NFTables IPTables-Replacement Queued For Linux 3.13

  • #11
    Originally posted by Pallidus View Post
    Rexillion, in windows or os x where you have a million services and system components dialing home, yes whitelisting can be problematic and difficult but in linux distros it wouldn't be.
    I beg to differ. What about renaming devices? How are updates handled? Using the argument that another OS has implies Linux needs it too is just having it because others have it too. That is not a sound argument if you ask me.

    Besides, on Windows it fails if you only look at the .exe files. svchost.exe will load just anything that has .dll in its name, keeping svchost.exe itself legit.

    Originally posted by Pallidus View Post
    At least you would have a chance, let's say a legit service gets compromised, to see who it was dialing too.
    Netfilter has logging capabilities. Furthermore, there is Selinux, PAX and all the other 'Security Subsystems' in the linux kernel dealing with that.

    Originally posted by Pallidus View Post
    I maintain that little snitch is one of the best firewalls I've seen and it allows you to define rules like app x can only dial to ip y via port z once
    Why not make sure that the service does not get compromised in the first place? No need for tedious maintaining of rulesets that have the tendency to change on each update (furthermore, these rulesets have proven to be ineffective, i.e. almost every piece of malware uses port 80 or 443). If a service gets compromised you already lost.

    I get your idea, I did this myself in Windows XP once. It was hell. Stuff just randomly broke.



    • #12
      Originally posted by Rexilion View Post
      I just really hope I won't have to rewrite my rules, I spend ages on the current ones .
      From http://netfilter.org/projects/nftables/ :
      backward compatibility iptables/ip6tables user-space utility at:
      http://git.netfilter.org/iptables-nftables/



      • #13
        Originally posted by oibaf View Post
        Should have been more specific. I know about the backward compatibility. BUT, what I really meant was: hopefully simply replacing the old rules with the new syntax will yield the same behaviour. I.e. no subtle changes that could imply a radical change.

        My firewall is kind of 'complicated' (yes, I like reading docs).

        The backward thing is kind of nice at best, but I would probably not be able to resist rewriting once I get my hands on this. Fortunately, I'm stuck with 3.10 for the nvidia blob since nouveau causes my card to deadlock at really random moments.



        • #14
          Originally posted by tesfabpel View Post
          Will it finally be possible with nftables to block certain programs from sending or receiving from the net (optionally filtered by port too)?
          :P
          IPTABLES(8) iptables 1.4.4 IPTABLES(8)

          NAME
          iptables - administration tool for IPv4 packet filtering and NAT

          [ ....................... ]

          owner
          This module attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded
          packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.

          [!] --uid-owner username

          [!] --uid-owner userid[-userid]
          Matches if the packet socket's file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.

          [!] --gid-owner groupname

          [!] --gid-owner groupid[-groupid]
          Matches if the packet socket's file structure is owned by the given group. You may also specify a numerical GID, or a GID range.

          [!] --socket-exists
          Matches if the packet is associated with a socket.



          • #15
            Originally posted by dibal View Post
            IPTABLES(8) iptables 1.4.4 IPTABLES(8)

            NAME
            iptables - administration tool for IPv4 packet filtering and NAT

            [ ....................... ]

            owner
            This module attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded
            packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.

            [!] --uid-owner username

            [!] --uid-owner userid[-userid]
            Matches if the packet socket's file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.

            [!] --gid-owner groupname

            [!] --gid-owner groupid[-groupid]
            Matches if the packet socket's file structure is owned by the given group. You may also specify a numerical GID, or a GID range.

            [!] --socket-exists
            Matches if the packet is associated with a socket.
            Well... yes. If you like creating a new user for each user/program combo, then yes...

            Btw, this does not work for NFS and other kernel mounting protocols. Let alone incoming connections (OUTPUT and POSTROUTING only).

            Whatever works for you.

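The owner match discussed in the two posts above, as an added nftables example (not from the thread, and not the netfilter project's own documentation): the `-m owner --uid-owner` iptables rule and its nftables counterpart, the `meta skuid` socket-owner match, used to give one service account a single allowed destination port. The account name `backup` and the port are constructed placeholders; the caveats in the post (locally generated packets only, no coverage of kernel-originated traffic such as an in-kernel NFS client) apply unchanged.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Per-user egress control with the
# nftables socket-owner match; the iptables rules it replaces are in comments.
# "backup" is a constructed placeholder service account.
flush ruleset

table inet filter {
    chain output {
        # Owner matching only makes sense here: locally generated packets carry
        # a socket. Forwarded packets have none, and traffic produced inside
        # the kernel (e.g. an NFS client) has no user-space owner to match.
        type filter hook output priority 0; policy accept;

        # Replies to connections already accepted are left alone.
        ct state established,related accept

        # iptables: -A OUTPUT -m owner --uid-owner backup -p tcp --dport 443 -j ACCEPT
        meta skuid backup tcp dport 443 accept

        # iptables: -A OUTPUT -m owner --uid-owner backup -j LOG --log-prefix "backup-egress: "
        #           -A OUTPUT -m owner --uid-owner backup -j DROP
        # Log before dropping so a compromised service's attempts show up in
        # the kernel log instead of failing silently.
        meta skuid backup log prefix "backup-egress: " drop
    }
}
```

Load it with `nft -f <file>`; `nft list chain inet filter output` shows the rules with counters if you add `counter` to them. The per-user granularity is exactly what the post points out: the match keys on the UID owning the socket, so a "per program" policy needs a dedicated account per program, and a service that opens sockets as root is not distinguishable from any other root process this way.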


            • #16
              Originally posted by Rexilion View Post
              My firewall is kind of 'complicated' (yes, I like reading docs).
              I like that, too. And Gentoo docs say pretty much "you don't need a firewall if you're behind NAT, dummy!". So I'm cool with following that advice.

              Originally posted by Rexilion View Post
              Fortunately, I'm stuck with 3.10 for the nvidia blob since nouveau causes my card to deadlock at really random moments.
              Wait, yours too? Please see this: https://bugs.freedesktop.org/show_bug.cgi?id=69882



              • #17
                Originally posted by Rexilion View Post
                Well... yes. If you like creating a new user for each user/program combo, then yes...

                Btw, this does not work for NFS and other kernel mounting protocols. Let alone incoming connections (OUTPUT and POSTROUTING only).

                Whatever works for you.
                The NSA has a solution for you: selinux. And maybe you have control over what your programs are listening to.



                • #18
                  Originally posted by Rexilion View Post
                  My firewall is kind of 'complicated' (yes, I like reading docs).
                  I wouldn't say that's a good thing.... a complicated firewall is much more likely to have holes in it than a simple one....



                  • #19
                    Originally posted by GreatEmerald View Post
                    Originally posted by Rexilion View Post
                    My firewall is kind of 'complicated' (yes, I like reading docs).
                    I like that, too. And Gentoo docs say pretty much "you don't need a firewall if you're behind NAT, dummy!". So I'm cool with following that advice.
                    Yes, if you are behind a NAT device then everything is cool (in theory). But I like my laptop to not respond to closed ports (TCP, UDP) whenever something is not listening on it. I find this convenient if I'm at an unknown network. And once you have that figured out, why apply it to the desktop as well just to make the conf file management easier.

                    Furthermore, I also use a VPN (IPSEC) and allow internet connection sharing. You have to be careful of not allowing the person using your internet connection to access the other side of your IPSEC VPN (ever thought about that?). This could happen if you have a default rule for masquerading, which I require for my qemu hosts to work properly (this way they can access my home network).

                    Standard firewall is not safe once you have a slightly adventurous setup. And as you can see, I'm able to use netfilter to do some really nifty things. And yes, there have been moments where there was a hole. But it was never worse than the default configuration.

                    That being said, I don't trust my router which implies I'm replicating NAT on each box (your very own router can be hacked as well, why blindly trust it?). And then I also slapped some basic DDOS protection on it while I'm there.

                    I think, on and off, I have tweaked the firewall for quite a few years. But I haven't touched it in ages; it's working *exactly* how I want it and how I expect it to. Furthermore, tinkering like this helps you explore more stuff about Linux. I learned about ip, routing tables, MAC addresses, tcpdump (godsend), wireshark (tcpdump made cool) and the netfilter connection tracking tables.

                    I even went in the RFC docs once to differentiate NAT UDP packets that were either part of IKE (some bitfield is zero) or part of ESP itself. This taught me about bitfields.

                    Originally posted by GreatEmerald View Post
                    Originally posted by Rexilion View Post
                    Fortunately, I'm stuck with 3.10 for the nvidia blob since nouveau causes my card to deadlock at really random moments.
                    Wait, yours too? Please see this: https://bugs.freedesktop.org/show_bug.cgi?id=69882
                    Nope, at least you get output in dmesg. I get squat: https://bugs.freedesktop.org/show_bug.cgi?id=70566 . I even tried netconsole -> no output. Switched to the blob to rule out a defect card.

                    I wouldn't be surprised these cards are exhibiting this behaviour since nouveau does not reclock their engines. We are actually using them in a way they were not designed for.

                    Originally posted by dibal View Post
                    The NSA has a solution for you: selinux. And maybe you have control what your programs are listen to.
                    Lol, look here at the first post. I call that insane.

                    Originally posted by Delgarde View Post
                    I wouldn't say that's a good thing.... a complicated firewall is much more likely to have holes in it than a simple one....
                    Agreed. I block all protocols except TCP, UDP and ICMP. Then I make a policy based on the addrtype extension. If you really put some hard thought into your design, then you can in fact create a nice structured firewall without losing oversight. I think I'll take my risk.

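The masquerade-versus-IPsec problem raised in the post above, as an added nftables example (not the poster's ruleset and not anything from the netfilter project): a blanket masquerade rule beside one scoped to the guest subnet, plus a forward rule that keeps anyone sharing the host's internet connection away from the network on the far side of the VPN. The subnets `10.0.3.0/24` (qemu guests bridged on `br0`) and `192.168.10.0/24` (the remote network behind the IPsec tunnel) and the interface name `wan0` are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Shows why a default masquerade rule can
# push shared-connection traffic into a policy-based IPsec tunnel, and a
# scoped alternative. Addresses and interface names are constructed placeholders.
flush ruleset

define guests = 10.0.3.0/24          # qemu guests bridged on br0
define vpn_remote = 192.168.10.0/24  # network reachable through the IPsec SA

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Weak form, kept as a comment: with policy-based IPsec the plaintext
        # packet traverses this hook before ESP encapsulation, so a guest packet
        # for $vpn_remote is rewritten to the host's address, then matches the
        # host's IPsec policy and rides the tunnel as if the host had sent it.
        #   oifname "wan0" masquerade

        # Scoped form: only the guest subnet, and never toward the VPN network.
        ip saddr $guests ip daddr != $vpn_remote oifname "wan0" masquerade
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Internet sharing for the guests, with the VPN's remote network
        # explicitly off-limits. The drop comes first because the route to
        # $vpn_remote also leaves via wan0 and would otherwise match the accept.
        iifname "br0" ip saddr $guests ip daddr $vpn_remote log prefix "guest-to-vpn: " drop
        iifname "br0" ip saddr $guests oifname "wan0" accept
    }
}
```

The same belt-and-braces idea in iptables terms is the usual `-m policy --dir out --pol ipsec` exemption placed ahead of `MASQUERADE`; matching on addresses as above is the version that works without the policy match and makes the intended boundary (guests never reach `$vpn_remote`) explicit in both the nat and the filter table.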
