Firewall in Linux

Do you guys use a firewall? Do you need a firewall in Linux? I only use my computer at home or university but still would like to know if I should install a firewall. Thanks

If you're behind a router, a software firewall isn't needed

If you don't want anyone accessing your PC. But you could use standard ifconfig.

Yeah but what if I want to use my PC in a public network some day.

wiki.archlinux.org/index.php/Ufw

I will look into it. What safety measures should I take when connecting to a public network?

Ubuntu has a firewall; it is enabled by default. You always need a firewall, it is important. More important than shitty antivirus.

I am currently on Arch.

Nah, also don't use condoms. The risk is what makes life exciting.

Thanks for the enlightening answer.

>doesn't know basic shit like installing a firewall
>uses arch
pottery

Thanks!

That's not true at all. If you're behind a router *doing NAT* you might be able to get away without a firewall. You can still get owned from within the LAN, and if your endpoint has a public IP being routed to it you're still boned. Have fun getting owned when your ISP gets around to enabling IPv6.

Yes. I have 4 networks and they are all isolated. One of them is firewalled from accessing the web.
I can buy chink cams and not be on the botnet. Anyone that tells you that you don't need a firewall can fuck right off. They are the same fools that got WannaCried and Mirai'd.

Whitelist the ports you need to have up, shut down everything else.
Secure the applications you know are listening to the ports.

>Do you guys use a firewall?
Yes
>Do you need a firewall in Linux?
Maybe
>I only use my computer at home
Maybe you can get by without a firewall
>or university
YOU NEED A FIREWALL
>but still would like to know if I should install a firewall.
You should.
If you are on a laptop, install firewalld along with NetworkManager for automatic zone switching based on where you're connected.
If you are on a desktop and you want to learn about network security stuff, use shorewall.
>Thanks
You're welcome

I just install gufw and turn it on...

>Do you guys use a firewall?
yes
>Do you need a firewall in Linux?
yes

ufw is shit, don't use that software coded by code monkeys that know nothing about security

What would you recommend?

The days of routers that do NAT but not firewalling ended over a decade ago. A default-deny firewall has been part of the basic things any router is expected to do for donkey's years, just like e.g. DHCP.

raw iptables

I will check this out

Firestarter is a decent easy to use GUI for iptables. If you don't want to learn iptables then use that.

sudo apt install ufw
sudo ufw enable

Speaking as a security pro, you should use a firewall to help harden your environment (so if you want to harden your computer then yes, you should). If someone/something was in your network, NAT isn't going to save you. The best way to use the firewall is as a whitelist. Allow only the inbound and outbound traffic that you want and block everything else. I can say from experience it's a little bit difficult figuring out all the ports you need at first.

Could you list the ports?

remember: drop all by default. open only what you need.

>this magic command fixes everything
No
If you don't have open ports you don't need a firewall
Default GNU/Linux installs tend not to have open ports, unlike Windows
When you start having open ports by installing ssh, a web server, maybe a SQL server, you need a firewall, but not ufw
Ufw teaches the egregious habit of manually managing the firewall continuously and turning it on and off
This is bad
Decide what services you want, on which interface, and *design* a firewall config that will work all the time, ideally with good logging and monitoring
Ufw teaches bad magic practices and should generally be avoided, or at least users should be taught about its deficiencies before it is suggested

You can use iptables.

So what's wrong with using a front-end for iptables then? Why would ufw be shit if it's just a different syntax for iptables rules?

I'll list a few off the top of my head, but you may want to google how to do it on your distro and how to create a firewall whitelist.

DNS = UDP/TCP 53
HTTP = 80
HTTPS = 443
NTP = (port can depend on the Linux distro, i.e. google it) most likely UDP 123


If you are using SSH:
SSH = TCP 22 (make sure when you are changing firewall settings you aren't doing it over SSH or remote management protocols)

That should be it for most basic workstations, but it really depends on your distro (google it).
Try experimenting; if something breaks, just disable the firewall and see if it works. You can also get more paranoid with your rules by setting a rule to only allow traffic to and from a specified IP. For example, I only allow SSH traffic from my laptop on my server (my laptop has a static IP address).

Helpful wiki article:
en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
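The "drop all by default, open only what you need" policy argued for above, using the port list from this post, SSH restricted to a single admin host, and the rate-limited logging the earlier poster asked for. This is an added example, not a script posted in the thread; the uplink interface (eth0) and the admin address (192.0.2.10, a documentation range) are assumptions, and the default mode only prints the rules so the policy can be reviewed before it is applied.

```shell
#!/bin/sh
# Whitelist iptables policy: default DROP, explicit allows, log the rest.
# Assumed values (override via environment); not taken from the thread.
WAN_IF="${WAN_IF:-eth0}"            # assumed uplink interface
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"  # assumed admin laptop with a static IP
FW_MODE="${FW_MODE:-print}"         # print = dry run, apply = execute

# In print mode every rule is echoed instead of executed, so the full
# policy can be read and reviewed before touching the live ruleset.
rule() {
    if [ "$FW_MODE" = apply ]; then iptables "$@"; else echo "iptables $*"; fi
}

apply_policy() {
    rule -F; rule -X
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT DROP
    # Loopback, plus replies to connections this host opened itself.
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Outbound whitelist: exactly the ports listed in the thread.
    rule -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT   # DNS
    rule -A OUTPUT -o "$WAN_IF" -p tcp --dport 53 -j ACCEPT   # DNS over TCP
    rule -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -j ACCEPT   # HTTP
    rule -A OUTPUT -o "$WAN_IF" -p tcp --dport 443 -j ACCEPT  # HTTPS
    rule -A OUTPUT -o "$WAN_IF" -p udp --dport 123 -j ACCEPT  # NTP
    # Inbound: new SSH sessions only from the admin host, nothing else.
    rule -A INPUT -i "$WAN_IF" -p tcp -s "$ADMIN_IP" --dport 22 \
         -m conntrack --ctstate NEW -j ACCEPT
    # Log what the default DROP is about to discard, rate-limited so a
    # scan cannot flood the journal; review these lines when something breaks.
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    rule -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
}

apply_policy
```

Run it once as-is to read the generated rules, then `sudo FW_MODE=apply sh firewall.sh` from a local console (not over SSH) to load them.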

nmap your Linux workstation/server, friend. You will find more than you knew.


I also forgot to mention that a lot of workstations run CUPS, which is open. You may want to keep it open and accessible; do some googling on that.
Also try nmap from a second computer on the same network.
You might find something open and listening.

I always have the firewall on
I'm saying that having no firewall is almost as bad as having a firewall where you don't know and you haven't designed the policy based on your needs

I'm getting off topic here but take Windows. It comes with a firewall enabled but then every program you install opens a port without notifying the user. Then there is the fucking upnp which allows any program to open ports at will. And even worse every home router I've come across has upnp on by default! There is technically a firewall but the user doesn't know the policy and hasn't designed the policy! They think that firewall is a magical thing that somehow protects them! And they don't know the importance of logging and monitoring. This is almost as bad as no firewall!

That's why I don't like ufw and gufw. I feel they bring this magical-thinking mentality to GNU/Linux

Are you asking for GNU or Android?

...

I agree with you, but you have to keep in mind firewall technology has evolved over time and has become more complex. Stateful firewalls are almost standard on every OS, and their complexity is challenging. Tools like the ones you mentioned help to simplify things, but they do make security less focused on the OS.
Convenience > Security
Also I agree that you are right that people think that just installing or enabling a firewall is enough, and they are wrong. It's an antivirus mentality; I install security software so I'm good.
In defense of some of these tools, Windows has gotten better about asking users to allow apps through the firewall before allowing it, and the Mac firewall can be configured the same way (when it's been enabled).
Linux is trying to come up with a more user-friendly solution for the desktop, but it's a balancing act, I believe.
I still prefer iptables over the other tools because it feels more raw and flexible (which I like). I think the tools are more personal choice at this point.

Use a firewall on your local machine if you open ports on your router to host stuff or use public wifi.
Never not use a firewall on servers, and make sure to use fail2ban on any service you host that requires authentication.

That's why Arch Linux fags are retarded as fuck. They make their lives hard.

This.

/g/ always on about botnets, doesn't use Qubes OS, still using iptables.
Now excuse me, I have some win 10 gaming to do.

If you don't have a firewall, you have tens of thousands of open ports. Just because you don't have servers listening on them doesn't mean they're not open. You could have any number of other programs using them without your knowledge.

oh man, you're dumb or this is bait and I'm dumb. my money is on you

The tards saying ufw is bad form or useless either don't know their asses from holes in the ground or are spreading fud for law enforcement. It's fine. Use it.