92
When do I actually need a firewall? (sh.itjust.works)
submitted 9 months ago* (last edited 9 months ago) by Kalcifer@sh.itjust.works to c/linux@lemmy.ml
126 comments fedilink hide all child comments

I've spent some time searching this question, but I have yet to find a satisfying answer. The majority of answers that I have seen state something along the lines of the following:

  1. "It's just good security practice."
  2. "You need it if you are running a server."
  3. "You need it if you don't trust the other devices on the network."
  4. "You need it if you are not behind a NAT."
  5. "You need it if you don't trust the software running on your computer."

The only answer that makes any sense to me is #5. #1 leaves a lot to be desired, as it advocates for doing something without thinking about why you're doing it -- it is essentially a non-answer. #2 is strange -- why does it matter? If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router's NAT at port 80 to open that server's port to the public. What difference does it make to then have another firewall that needs to be port forwarded? #3 is a strange one -- what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there's nothing to access. #4 feels like an extension of #3 -- only, in this case, it is most likely a larger group that the device is exposed to. #5 is the only one that makes some sense; if you install a program that you do not trust (you don't know how it works), you don't want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device's actions.

If anything, a firewall only seems to provide extra precautions against mistakes made by the user, rather than actively preventing bad actors from getting in. People seem to treat it as if it's acting like the front door to a house, but this analogy doesn't make much sense to me -- without a house (a service listening on a port), what good is a door?

(page 2) 50 comments
sorted by: hot top controversial new old
[-] GravitySpoiled@lemmy.ml 2 points 9 months ago* (last edited 9 months ago)

I've got two services on my computer. One is for email, I want that this port to be open to the public WAN and one is for immich which hosts all my private pictures, I don't want this port to be public but reachable on LAN. In my router I open the port for email but not for immich. Emal can communicate on LAN and WAN and immich only on LAN. On a foreign, untrusted LAN, like an airport I don't want other people being able to sniff my immich traffic which is why I have another firewall setting for an untrusted LAN.

load more comments (2 replies)
[-] kby@feddit.de 2 points 9 months ago

I personally use a firewall for containing the local services I am running on my non-server PC, ex. Tiny Tiny RSS. If I am only using Tiny Tiny RSS locally, it's just potentially dangerous to make this service visible and accessible for every client in my local network, which in my case, isn't populated by my own personal devices, as I live in a dormitory. Other than that, you can block the well-known ports of commonly exploited protocols such as UPnP. That's not because someone will "break into your device" with UPnP, but rather as a matter of digital autonomy, to control the mode of network communication done by the software on your device.

[-] bizdelnick@lemmy.ml 1 points 9 months ago

You always need it and you actually use it. The smarter question is when you need to customize its settings. Defaults are robust enough, so unless you know what and why you need to change, you don't.

[-] Kalcifer@sh.itjust.works 1 points 9 months ago

Defaults are robust enough

Would you mind defining what "defaults" are?

[-] bizdelnick@lemmy.ml 1 points 9 months ago

Defaults are the default settings of your firewall (netfilter in linux).

[-] Kalcifer@sh.itjust.works 1 points 9 months ago

Is netfilter not just the API through which you can make firewall rules (e.g. nftables) for the networking stack?

[-] thanks_shakey_snake@lemmy.ca 1 points 9 months ago

For me, it's primarily #5: I want to know which apps are accessing the network and when, and have control over what I allow and what I don't. I've caught lots of daemons for software that I hadn't noticed was running and random telemetry activity that way, and it's helped me sort-of sandbox software that IMO does not need access to the network.

Not much to say about the other reasons, other than #2 makes more sense in the context of working with other people: If your policy is "this is meant to be an HTTPS-only machine," then you might want to enforce that at the firewall level to prevent some careless developer from serving the app on port 80 (HTTP), or exposing the database port while they're throwing spaghetti at the wall wrestling with some bug. That careless developer could be future-you, of course. Then once you have a policy you like, it's also easier to copy a firewall config around to multiple machines (which may be running different apps), instead of just making sure to get it consistently right on a server-by-server basis.

So... Necessary? Not for any reason I can think of. But useful, especially as systems and teams grow.

load more comments (1 replies)
[-] Paragone@lemmy.ml 1 points 9 months ago* (last edited 9 months ago)

A couple of decades ago, iirc, SANS.org ( IF I'm remembering who it was who did it ) put a fresh-install of MS-Windows on a machine, & connected it to the internet.

It took SEVERAL MINUTES for it to be broken-into, & corrupted, botnetted.

The auto-attacks by botnets are continuous: hitting different ports, trying to break-in, automatically.

I've had linux desktops pwned from me.

the internet should be considered something like a mix of toxic & corrosive chemicals: "maybe" your hand will be fine, if you dip it in for a moment & immediately rinse it off ( for 3 hours ), but if you leave you limbs dwelling in the virulent slop, Bad Things(tm) are going to happen, sooner-or-later.

I used to de-infest Windows machines for my neighbours...

haven't done it in years: they'll not pay-for good anti-virus, they'll not resist installing malware: therefore there is no point.

Let 'em rot.

I've got a life to work-on uncrippling, & too-little strength/time left.

"but I don't need antivirus: i never get infected!!"

then how come I needed to de-infest it for you??

"but I don't need an immune-system: pathogens are a hoax!!"

get AIDS, then, & don't use anti-AIDS drugs, & see how "healthy" you are, 2 years in.

Same argument, different context-mapping.

Tarpit was a wonderful-looking invention, for Linux's netfilter/iptables, years ago: don't help botnets scan quickly & efficiently to help them find a way to break-in...

Anyways, just random thoughts from an old geek...

EDIT: "when do I need to wear a seatbelt?"

is essentially the same category of question.

_ /\ _

load more comments (1 replies)
load more comments
view more: ‹ prev next ›
this post was submitted on 25 Jan 2024
92 points (94.2% liked)

Linux

48210 readers
715 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
nooter692@lemmy.ml
AgreeableLandscape@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz