this post was submitted on 25 Jan 2024

92 points (94.2% liked)

Linux

47756 readers

1305 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

When do I actually need a firewall? (sh.itjust.works)

submitted 8 months ago* (last edited 8 months ago) by Kalcifer@sh.itjust.works to c/linux@lemmy.ml

126 comments fedilink hide all child comments

I've spent some time searching this question, but I have yet to find a satisfying answer. The majority of answers that I have seen state something along the lines of the following:

"It's just good security practice."
"You need it if you are running a server."
"You need it if you don't trust the other devices on the network."
"You need it if you are not behind a NAT."
"You need it if you don't trust the software running on your computer."

The only answer that makes any sense to me is #5. #1 leaves a lot to be desired, as it advocates for doing something without thinking about why you're doing it -- it is essentially a non-answer. #2 is strange -- why does it matter? If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router's NAT at port 80 to open that server's port to the public. What difference does it make to then have another firewall that needs to be port forwarded? #3 is a strange one -- what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there's nothing to access. #4 feels like an extension of #3 -- only, in this case, it is most likely a larger group that the device is exposed to. #5 is the only one that makes some sense; if you install a program that you do not trust (you don't know how it works), you don't want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device's actions.

If anything, a firewall only seems to provide extra precautions against mistakes made by the user, rather than actively preventing bad actors from getting in. People seem to treat it as if it's acting like the front door to a house, but this analogy doesn't make much sense to me -- without a house (a service listening on a port), what good is a door?

(page 3) 26 comments

sorted by: hot top controversial new old

[–] Paragone@lemmy.ml 0 points 8 months ago* (last edited 8 months ago) (1 children)

A couple of decades ago, iirc, SANS.org ( IF I'm remembering who it was who did it ) put a fresh-install of MS-Windows on a machine, & connected it to the internet.

It took SEVERAL MINUTES for it to be broken-into, & corrupted, botnetted.

The auto-attacks by botnets are continuous: hitting different ports, trying to break-in, automatically.

I've had linux desktops pwned from me.

the internet should be considered something like a mix of toxic & corrosive chemicals: "maybe" your hand will be fine, if you dip it in for a moment & immediately rinse it off ( for 3 hours ), but if you leave you limbs dwelling in the virulent slop, Bad Things(tm) are going to happen, sooner-or-later.

I used to de-infest Windows machines for my neighbours...

haven't done it in years: they'll not pay-for good anti-virus, they'll not resist installing malware: therefore there is no point.

Let 'em rot.

I've got a life to work-on uncrippling, & too-little strength/time left.

"but I don't need antivirus: i never get infected!!"

then how come I needed to de-infest it for you??

"but I don't need an immune-system: pathogens are a hoax!!"

get AIDS, then, & don't use anti-AIDS drugs, & see how "healthy" you are, 2 years in.

Same argument, different context-mapping.

Tarpit was a wonderful-looking invention, for Linux's netfilter/iptables, years ago: don't help botnets scan quickly & efficiently to help them find a way to break-in...

Anyways, just random thoughts from an old geek...

EDIT: "when do I need to wear a seatbelt?"

is essentially the same category of question.

_ /\ _

load more comments (1 replies)

[–] Petter1@lemm.ee 0 points 8 months ago* (last edited 8 months ago) (1 children)

You most likely don’t need on device firewall if your in your home network behind a router that has a firewall. If you‘d disable that firewall as well and one of your devices has e.g. SSH activated using username and password, than there is nothing stopping a "hacker" or "script kiddy" from penetrating/spamming your SSH port and brute force your password. The person than can take over your PC and can e.g. install software for his botnet or install keylogger or can overtake your browser session including all authentication cookies or many other bad stuff.

If you are using puplic WiFi, I’d recommend a good on device firewall, or better just use a VPN to get an encrypted tunnel to your home (where you would need to open a port for that tho) and go into the internet from there.

[–] Kalcifer@sh.itjust.works 1 points 8 months ago

You most likely don’t need on device firewall if your in your home network behind a router that has a firewall.

Under what circumstance(s) would one need a device firewall? If I were to guess, I would say that it is when the internet facing device doesn't contain a firewall within it (e.g. some enterprise-grade router), so a dedicated firewall device must exist behind it.

[–] TCB13@lemmy.world 0 points 8 months ago* (last edited 8 months ago) (1 children)

#1 leaves a lot to be desired, as it advocates for doing something without thinking about why you’re doing it – it is essentially a non-answer.

Agreed. That's mostly BS from people who make commissions from some vendor.

#2 is strange – why does it matter? If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router’s NAT at port 80 to open that server’s port to the public. What difference does it make to then have another firewall that needs to be port forwarded?

A Firewall might be more advanced than just NAT/poking a hole, it may do intrusion detection (whatever that means) and DDoS protection

#3 is a strange one – what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there’s nothing to access.

Maybe you've a bunch of IoT devices in your network that are sold by a Chinese company or any IoT device (lol) and you don't want them to be able to access the internet because they'll establish connections to shady places and might be used to access your network and other devices inside it.

#5 is the only one that makes some sense;

Essentially the same answer and in #3

If we're talking about your home setup and/or homelab just don't get a hardware firewall, those are overpriced and won't add much value. You're better off by buying an OpenWRT compatible router and ditching your ISP router. OpenWRT does NAT and has a firewall that is easy to manage and setup whatever policies you might need to restrict specific devices. You'll also be able to setup things such as DoH / DoT for your entire network, setup a quick Wireguard VPN to access your local services from the outside in a safe way and maybe use it to setup a couple of network shares. Much more value for most people, way cheaper.

[–] Kalcifer@sh.itjust.works 1 points 8 months ago (1 children)

A Firewall might be more advanced than just NAT/poking a hole, it may do intrusion detection (whatever that means) and DDoS protection

I mean, sure, but the original question of why there's a need for a second firewall still exists.

Maybe you’ve a bunch of IoT devices in your network that are sold by a Chinese company or any IoT device (lol) and you don’t want them to be able to access the internet because they’ll establish connections to shady places and might be used to access your network and other devices inside it.

This doesn't really answer the question. The device without a firewall would still be on the same network as the "sketchy IoT devices". The question wasn't about whether or not you should have outgoing rules on the router preventing some devices from making contact with the outside world, but instead was about what risk there is to a device that doesn't have a firewall if it doesn't have any services listening.

Essentially the same answer and in #3

Somewhat, only I would solve it using an application layer firewall rather than a packet filtering firewall (if it's even possible to practically solve that with a packet filtering firewall without just dropping all outgoing packets, that is).

just don’t get a hardware firewall

What is the purpose of these devices? Is it because enterprise routers don't contain a firewall within them, so you need a dedicated device that offers that functionality?

[–] TCB13@lemmy.world 1 points 8 months ago* (last edited 8 months ago) (1 children)

I don't know what else is there to answer about the purpose of a hardware firewall.

Hardware firewalls have their use cases, mostly overkill for homelabs and most companies but they have specific features you may want that are hard or impossible to get in other ways.

A hardware firewall may do the following things:

Run DPI and effectively block machines on the network to access certain protocols, websites, hosts or detect whenever some user is about to download malware and block it;
Run stats and alert sysadmins of suspicious behaviors like a user sending large amount of confidential data to the outside;
Have "smart" AI features that will detect threats even when they aren't known yet;
Provide VPN endpoints and site-to-site connections. This is very common in brands like WatchGuard;
Higher throughput than your router while doing all the other operations above;
Better isolation.

An isolated device is the fact that you can then play around with your routers without having to think about the security as much - you may break them, mess some config but you can be sure that the firewall is still in place and doing its job. The firewall becomes both a virtual and a physical and physiological barrier between your network and the outside, there's less risk of plugging a wire on the wrong spot or a apply a configuration and suddenly having your entire network exposed.

Sure you may be able to setup something on OpenWRT to cover most of the things I listed before but how much time will you spend on that? Will it be as reliable? What about support? A Pi-hole is also another common solution for those problems, and it may work until a specific machines devices to ignore its DNS server and go straight to the router / outside.

You can even argue that you can virtualize something like pfSense or OPNsense on some host that also virtualizes your router and a bunch of other stuff, however, is it wise? Most likely not. Virtualization is mostly secure but we've seen cases from time to time where a compromised VM can be used to gain access to the host or other VMs, in this case the firewall could be hacked to access the entirety of your network.

When you've to manage larger networks, lets say 50* devices I believe it becomes easier to see how a hardware firewall can become useful. You can't simply trust all those machines, users and software policies in them to ensure that things are secure.

[–] Kalcifer@sh.itjust.works 1 points 8 months ago (1 children)

Have “smart” AI features that will detect threats even when they aren’t known yet;

This is a crazy one -- pattern recognition of traffic.

Higher throughput than your router while doing all the other operations above;

Fair point! I hadn't considered that one.

You can even argue that you can virtualize something like pfSense or OPNsense on some host

This is an intriguing idea. I hadn't heard of it before.

also virtualizes your router

How would one virtualize a router...? That sounds strange, to say the least.

load more comments (1 replies)

[–] ItsAFake@lemmus.org -5 points 8 months ago

It's to stop Genghis Khan from invading your computer.

load more comments