable encryption of the wireless traffic (but not WEP, which is too weak).
 
I might not have control over that (hotel or pub wireless).

> SSL is always nice, but there isn't much you can do if the remote
> site does not use it.
> 
> A VPN (or a ssh tunnel) will provide more security, but you'll need
> a remote host.

No, I'm not going to set up a VPN just to browse public sites from a 
public wireless. Of course, I would not access sensitive stuff unless 
properly protected (SSH, SSL, ...), but this is not different than what 
I'm doing anyway when using my home connection (wired or not).

What *other* protection do you think is necessary, something that you 
would not do anyway if the same computer was connected *directly* to the 
internet (no NAT and/or external firewall)?

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: firewall package for laptop wi-fi client

2011-01-07 Thread Eduardo M KALINOWSKI

On Fri, 07 Jan 2011, Andrei Popescu wrote:

> If you consider an open wireless to be more dangerous, what additional
> protective measures do you suggest?


Enable encryption of the wireless traffic (but not WEP, which is too weak).

SSL is always nice, but there isn't much you can do if the remote site  
does not use it.


A VPN (or a ssh tunnel) will provide more security, but you'll need a  
remote host.



--
Save yourself from the 'Gates' of hell, use Linux."  -- like that one.
-- The_Kind @ LinuxNet

Eduardo M KALINOWSKI
edua...@kalinowski.com.br


Archive: http://lists.debian.org/20110107162316.156747g2ggxlz...@mail.kalinowski.com.br



Re: firewall package for laptop wi-fi client

2011-01-07 Thread Andrei Popescu
On Thu, 06 Jan 11, 09:12:28, Eduardo M KALINOWSKI wrote:

[snip]

If you consider an open wireless to be more dangerous, what additional 
protective measures do you suggest?

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: firewall package for laptop wi-fi client

2011-01-06 Thread Eduardo M KALINOWSKI

On Wed, 05 Jan 2011, Andrei Popescu wrote:

> By "physical access to the network" you mean the internet, right?
> Because that's what's past my AP... AFAIK it's just a bit more difficult
> to intercept the traffic, that's all.


I'm talking about LAN traffic, not internet traffic. Intercepting  
traffic sent by the guy in the next table in the café.


Also, I wouldn't consider sniffing internet traffic "just a bit more  
difficult". Certainly can be done under the right circumstances and  
with the right tools, but it's not trivial.


If the wireless network is open, however, i just need a laptop with a  
supported wireless card, be in range of the network, and fire up kismet  
or a similar tool, and all traffic going through the air can be read. I  
believe this is completely passive, so no one can detect that traffic  
is being read, unlike sniffing internet traffic - somehow you must  
reroute the traffic to your machine, which leaves traces. Since the  
wireless traffic is not encrypted, anything not protected by SSL or  
similar can be immediately read.


If the wireless is encrypted, however, all I would get is encrypted  
data. WEP can always be broken with enough traffic; for WPA there are  
some attacks but I believe they are not yet as general and easy. It's  
certainly not 100% secure (nothing really is), and less secure than  
connecting via a cabled connection (which requires physical access to  
the LAN, instead of just being within range, and some technique such  
as ARP spoofing to be able to receive packages not meant for you), but  
certainly better than an open network.



> Whenever I'm connected to an open AP I just consider my laptop connected
> directly[1] to the internet, with all inherent risks.
>
> [1] even though most APs have at least NAT


Again, I was referring to sniffing by other people in the same AP,  
before it reaches the internet.




--
 I can think of lots of people who need USER=ID10T someplace!

Eduardo M KALINOWSKI
edua...@kalinowski.com.br


Archive: http://lists.debian.org/20110106091228.62212kmd5i5gj...@mail.kalinowski.com.br



Re: firewall package for laptop wi-fi client

2011-01-05 Thread Andrei Popescu
On Wed, 05 Jan 11, 09:49:38, Eduardo M KALINOWSKI wrote:
> On Tue, 04 Jan 2011, Andrei Popescu wrote:
> >The wireless encrypts the traffic only between my laptop and my AP.
> >Beyond my AP the wireless encryption does not bring any additional
> >security.
> 
> That's true, but that's exactly the point: if the wireless network
> is not encrypted it is trivial to capture the plain-text traffic
> between users' computers and the AP: you just need another computer
> with a wireless adapter nearby.
> 
> Sniffing traffic past the AP is harder: generally the connection is
> cabled, so you need physical access to the network, some technique
> to route packages to your machine (not difficult to do, but also
> means your action might be detected), etc.

By "physical access to the network" you mean the internet, right? 
Because that's what's past my AP... AFAIK it's just a bit more difficult 
to intercept the traffic, that's all.

As far as I'm concerned my home wireless is encrypted for two reasons:

1. I don't want to share my internet connections with my neighbors (for 
various reasons)
2. I want to be able to run unsecured services, if needed, behind the 
relative protection of the AP's firewall

Whenever I'm connected to an open AP I just consider my laptop connected 
directly[1] to the internet, with all inherent risks.

[1] even though most APs have at least NAT

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: firewall package for laptop wi-fi client

2011-01-05 Thread Eduardo M KALINOWSKI

On Ter, 04 Jan 2011, Andrei Popescu wrote:

The wireless encrypts the traffic only between my laptop and my AP.
Beyond my AP the wireless encryption does not bring any additional
security.


That's true, but that's exactly the point: if the wireless network is  
not encrypted it is trivial to capture the plain-text traffic between  
users' computers and the AP: you just need another computer with a
wireless adapter nearby.


Sniffing traffic past the AP is harder: generally the connection is  
cabled, so you need physical access to the network, some technique to  
route packets to your machine (not difficult to do, but also means
your action might be detected), etc.



--
It looks like blind screaming hedonism won out.

Eduardo M KALINOWSKI
edua...@kalinowski.com.br



Archive: 
http://lists.debian.org/20110105094938.422675hp301k9...@mail.kalinowski.com.br



Re: firewall package for laptop wi-fi client [going OT]

2011-01-04 Thread Andrei Popescu
On Lu, 03 ian 11, 23:28:24, tv.deb...@googlemail.com wrote:
> 
> Off topic for Debian but relevant to your question, I came across an
> article today in Ars Technica:
> http://arstechnica.com/security/guides/2011/01/stay-safe-at-a-public-wi-fi-hotspot.ars
> 
> Might be worth reading if you are in the blue regarding security
> implications of open networks.

I'm not a security expert, but nothing in that article suggests to me 
that I would be more exposed on a public rather than on an encrypted 
wifi, but I'm open to hear otherwise.

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: firewall package for laptop wi-fi client

2011-01-04 Thread Andrei Popescu
On Ma, 04 ian 11, 09:31:52, Eduardo M KALINOWSKI wrote:
> On Ter, 04 Jan 2011, Andrei Popescu wrote:
> >Would you care to explain why you find an open wireless to be more
> >dangerous than your regular internet connection?
> 
> Because anyone nearby with a laptop can sniff the traffic, unlike
> with a regular cabled internet connection or a password protected
> wireless network (in which traffic is encrypted)?

The wireless encrypts the traffic only between my laptop and my AP. 
Beyond my AP the wireless encryption does not bring any additional 
security.

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: firewall package for laptop wi-fi client

2011-01-04 Thread Brian
On Tue 04 Jan 2011 at 09:20:39 -0500, Brad Alexander wrote:

> If you are on a public wifi, you can turn off ssh server (the client
> will still work) and nrpe (the Nagios client). On the other hand, if
> you turn off password auth in ssh, you should be relatively safe
> leaving ssh running. xmpp is the jabber client, and if you are not
> using chat, then that should be turned off.

Why should any server which is safe to use on a home network become less
safe when on any other network, public wifi or not? sshd, for example,
is as impregnable in a café as it is in your kitchen. I'd have no
qualms leaving every server I normally run in a listening state.


Archive: http://lists.debian.org/20110104184017.gu32...@desktop



Re: firewall package for laptop wi-fi client

2011-01-04 Thread Arthur Machlas
On Tue, Jan 4, 2011 at 6:23 AM, Eduardo M KALINOWSKI
 wrote:
> On Ter, 04 Jan 2011, Brian wrote:
>>>
>>> Because anyone nearby with a laptop can sniff the traffic, unlike with a
>>> regular cabled internet connection or a password protected wireless
>>> network (in which traffic is encrypted)?
>>
>> For internet banking/shopping over https (which would be the norm) it
>> wouldn't give them anything of value, would it?
>
> Only the URLs of what you visit. But many sites still don't use https even
> for login. (Shame on them...) Or use https for login and later go back to
> http, using cookies in a way that it is easy for others to hijack the
> session, as the article mentions.

I recall reading, maybe on Debian planet, a post about a guy who was
running wireshark while on an open cafe network, and found that even
though he was using https Bank of America was transmitting the
password in clear text. Or something. I can't find it again, does that
ring any bells for anyone?

The point, if I remember, was that on your personal protected network
you are protecting yourself and being protected. So both have to fail
for you to be compromised.


Archive: 
http://lists.debian.org/aanlktimgpnkkjrhfsy4ezzfv08vxoss8xuhghqlxc...@mail.gmail.com



Re: firewall package for laptop wi-fi client

2011-01-04 Thread Brad Alexander
You should probably be running a plugin/extension that turns off flash
and javascript, and lets you selectively enable them for individual sites.
On firefox/iceweasel, these would be flashblock and noscript. I also
have adblock plus installed. With careful use, this will cull out most
of the malicious stuff.

As for needing a firewall, if you run as few network services as
possible, you really don't need a firewall, or need only minimal rules.
For instance, my laptop has the following ports:

PORT STATE SERVICE
22/tcp   open  ssh
5666/tcp open  nrpe
8010/tcp open  xmpp

If you are on a public wifi, you can turn off ssh server (the client
will still work) and nrpe (the Nagios client). On the other hand, if
you turn off password auth in ssh, you should be relatively safe
leaving ssh running. xmpp is the jabber client, and if you are not
using chat, then that should be turned off.

--b

On Mon, Jan 3, 2011 at 5:02 AM, Jari Fredriksson  wrote:
> On 3.1.2011 11:55, Russell L. Harris wrote:
>
>>
>>> The major threats are web browser security holes (update often)
>>> especially through flash and java plug-ins, and pdf.
>>
>> Flash and java are in most web pages.  Does a firewall not protect
>> against these threats? or are browser updates necessary even with a
>> firewall?
>>
>
> Most web sites today do NOT have Java Applets. Javascript is NOT Java.
> Totally different concept, and that is very common; almost 100% of web
> sites do have Javascript.
>
> A firewall does not protect from Web Browser vulnerabilities; browser
> updates are a must.
>
> --
>
> Tomorrow, this will be part of the unchangeable past but fortunately,
> it can still be changed today.
>
>


Archive: 
http://lists.debian.org/aanlkti=3n7bgcxicqvqck1h32bephtbw7aasqspfr...@mail.gmail.com



[OT] Re: firewall package for laptop wi-fi client

2011-01-04 Thread tv.deb...@googlemail.com
On the 04/01/2011 12:19, Andrei Popescu wrote:
> On Lu, 03 ian 11, 12:28:25, tv.deb...@googlemail.com wrote:
>>
>> I wouldn't do my internet banking/shopping over such a network though...
> 
> Would you care to explain why you find an open wireless to be more 
> dangerous than your regular internet connection?
> 
> Regards,
> Andrei

[paranoid penguin mode on]
Hi, I wasn't thinking only about session hijacking, cookie grabbing or
various phishing and spoofing which are just too easy to perform on an
open network; tools like "firesheep"[1] and ready-made exploit kits make
it available to the masses now. I am wondering how many social website
accounts have been cracked thanks to this; many teenagers consider it a
game, they don't really understand the legal implications so they are
not inhibited. I saw a case of a middle school student faking an access
point with a laptop on an open school network; it's easy to find video
step-by-step tutorials to do all kinds of nasty things, I can only
imagine what a seasoned black hat can do.
My other concern would be the environment in which such networks exist:
coffee shops, train stations, hotel lobbies, school halls... It opens an
exciting array of old-school techniques, from simply eavesdropping on
passwords to using phone or laptop cameras to record typing or grab a
picture of a credit card. These techniques are not specific to open
networks, but add those data to what you can collect over an open
network and it gets really mouth-watering for a pirate, I guess.

I know Bruce Schneier wrote a nice piece advocating open wifi hotspots[2],
but I wouldn't use it for anything else than checking the news, and
certainly not for something involving password typing. Of course if you
live in the middle of a desert and run an open network, I guess it's fine.

[1] http://threatscape.com/Advisory_04_Nov_2010__Firesheep.html

[2] http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html

[/paranoid penguin mode]


Archive: http://lists.debian.org/4d2322c9.5090...@googlemail.com



Re: firewall package for laptop wi-fi client

2011-01-04 Thread Eduardo M KALINOWSKI

On Ter, 04 Jan 2011, Brian wrote:

Because anyone nearby with a laptop can sniff the traffic, unlike with a
regular cabled internet connection or a password protected wireless
network (in which traffic is encrypted)?


For internet banking/shopping over https (which would be the norm) it
wouldn't give them anything of value, would it?


Only the URLs of what you visit. But many sites still don't use https  
even for login. (Shame on them...) Or use https for login and later go  
back to http, using cookies in a way that it is easy for others to  
hijack the session, as the article mentions.




--
Less is more or less more
-- Y_Plentyn on #LinuxGER

Eduardo M KALINOWSKI
edua...@kalinowski.com.br



Archive: 
http://lists.debian.org/20110104102335.19592gqi96msu...@mail.kalinowski.com.br
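Eduardo's point about sites that log in over https and then fall back to http with the same session cookie is something you can check yourself from the response headers: a cookie that lacks the Secure attribute is sent by the browser on plain-http requests as well, which is exactly what a passive sniffer on an open network collects. The following is an added example, not code from anyone in this thread: a POSIX shell/awk filter that reads raw HTTP response headers and reports, per Set-Cookie, whether the Secure and HttpOnly attributes are missing. The embedded response is constructed for the demonstration, and the hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit Set-Cookie headers for the
# Secure and HttpOnly attributes. A cookie without Secure is sent over plain
# http as well, so a session set up over https can still be captured once
# the site drops back to http.

# Constructed sample response headers (not captured from a real site).
sample_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
Date: Tue, 04 Jan 2011 12:00:00 GMT
Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly
Set-Cookie: csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict
Set-Cookie: remember=1; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT
Content-Type: text/html
EOF
}

# Reads headers on stdin; prints one line per cookie:
#   NAME: ok
#   NAME: missing Secure,HttpOnly
audit_cookies() {
    awk '
    tolower($1) == "set-cookie:" {
        line = $0
        sub(/^[^:]*:[ \t]*/, "", line)          # drop the "Set-Cookie:" prefix
        n = split(line, part, ";")              # name=value; attr; attr ...
        name = part[1]
        sub(/=.*/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        secure = 0; httponly = 0
        for (i = 2; i <= n; i++) {
            a = tolower(part[i])
            gsub(/^[ \t]+|[ \t]+$/, "", a)
            if (a == "secure")   secure = 1
            if (a == "httponly") httponly = 1
        }
        missing = ""
        if (!secure)   missing = "Secure"
        if (!httponly) missing = missing (missing == "" ? "" : ",") "HttpOnly"
        if (missing == "") printf "%s: ok\n", name
        else               printf "%s: missing %s\n", name, missing
    }'
}

# Number of cookies that lack at least one of the two attributes.
insecure_cookie_count() {
    audit_cookies | grep -c ': missing'
}

# Usage against a live site (hostname is a placeholder):
#   curl -sI https://example.invalid/login | audit_cookies
```

On the constructed response, SESSIONID is reported as missing Secure, csrf as ok, and remember as missing both. A site that sets its session cookie the way SESSIONID is set here will hand the session to anyone watching the next plain-http request, even though the login itself went over https.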



Re: firewall package for laptop wi-fi client

2011-01-04 Thread Brian
On Tue 04 Jan 2011 at 09:31:52 -0200, Eduardo M KALINOWSKI wrote:

> Because anyone nearby with a laptop can sniff the traffic, unlike with a 
> regular cabled internet connection or a password protected wireless  
> network (in which traffic is encrypted)?

For internet banking/shopping over https (which would be the norm) it
wouldn't give them anything of value, would it?


Archive: http://lists.debian.org/20110104115157.gt32...@desktop



Re: firewall package for laptop wi-fi client

2011-01-04 Thread S Mathias
http://lcamtuf.blogspot.com/2010/12/unencrypted-public-wifi-should-die.html
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=&filter_author=&filter_platform=45&filter_type=3&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

--- On Tue, 1/4/11, Andrei Popescu  wrote:

> From: Andrei Popescu 
> Subject: Re: firewall package for laptop wi-fi client
> To: debian-user@lists.debian.org
> Date: Tuesday, January 4, 2011, 11:19 AM
> On Lu, 03 ian 11, 12:28:25, tv.deb...@googlemail.com
> wrote:
> > 
> > I wouldn't do my internet banking/shopping over such a
> network though...
> 
> Would you care to explain why you find an open wireless to
> be more 
> dangerous than your regular internet connection?
> 
> Regards,
> Andrei
> -- 
> Offtopic discussions among Debian users and developers:
> http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
> 


  


Archive: http://lists.debian.org/690903.15138...@web121403.mail.ne1.yahoo.com



Re: firewall package for laptop wi-fi client

2011-01-04 Thread Eduardo M KALINOWSKI

On Ter, 04 Jan 2011, Andrei Popescu wrote:

Would you care to explain why you find an open wireless to be more
dangerous than your regular internet connection?


Because anyone nearby with a laptop can sniff the traffic, unlike with  
a regular cabled internet connection or a password protected wireless  
network (in which traffic is encrypted)?



--
By nature, men are nearly alike; by practice, they get to be wide apart.
-- Confucius

Eduardo M KALINOWSKI
edua...@kalinowski.com.br



Archive: 
http://lists.debian.org/20110104093152.46997afrbqyd6...@mail.kalinowski.com.br



Re: firewall package for laptop wi-fi client

2011-01-04 Thread Andrei Popescu
On Lu, 03 ian 11, 12:28:25, tv.deb...@googlemail.com wrote:
> 
> I wouldn't do my internet banking/shopping over such a network though...

Would you care to explain why you find an open wireless to be more 
dangerous than your regular internet connection?

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: firewall package for laptop wi-fi client [going OT]

2011-01-03 Thread tv.deb...@googlemail.com
On the 03/01/2011 05:42, Russell L. Harris wrote:
> I need recommendations for a Debian firewall package to be installed
> on a laptop or notebook which is used for web browsing and web-based
> email in public wi-fi hotspots.
> 
> My concern is to prevent infection or compromise of the laptop, so
> that the laptop may be connected safely to a home or
> office LAN which is protected by a dedicated firewall.  
> 
> My previous experience with firewalls has been limited to dedicated
> machines running firewall software such as SmoothWall.
> 
> RLH
> 
> 

Off topic for Debian but relevant to your question, I came across an
article today in Ars Technica:
http://arstechnica.com/security/guides/2011/01/stay-safe-at-a-public-wi-fi-hotspot.ars

Might be worth reading if you are in the blue regarding security
implications of open networks.


Archive: http://lists.debian.org/4d224d88.6080...@googlemail.com



Re: firewall package for laptop wi-fi client

2011-01-03 Thread tv.deb...@googlemail.com
On the 03/01/2011 10:55, Russell L. Harris wrote:
> * tv.deb...@googlemail.com  [110103 09:24]:
> 
>> Hello, if you are looking for a graphical front end you can look at
>> gufw, firestarter and guarddog. For text based tools I hear good things
>> about shorewall.
> 
> I am looking for a package which is easy to configure, whether text or
> gui; in this respect firestarter looks good.

Any will do; they default to allow outgoing connections but block
inbound ones, sometimes with additional warnings/logging when a port
scanning pattern or brute-force attack is detected.

> 
> 
> 
>> But if you do only web browsing and email and don't run any
>> web-facing services you should be fine anyway.
> 
> I do not understand; what is a "web-facing service"?

Anything listening on a port that is designed to accept connections from
the "outside" (Internet). Could be any "server" like ftp, http server
(apache...). Usually you are fine in Debian unless you purposefully
install such a service and open the corresponding ports in your firewall.
> 
> 
> 
>> The major threats are web browser security holes (update often)
>> especially through flash and java plug-ins, and pdf.
> 
> Flash and java are in most web pages.  Does a firewall not protect
> against these threats? or are browser updates necessary even with a
> firewall?

Flash is everywhere; the plugin is a proprietary closed-source beast
known for being a security nightmare. Flash is also a power hog on
laptop batteries, so if you can live without...

Java isn't really common, but some sites require running java "applets"
to log in, some offer games through java; you can live without a java (or
openjdk) plug-in more easily than flash.
Don't get mixed up with javascript, which is a different technology. For
that one use a browser extension like "NoScript" which gives you sane
defaults and allows for better control.

> 
> 
>> Hosting Windows viruses in mail attachments can also be a problem if
>> you have win machines on the lan; the virus scanner clamav can help
>> here.
> 
> This is a Window$-free environment.
Nice ;-)

> 
> 
> 
>> Firewall alone won't protect you from man in the middle and such
>> niceties on open untrusted networks.
> 
> Understood.  This need is for socializing around the table at
> StarBucks, Internet cafes, etc.  
> 
> Thanks.
> 
> RLH
>  

Best security is achieved through understanding what's running on the
machine, and how most common "threats" work.
By design open password-less networks are insecure, but the risk remains
low unless you are a known valuable target. The probability of someone
eavesdropping on your passwords or stealing your laptop is higher!

I wouldn't do my internet banking/shopping over such a network though...


Archive: http://lists.debian.org/4d21b2d9.3050...@googlemail.com
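The "allow outgoing, block inbound" default that the graphical front-ends apply, as this reply describes, is a small enough policy to write by hand and read in full. What follows is an added example, not code from anyone in the thread or from any of the packages named: a POSIX shell script that emits a minimal nftables ruleset for a laptop on an untrusted network (nftables has since replaced iptables as the default Linux packet filter; the logic is the same as an iptables default-DROP INPUT chain). It assumes that no inbound service is wanted, that IPv6 is in use, and that nft is installed for the optional syntax check; the chain_policy helper exists only so the generated text can be verified without loading it.

```shell
#!/bin/sh
# Added example (not from the thread): a client-only packet filter for a
# laptop on untrusted Wi-Fi, as an nftables ruleset. Policy: everything
# outbound is allowed; inbound, only loopback, replies to connections this
# host opened, the ICMPv6 messages IPv6 cannot work without, and DHCPv4
# replies. Everything else is sampled into the log and dropped.

laptop_ruleset() {
    cat <<'EOF'
flush ruleset
table inet laptop {
    chain input {
        type filter hook input priority 0; policy drop;

        # local-only services (cups, a local proxy, ...) talk over loopback
        iifname "lo" accept

        # replies to connections this laptop opened; junk states are dropped
        ct state established,related accept
        ct state invalid drop

        # IPv6 neighbour discovery and router advertisements
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # DHCPv4 server -> client; broadcast replies are not always tracked by conntrack
        udp sport 67 udp dport 68 accept

        # everything else: sample into the log, then fall through to the drop policy
        limit rate 5/minute log prefix "laptop-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Policy of one chain ("drop" or "accept") as read back from the generated text.
chain_policy() {
    laptop_ruleset | awk -v chain="$1" '
        $1 == "chain" && $2 == chain { inside = 1 }
        inside && /policy/ { sub(/.*policy /, ""); sub(/;.*/, ""); print; exit }'
}

# Syntax-check the ruleset without loading it (needs nft; skipped otherwise).
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
    tmp=$(mktemp) || return 1
    laptop_ruleset > "$tmp"
    nft -c -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# To install:  laptop_ruleset | sudo tee /etc/nftables.conf >/dev/null
#              sudo nft -c -f /etc/nftables.conf && sudo nft -f /etc/nftables.conf
```

Nothing in the input chain opens a port, so the services discussed in this thread (sshd, cups, a local proxy) stay reachable over loopback and the VPN or SSH sessions the laptop initiates keep working through the established/related rule. When a service is meant to be reachable from the network, add one explicit `tcp dport N accept` line for it above the log rule rather than relaxing the policy.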



Re: firewall package for laptop wi-fi client

2011-01-03 Thread Jochen Schulz
Russell L. Harris:
> * tv.deb...@googlemail.com  [110103 09:24]:
> 
>> But if you do only web browsing and email and don't run any
>> web-facing services you should be fine anyway.
> 
> I do not understand; what is a "web-facing service"?

It is a program accepting random connections from arbitrary source
addresses ("the internet"), like a web/FTP/mail server. In order to
check which programs listen on which port, post the output from
'netstat -tulpn' (run as root).

You should be aware that most people in here translate "firewall" as
"packet filter". Configuring a packet filter requires knowledge of
TCP/IP networking, so if you don't understand the term above, but still
feel the need to "secure" your system, you will need to learn about
that.

>> The major threats are web browser security holes (update often)
>> especially through flash and java plug-ins, and pdf.
> 
> Flash and java are in most web pages.  Does a firewall not protect
> against these threats?

If firewall == "packet filter": No. Otherwise: Maybe, but probably not.

> or are browser updates necessary even with a firewall?

Absolutely!

>> Firewall alone won't protect you from man in the middle and such
>> niceties on open untrusted networks.
> 
> Understood.  This need is for socializing around the table at
> StarBucks, Internet cafes, etc.  

Check for open ports (see the netstat-command above), always install the
latest upgrades and make sure to use encrypted connections whenever
possible.

J.
-- 
If I could travel in time I would show my minidisc to the Romans and
become Caesar until the batteries ran out.
[Agree]   [Disagree]
 




Re: firewall package for laptop wi-fi client

2011-01-03 Thread Jari Fredriksson
On 3.1.2011 11:55, Russell L. Harris wrote:

> 
>> The major threats are web browser security holes (update often)
>> especially through flash and java plug-ins, and pdf.
> 
> Flash and java are in most web pages.  Does a firewall not protect
> against these threats? or are browser updates necessary even with a
> firewall?
> 

Most web sites today do NOT have Java Applets. Javascript is NOT Java.
Totally different concept, and that is very common; almost 100% of web
sites do have Javascript.

A firewall does not protect from Web Browser vulnerabilities; browser
updates are a must.

-- 

Tomorrow, this will be part of the unchangeable past but fortunately,
it can still be changed today.


Archive: http://lists.debian.org/4d219ed2.60...@iki.fi



Re: firewall package for laptop wi-fi client

2011-01-03 Thread Andrei Popescu
On Lu, 03 ian 11, 09:55:45, Russell L. Harris wrote:
> 
> > But if you do only web browsing and email and don't run any
> > web-facing services you should be fine anyway.
> 
> I do not understand; what is a "web-facing service"?
 
For example a web server (apache) or some other services accessible from 
outside (ftp, ssh, file-sharing, ...). A counter-example would be cups 
(the print server) which by default only accepts connections from the 
same machine.
 
> > The major threats are web browser security holes (update often)
> > especially through flash and java plug-ins, and pdf.
> 
> Flash and java are in most web pages.  Does a firewall not protect
> against these threats? or are browser updates necessary even with a
> firewall?

A firewall is just an additional layer of protection against possible 
intruders, but it will not protect you against malware that affects 
programs which access the internet "over" the wall (like browsers and 
other *client* software) or software listening behind doors (ports) 
which you have opened on purpose, to make that software (service) 
accessible from the internet (like the web server above).

> > Hosting Windows viruses in mail attachments can also be a problem if
> > you have win machines on the lan; the virus scanner clamav can help
> > here.
> 
> This is a Window$-free environment.

As long as you don't run programs from outside Debian you can be 99,...% 
sure that your own software doesn't play ugly tricks on you, as much 
proprietary software does.

Unfortunately the Adobe flash plugin is not from Debian (even though you 
can install it with the flashplugin-nonfree helper package from contrib) 
and has had vulnerabilities in the past :(

> > Firewall alone won't protect you from man in the middle and such
> > niceties on open untrusted networks.
> 
> Understood.  This need is for socializing around the table at
> StarBucks, Internet cafes, etc.  

Maybe you could go into details about what software you are using, in 
order to get more specific recommendations.

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
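Andrei's cups counter-example above, and Jochen's 'netstat -tulpn' advice elsewhere in this thread, come down to one question per listening socket: is it bound to loopback, or to an address the network can reach? As an added example (mine, not from anyone in the thread), here is a POSIX shell/awk filter that reads the output of netstat -tulpn, and also of ss -tulpn, which has since replaced netstat on Debian, and labels each listener as local-only or exposed together with its program name. Both sample outputs are constructed for the demonstration, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread): label each listening socket as
# local-only (bound to 127.0.0.0/8 or ::1) or EXPOSED (bound to all
# interfaces or to a specific reachable address). Input on stdin: the
# output of `netstat -tulpn` or `ss -tulpn`.

# Constructed netstat -tulpn output (not from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      901/cupsd
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN      933/squid
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      901/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           540/dhclient
udp        0      0 127.0.0.1:53            0.0.0.0:*                           600/dnsmasq
udp        0      0 192.168.1.20:5353       0.0.0.0:*                           700/avahi-daemon
EOF
}

# Constructed ss -tulpn output for the same kind of host.
sample_ss() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:53      0.0.0.0:*     users:(("dnsmasq",pid=600,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::1]:631         [::]:*        users:(("cupsd",pid=901,fd=7))
EOF
}

# One line per listener: SCOPE proto/port program
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        # netstat has a numeric Recv-Q in field 2 and the address in field 4;
        # ss has the state word in field 2 and the address in field 5
        addr = ($2 ~ /^[0-9]+$/) ? $4 : $5
        n = match(addr, /:[0-9]+$/)
        if (n == 0) next
        host = substr(addr, 1, n - 1)
        port = substr(addr, n + 1)
        gsub(/\[|\]/, "", host)                 # ss writes IPv6 as [::1]
        prog = $NF
        if (prog ~ /^users:/) {                 # ss: users:(("sshd",pid=812,fd=3))
            match(prog, /"[^"]+"/)
            prog = substr(prog, RSTART + 1, RLENGTH - 2)
        } else {
            sub(/^[0-9]+\//, "", prog)          # netstat: 812/sshd
        }
        if (host == "127.0.0.1" || host == "::1" || host ~ /^127\./)
            scope = "local-only"
        else if (host == "0.0.0.0" || host == "::" || host == "*")
            scope = "EXPOSED(all)"
        else
            scope = "EXPOSED(" host ")"
        printf "%-13s %s/%s %s\n", scope, $1, port, prog
    }'
}

# Number of listeners reachable from the network.
exposed_count() {
    classify_listeners | grep -c '^EXPOSED'
}

# Usage on a live system:  sudo netstat -tulpn | classify_listeners
#                      or:  sudo ss -tulpn | classify_listeners
```

On the constructed netstat output, cups, squid and dnsmasq come out as local-only and sshd, dhclient and avahi as exposed; the exposed lines are the ones worth a firewall rule or a bind-address change, the local-only ones need neither. Run both commands with root, since without it the program column is empty.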




Re: firewall package for laptop wi-fi client

2011-01-03 Thread Russell L. Harris
* tv.deb...@googlemail.com  [110103 09:24]:

> Hello, if you are looking for a graphical front end you can look at
> gufw, firestarter and guarddog. For text based tools I hear good things
> about shorewall.

I am looking for a package which is easy to configure, whether text or
gui; in this respect firestarter looks good.



> But if you do only web browsing and email and don't run any
> web-facing services you should be fine anyway.

I do not understand; what is a "web-facing service"?



> The major threats are web browser security holes (update often)
> especially through flash and java plug-ins, and pdf.

Flash and java are in most web pages.  Does a firewall not protect
against these threats? or are browser updates necessary even with a
firewall?



> Hosting Windows viruses in mail attachments can also be a problem if
> you have win machines on the lan; the virus scanner clamav can help
> here.

This is a Window$-free environment.



> Firewall alone won't protect you from man in the middle and such
> niceties on open untrusted networks.

Understood.  This need is for socializing around the table at
StarBucks, Internet cafes, etc.  

Thanks.

RLH
 


Archive: http://lists.debian.org/20110103095545.gb3...@rlharris.org



Re: firewall package for laptop wi-fi client

2011-01-03 Thread tv.deb...@googlemail.com
On the 03/01/2011 05:42, Russell L. Harris wrote:
> I need recommendations for a Debian firewall package to be installed
> on a laptop or notebook which is used for web browsing and web-based
> email in public wi-fi hotspots.
> 
> My concern is to prevent infection or compromise of the laptop, so
> that the laptop may be connected safely to a home or
> office LAN which is protected by a dedicated firewall.  
> 
> My previous experience with firewalls has been limited to dedicated
> machines running firewall software such as SmoothWall.
> 
> RLH
> 
> 

Hello, if you are looking for a graphical front end you can look at
gufw, firestarter and guarddog. For text based tools I hear good things
about shorewall.
But if you do only web browsing and email and don't run any web-facing
services you should be fine anyway. The major threats are web browser
security holes (update often), especially through flash and java
plug-ins, and pdf. Hosting Windows viruses in mail attachments can also
be a problem if you have win machines on the lan; the virus scanner clamav
can help here.
Firewall alone won't protect you from man in the middle and such
niceties on open untrusted networks.


Archive: http://lists.debian.org/4d218609.4090...@googlemail.com



firewall package for laptop wi-fi client

2011-01-02 Thread Russell L. Harris
I need recommendations for a Debian firewall package to be installed
on a laptop or notebook which is used for web browsing and web-based
email in public wi-fi hotspots.

My concern is to prevent infection or compromise of the laptop, so
that the laptop may be connected safely to a home or
office LAN which is protected by a dedicated firewall.  

My previous experience with firewalls has been limited to dedicated
machines running firewall software such as SmoothWall.

RLH


Archive: http://lists.debian.org/20110103044227.ga2...@rlharris.org