Firewall documentation is outdated

Bug #377039 reported by bodhi.zazen on 2009-05-15
This bug affects 1 person
Affects: ubuntu-docs (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: ubuntu-docs

Just looking at some of the documentation.

Came across this page : https://help.ubuntu.com/9.04/keeping-safe/C/firewall.html

I have a few concerns about this information.

First the default firewall is iptables and I think we should point out firestarter and other tools are for configuration.

Second, the default config tool is now ufw, gufw if you want a GUI config tool. Installing firestarter conflicts with ufw, so at a minimum ufw needs to be removed. (Failures of firestarter due to conflicts with ufw are frequent on the forums).

Examples:

http://ubuntuforums.org/showthread.php?t=795472
http://ubuntuforums.org/showthread.php?t=1009441
http://ubuntuforums.org/showthread.php?t=1157663
http://ubuntuforums.org/showthread.php?t=1060135

Firestarter is showing its age:

http://ubuntuforums.org/showthread.php?t=1127005

Third, IMO, Firestarter is outdated. The project is no longer maintained and is showing its age. I do not believe we should be advising firestarter, rather we should at least mention iptables and then follow through with information on ufw (for servers) and gufw (desktops).

While on the subject of iptables - may I suggest we review the documentation for configuring iptables? Yes there are tools to configure iptables, but honestly it takes as long to learn iptables as it does to say use guarddog or shorewall. IMO it would be nice to make the documentation on iptables as new user friendly as possible, possibly an introductory page on networking, network protocols, and ports? Hopefully the introductory page can be basic enough that it applies to all firewall config tools.

People install these things and then have no idea what to do with them :

http://ubuntuforums.org/showthread.php?t=1007968

:)

bodhi.zazen


Connor Imes (ckimes) wrote :

I would also like to nominate the following wiki pages for needing work on this topic:
https://help.ubuntu.com/community/Firestarter
https://help.ubuntu.com/community/IptablesHowTo

Thanks for filing this bodhi :)

Changed in ubuntu-docs (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Connor Imes (ckimes) wrote :

bodhi.zazen and I will work to update the Community Doc pages relating to firewalls, then will update the system docs.
One of the key things that is missing is a centralized Firewall page on the community docs, so we will create that as well.

summary: - Firestarter is outdated
+ Firewall documentation is outdated
Changed in ubuntu-docs (Ubuntu):
status: Confirmed → In Progress
Connor Imes (ckimes) wrote :

Just an update: We have a frontpage for firewall documentation:
   https://help.ubuntu.com/community/Firewall
Also wrote a page for Gufw:
   https://help.ubuntu.com/community/Gufw
And updated UFW page (and moved it):
   https://help.ubuntu.com/community/UFW

Iptables page - https://help.ubuntu.com/community/Iptables - hasn't been updated yet, but bodhi.zazen will write up something to replace the existing firewall page in the system docs (which at the moment only really talks about Firestarter [outdated]), and I'll put it into Docbook XML. The plan is to get this in before the Karmic String Freeze on October 1.

I revised the firewall documentation :)

Feedback welcome


bodhi.zazen (bodhi.zazen) wrote :

You may wish to configure a firewall to protect your computer from unauthorized access.

Understanding a few basic concepts will help you configure a firewall and should be sufficient for most desktop users.

First, keep in mind Linux, and thus Ubuntu, is modular. This means that rather than one large program that "does it all", several smaller applications are used. Often there is more than one option for each individual component.

Firewall

The firewall is called netfilter and by default is permissive, meaning it allows all traffic. netfilter can be configured using a command line program iptables.

Configuration Tools.

There are several tools that can be used to configure a firewall.

UFW is a command line tool included with Ubuntu. To activate your firewall open a terminal and type

[code]sudo ufw enable[/code]

For the vast majority of desktop users ufw is sufficient.

Many people prefer graphical configuration tools and the default graphical tool in Ubuntu is gufw. It can be installed using Add/Remove programs, synaptic, or command line tools and is available from your menu under

System -> Administration -> Firewall Configuration.

To activate your firewall, click (check off) the "Enabled" button on the Left, under "Actual Status".

If you prefer, several additional configuration tools are available in the Ubuntu repositories including Firestarter, Guard dog, and Shorewall.

Testing and Monitoring your network traffic (firewall).

Because Ubuntu is modular we have separate options to test and monitor network traffic.

To test your firewall it is best to scan it from a second computer and nmap is a popular application to use. Again you will need to install nmap, then run

[code]nmap -vAPN ip_address[/code]

To see what services are associated with the open ports run

[code]lsof -i -n -P[/code]

Actual monitoring of your network traffic can be done with either wireshark or snort. Wireshark will analyze the network packets (of information) and snort is used in NIDS (Network Intrusion Detection System) and will notify you of unusual traffic.
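
An added example, not part of bodhi.zazen's draft or of the Ubuntu docs: a filter for the `lsof -i -n -P` output mentioned above that keeps only the sockets reachable from another machine (TCP listeners and unconnected UDP sockets not bound to loopback), which are the ports an nmap scan would find while netfilter is still permissive. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `lsof -i -n -P` output (not captured from a real host).
sample_lsof() {
cat <<'EOF'
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd     812     root    7u  IPv4  11210      0t0  TCP 127.0.0.1:631 (LISTEN)
sshd      934     root    3u  IPv4  12001      0t0  TCP *:22 (LISTEN)
sshd      934     root    4u  IPv6  12003      0t0  TCP *:22 (LISTEN)
avahi-dae 701    avahi   13u  IPv4  10544      0t0  UDP *:5353
dhclient  655     root    6u  IPv4  10120      0t0  UDP *:68
smbd      1290    root   31u  IPv4  15877      0t0  TCP 192.168.1.20:445 (LISTEN)
firefox   2210   alice   55u  IPv4  20991      0t0  TCP 192.168.1.20:41822->93.184.216.34:443 (ESTABLISHED)
mysqld    1102   mysql   10u  IPv4  13650      0t0  TCP 127.0.0.1:3306 (LISTEN)
ntpd      880      ntp   16u  IPv6  11876      0t0  UDP [::1]:123
EOF
}

# Reads lsof -i -n -P output on stdin and prints one "PROTO/port command"
# line per service that accepts traffic on a non-loopback address.
exposed_listeners() {
    awk '
    $1 == "COMMAND" { next }                      # header row
    {
        proto = $8; name = $9; state = $10
        if (proto != "TCP" && proto != "UDP") next
        if (proto == "TCP" && state != "(LISTEN)") next
        if (name ~ /->/) next                     # connected socket, not a listener
        if (!match(name, /:[0-9]+$/)) next        # numeric port after the last colon
        addr = substr(name, 1, RSTART - 1)
        port = substr(name, RSTART + 1)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
        key = proto "/" port " " $1
        if (!(key in seen)) { seen[key] = 1; print key }  # IPv4 and IPv6 rows collapse
    }'
}

# Demo on the constructed sample; on a real host use:
#   sudo lsof -i -n -P | exposed_listeners
sample_lsof | exposed_listeners
```

Each line printed is a service to either allow explicitly or leave blocked once `sudo ufw enable` is in effect; `sudo ufw status verbose` shows the rules to compare against.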

Connor Imes (ckimes) wrote :

Here is a proposed diff for updating the keeping-safe docs on firewall usage, based on bodhi's feedback and suggestions. The material for firestarter is still there (slightly modified), and I added in mention of UFW and simple directions on using Gufw. Also gave links to the UFW and Gufw community docs pages which contain valuable information. Finally there is additional mentioning of using nmap to test ports in a new section called "Testing the firewall and monitoring network traffic". This section can be expanded on in the future if desired.

The serverguide already mentions UFW, so I didn't make any changes in firewall documentation there.

I hope we can get this approved and committed before the Karmic string freeze.

Changed in ubuntu-docs (Ubuntu):
status: In Progress → Triaged
tags: added: patch
Matthew East (mdke) wrote :

I've applied this patch to the karmic branch - thanks!

By way of review I've made some changes in revision 355, feel free to shout if you disagree with any of them. The most significant is to remove the section on firestarter entirely, as per bodhi.zazen's original post. I think that there is no point recommending two different tools.

One of the other things I've tried to do in the review is to "de-technalise" it a bit. I've removed the use of the word "frontend" which is not a word that most users will understand, and tried to add a couple of explanatory sentences. Again, any criticism is welcome!

Changed in ubuntu-docs (Ubuntu):
status: Triaged → Fix Committed
bodhi.zazen (bodhi.zazen) wrote :

Thank you Matthew.

One of my issues is that I tend to be - -verbose and actually I struggled to be as short as I was in my recommendations.

GUFW should be sufficient for the vast majority of Desktop Users (some would say overkill).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-docs - 9.10.8

---------------
ubuntu-docs (9.10.8) karmic; urgency=low

  * General:
    - Refresh pot files
  * hardware.xml:
    - Update jockey instructions to reflect UI changes from some time ago (LP: #281143)
    - Remove link to deprecated section in accessibility guide (LP: #293842)
  * internet.xml:
    - Network manager network list no longer has radio buttons, Dean Sas
  * keeping-safe.xml:
    - Update firewall section, Connor Imes / bodhi.zazen (LP: #377039)
  * usb-creator.xml:
    - Add manual for usb-creator, new document by Augustina Blair
  * serverguide.xml:
    - Add additional information for configuring TLS with OpenLDAP and gnutls, PeterNSteinmetz (LP: #437483)

 -- Matthew East <email address hidden> Sun, 27 Sep 2009 17:26:16 +0100

Changed in ubuntu-docs (Ubuntu):
status: Fix Committed → Fix Released