LinuxQuestions.org
Old 10-17-2017, 02:02 AM   #1
Zoquduan
LQ Newbie
 
Registered: Oct 2017
Posts: 1

Rep: Reputation: Disabled
Do I need a firewall on my home system (see explanation)


Dear Forum,

I finally made the complete switch to Linux coming from Windows 10.
I'm currently running Solus Budgie on my home PC with standard applications and out of the box settings.

Do I need a firewall in Linux if I'm only really using Firefox?
I'm living in a dorm and am connected to a password-protected router in my dorm, but other people are connected too, so that may be a security issue, right?

Anyway, hope someone can help me. If I'm going to use a firewall then I'm going to use gufw with inbound traffic disabled and outbound enabled. Would that be safe enough, or should I take other steps to ensure my system's security?

Thanks in advance,

Zoquduan
 
Old 10-17-2017, 02:57 AM   #2
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
You don't need to worry about this, esp. since the router settings are out of your control anyway...
No, Solus is safe to use "OOTB".
 
1 members found this post helpful.
Old 10-17-2017, 06:17 AM   #3
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
I know nothing about the distro you are using. However, that which I do not control I do not trust. If you do not control the firewalling provided by the router and do not know for certain what it does, I would run my own just to be safe and to make sure what I want blocked is blocked. Your requirements/goals may be different from those of the router administrator. UFW is a reasonable starting point. Taking the time to learn more about iptables would be a reasonable investment, also.
 
Old 10-17-2017, 06:48 AM   #4
dave@burn-it.co.uk
Member
 
Registered: Sep 2011
Distribution: Puppy
Posts: 601

Rep: Reputation: 172
If there are untrusted users/machines on the same side of the router firewall as you, then you DO need a software firewall to stop cross contamination.
 
Old 10-17-2017, 07:04 AM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,295
Blog Entries: 3

Rep: Reputation: 3719
Quote:
Originally Posted by dave@burn-it.co.uk
If there are untrusted users/machines on the same side of the router firewall as you, then you DO need a software firewall to stop cross contamination.
If there aren't any services listening then a firewall won't do much more. If there are services listening and they are such that they can't be exposed to the net without a firewall, then a firewall won't help. Maybe filtering outgoing services might help detect a compromise, if they are logged in the right way, but setting that up is much more trouble than it is worth. The benefit is low and the effort needed high.

The case described here is that of using a web browser. That would be going out through the firewall anyway, if one was there. So even in that case a firewall won't help. If there are compromised or hostile machines on the same LAN then using a VPN to use an outside machine as a launching point might be useful. However a firewall as such won't make much of a difference one way or another.
 
Old 10-17-2017, 07:59 AM   #6
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
You don't always know what services may or may not be listening. If you are on a LAN then there are always at least one or two ports open for the members of the LAN to communicate unbeknownst to the user, especially if one or more of them are Windows machines. If you run a database server or client then there MAY be one or more ports open (MySQL uses 3306, for example) which the user may not be aware of even if they never use an external server. So, without some serious digging you really don't know what is or isn't listening. In addition, if anyone does ever get inside for even a moment, they may start using a port you know nothing about. A firewall just is, to me, a reasonable insurance policy at very little cost. It doesn't guarantee that nothing will happen, but it certainly helps and puts a stumbling block in the way of the bad guys. With judicious logging it also helps identify what is actually happening on your machine without going to the extent of something like wireshark.
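The check behind "you really don't know what is or isn't listening", as an added example that is not part of any poster's reply: it reads `ss -Htln` output and separates loopback-only listeners from those other machines on the LAN can reach. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify listening TCP sockets from `ss -Htln` output on stdin.

# Prints "EXPOSED <addr> <port>" for sockets other machines on the LAN can
# reach, and "LOCAL <addr> <port>" for sockets bound to loopback only.
classify_listeners() {
    awk '
    $1 == "LISTEN" {
        la = $4                              # Local Address:Port column
        match(la, /:[^:]*$/)                 # last colon separates the port
        addr = substr(la, 1, RSTART - 1)
        port = substr(la, RSTART + 1)
        sub(/%.*$/, "", addr)                # strip interface scope, e.g. %lo
        gsub(/^\[|\]$/, "", addr)            # strip IPv6 brackets
        scope = (addr ~ /^127\./ || addr == "::1") ? "LOCAL" : "EXPOSED"
        print scope, addr, port
    }'
}

# Unique ports that are reachable from other hosts, space separated.
exposed_ports() {
    classify_listeners | awk '$1 == "EXPOSED" { print $3 }' |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample in `ss -Htln` layout (not captured from a real system):
# sshd on all interfaces, MySQL and a DNS stub on loopback, CUPS on ::1,
# and a service bound to the wildcard address on 8080.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 80   127.0.0.1:3306    0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 128  [::1]:631         [::]:*
LISTEN 0 128  [::]:22           [::]:*
LISTEN 0 511  *:8080            *:*
EOF
}

# Demo on the sample; on a live system run: ss -Htln | classify_listeners
sample_ss_output | classify_listeners
```

Only the EXPOSED lines are what a host firewall with inbound traffic denied would actually be shielding from other machines on the dorm network.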
 
Old 10-17-2017, 08:40 AM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,649
Blog Entries: 4

Rep: Reputation: 3934
The purpose of a firewall is to block inbound connections. For instance, you might wish to use "file sharing" within your personal subnet, but you do not wish to allow computers on the outside to (attempt to) connect to your file-sharing and perhaps do nasty things to your data.

Fortunately, all routers manufactured these days include a firewall feature, and it is normally turned on by default.

If you need to securely access your network from the outside, I specifically recommend that you use OpenVPN, or some other VPN (e.g. if your router has support for it built-in or installable).

OpenVPN, with the tls-auth feature, offers the ability to securely "tunnel in" from the outside while being undetectable(!) from the outside. This is much more secure than attempting to use ssh, which merely attracts attackers like a lantern at a campsite. To authorized users, the facilities "inside" the network become available as though the authorized user were "inside." But it is an impenetrable secret(!) passageway.

Last edited by sundialsvcs; 10-17-2017 at 08:51 AM.
 
Old 10-17-2017, 08:57 AM   #8
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
Firewalls control both inbound and outbound traffic, as well as NAT and other things. Most of the router firewalls I have seen and/or used, although better than nothing, are inadequate in my opinion. They are limited in what they do and do not give the user enough control. I am sure there are exceptions but I, personally, have seen none. In addition many are intended to control traffic between the outside and the inside, not simple internal traffic. Even if they did, the requirements of one machine on a LAN may not be the requirements of another machine on a LAN. So, again in my opinion, although a router's firewall may be useful, it is inadequate as the ONLY firewall, especially with the speed of today's machines so firewalls do not really slow things noticeably and the ease of using one on an individual machine with UFW and others available at little or no financial cost.
 
Old 10-17-2017, 10:53 AM   #9
DavidMcCann
LQ Veteran
 
Registered: Jul 2006
Location: London
Distribution: PCLinuxOS, Debian
Posts: 6,137

Rep: Reputation: 2314
I'd use a firewall, just to be on the safe side. After all, even if you don't need it, it's not going to make a nuisance of itself!

Use gufw to turn it on. All you need to do is run gufw and click on the OFF button to turn it on. Wait a few seconds, as it doesn't change from OFF to ON instantly — there are quite a few things for the computer to do.
 
Old 10-17-2017, 11:31 AM   #10
dave@burn-it.co.uk
Member
 
Registered: Sep 2011
Distribution: Puppy
Posts: 601

Rep: Reputation: 172
Believe you me if you ever use your own machine at work, in a student residence, a library, an internet cafe, or let visiting machines use the internet in your own home, you will want a simple firewall on your machine.
This is becoming ever more important with the increasing number of mobile devices that try to latch on to the most powerful wifi signal they can find.
 
Old 10-17-2017, 08:16 PM   #11
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,311
Blog Entries: 28

Rep: Reputation: 6137
I use a firewall on every machine with a network connection, even on VMs.
 
Old 10-17-2017, 08:46 PM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,649
Blog Entries: 4

Rep: Reputation: 3934
Quote:
Originally Posted by dave@burn-it.co.uk
Believe you me if you ever use your own machine at work, in a student residence, a library, an internet cafe, or let visiting machines use the internet in your own home, you will want a simple firewall on your machine.
This is becoming ever more important with the increasing number of mobile devices that try to latch on to the most powerful wifi signal they can find.
This is an extremely-important point in favor of (additional ...) "per-machine software firewalls."

If your machine is mobile, then it is necessarily "always on the outside." It can never count upon the existence of a "safeguarding perimeter." Therefore, it may at any time find itself "on the very same 'local' network" with machines (i.e. "in the same coffee shop or airport") that it cannot trust.

However, this necessarily begs the question: "exactly what, if anything, can it trust?"

To my way of thinking, the answer to this question must be: "absolutely nothing(!) that any sort of firewall can possibly be expected to filter out!" After all, "a firewall can only act upon 'IP addresses.'" It is in possession of no possible heuristic by which to know whether these IP's represent Friend, or Foe, or Neighbor.
 
Old 10-17-2017, 09:51 PM   #13
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
sundialsvcs:

In Linux, iptables is not limited to IP addresses. Specifically it can (and does) block or allow ports. Of course by applying policies it blocks or allows anything and everything that is not otherwise handled. It can also change its decisions based upon frequency limits, or which interface a packet is coming in or going out on, for example. As far as both ports and IP addresses go, it also differentiates between source and destination. So saying a firewall (in general) can only respond to IP addresses is not true and a gross oversimplification. Responding to IP addresses is a large part of what iptables does, but by far not the only thing.

The rest of what you say as far as trusting no one I will agree with. The old fisherman's adage of "All people are liars except for me and thee, and I'm not too sure about thee" is true when it comes to networking and the internet. You might mention, of course, that you have to protect yourself from bad guys, lazy people, dumb people, and others who just simply don't know better or don't care. There are far more of the latter types than just the bad guys and they probably do more damage because they play into the bad guys' hands.

Edit: I failed to point out that iptables also can react to TCP flags and protocols regardless of IP address.

Last edited by agillator; 10-17-2017 at 09:54 PM.
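The match types listed in the post above, written out as an `iptables-restore` ruleset with one rule per capability (added example, not posted by anyone in the thread). It implements "inbound disabled, outbound enabled"; the function name, the interface `wlan0` and the trusted address `192.0.2.10` are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a single workstation.
# usage: emit_ruleset <lan-interface> <trusted-source-address>
emit_ruleset() {
    iface=$1
    trusted=$2
    cat <<EOF
*filter
# Policies: whatever no rule below handles is dropped inbound, allowed outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Interface match: loopback traffic is always allowed.
-A INPUT -i lo -j ACCEPT
# Connection state: replies to connections this machine opened (e.g. Firefox).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# TCP flag matches: drop null scans and new connections that are not a SYN.
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Interface + source address + destination port + frequency limit in one rule.
-A INPUT -i $iface -s $trusted -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
# Protocol match with a rate limit: answer pings, but slowly.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
# Rate-limited logging of what the DROP policy is about to discard.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Print the ruleset; as root, check it without loading it using:
#   emit_ruleset wlan0 192.0.2.10 | iptables-restore --test
emit_ruleset wlan0 192.0.2.10
```

Rules are evaluated top to bottom and the first terminating match wins, so the ESTABLISHED rule must stay above the flag checks and the LOG rule must stay last.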
 
Old 10-18-2017, 04:29 AM   #14
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015
The network switch is probably managed, so I doubt if it permits communication between inside clients.
 
  

