LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 10-17-2017, 02:02 AM   #1
Zoquduan
LQ Newbie
 
Registered: Oct 2017
Posts: 1

Rep: Reputation: Disabled
Do i need a firewall on my home system (see explanation)


Dear Forum,

I finally made the complete switch to Linux coming from windows 10.
I'm currently running solus budgie on my home PC with standard applications and out of the box settings.

Do I need a firewall in Linux if im only really using firefox?
I'm living in a dorm and am connected to a password protected router in my dorm but other people are connected to so that may be a security issue right.

Anyway hope someone can help me, if im going to use a firewall then im going to use gufw with inbound traffic disabled and outbound enabled would that be safe enough or should I take other steps to ensure my systems security?

Thanks in advance,

Zoquduan
 
Old 10-17-2017, 02:57 AM   #2
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 17,237
Blog Entries: 10

Rep: Reputation: 5160Reputation: 5160Reputation: 5160Reputation: 5160Reputation: 5160Reputation: 5160Reputation: 5160Reputation: 5160Reputation: 5160Reputation: 5160Reputation: 5160
you don't need to worry about this, esp. since the router settings are out of your control anyway...
no, Solus is safe to use "OOTB".
 
1 members found this post helpful.
Old 10-17-2017, 06:17 AM   #3
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
I know nothing about the distro you are using. However, that which I do not control I do not trust. If you do not control the firewalling provided by the router and do not know for certain what it does, I would run my own just to be safe and to make sure what I want blocked is blocked. Your requirements/goals may be different from those of the router administrator. UFW is a reasonable starting point. Taking the time to learn more about iptables would be a reasonable investment, also.
 
Old 10-17-2017, 06:48 AM   #4
dave@burn-it.co.uk
Member
 
Registered: Sep 2011
Distribution: Puppy
Posts: 601

Rep: Reputation: 172Reputation: 172
If there are untrusted users/machines on the the same side of the router firewall as you, then you DO need a software firewall to stop cross contamination.
 
Old 10-17-2017, 07:04 AM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,612
Blog Entries: 3

Rep: Reputation: 2859Reputation: 2859Reputation: 2859Reputation: 2859Reputation: 2859Reputation: 2859Reputation: 2859Reputation: 2859Reputation: 2859Reputation: 2859Reputation: 2859
Quote:
Originally Posted by dave@burn-it.co.uk View Post
If there are untrusted users/machines on the the same side of the router firewall as you, then you DO need a software firewall to stop cross contamination.
If there aren't any services listening then a firewall won't do much more. If there are services listening and they are such that they can't be exposed to the net without a firewall, then a firewall won't help. Maybe filtering outgoing services might help detect a compromise, if they are logged in the right way, but setting that up is much more trouble than it is worth. The benefit is low and the effort needed high.

The case described here is that of using a web browser. That would be going out through the firewall anyway, if one was there. So even in that case a firewall won't help. If there are compromised or hostile machines on the same LAN then using a VPN to use an outside machine as a launching point might be useful. However a firewall as such won't make much of a difference one way or another.
 
Old 10-17-2017, 07:59 AM   #6
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
You don't always know what services may or may not be listening. If you are on a LAN then there are always at least one or two ports open for the members of the LAN to communicate unbeknownst to the user, especially if one or more of them are Windows machines. If you run a database server or client then there MAY be one or more ports open (MySQL uses 3306, for example) which the user may not be aware of even if they never use an external server. So, without some serious digging you really don't know what is or isn't listening. In addition, if anyone does ever get inside for even a moment, they may start using a port you know nothing about. A firewall just is, to me, a reasonable insurance policy at very little cost. It doesn't guarantee that nothing will happen, but it certainly helps and puts a stumbling block in the way of the bad guys. With judicious logging it also helps identify what is actually happening on your machine without going to the extent of something like wireshark.
 
Old 10-17-2017, 08:40 AM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,142
Blog Entries: 4

Rep: Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229
The purpose of a firewall is to block inbound connections. For instance, you might wish to use "file sharing" within your personal subnet, but you do not wish to allow computers on the outside to (attempt to) connect to your file-sharing and perhaps do nasty things to your data.

Fortunately, all routers manufactured these days include a firewall feature, and it is normally turned on by default.

If you need to securely access your network from the outside, I specifically recommend that you use OpenVPN, or some other VPN (e.g. if your router has support for it built-in or installable).

OpenVPN, with the tls-auth feature, offers the ability to securely "tunnel in" from the outside while being undetectable(!) from the outside. This is much more secure than attempting to use ssh, which merely attracts attackers like a lantern at a campsite. To authorized users, the facilities "inside" the network become available as though the authorized user were "inside." But it is an impenetrable secret(!) passageway.

Last edited by sundialsvcs; 10-17-2017 at 08:51 AM.
 
Old 10-17-2017, 08:57 AM   #8
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
Firewalls control both inbound and outbound traffic, as well as NAT and other things. Most of the router firewalls I have seen and/or used, although better than nothing, are inadequate in my opinion. They are limited in what they do and do not give the user enough control. I am sure there are exceptions but I, personally, have seen none. In addition many are intended to control traffic between the outside and the inside, not simple internal traffic. Even if they did, the requirements of one machine on a LAN may not be the requirements of another machine on a LAN. So, again in my opinion, although a router's firewall may be useful, it is inadequate as the ONLY firewall, especially with the speed of today's machines so firewalls do not really slow things noticeably and the ease of using one on an individual machine with UFW and others available at little or no financial cost.
 
Old 10-17-2017, 10:53 AM   #9
DavidMcCann
LQ Veteran
 
Registered: Jul 2006
Location: London
Distribution: PCLinuxOS, Debian
Posts: 5,771

Rep: Reputation: 2133Reputation: 2133Reputation: 2133Reputation: 2133Reputation: 2133Reputation: 2133Reputation: 2133Reputation: 2133Reputation: 2133Reputation: 2133Reputation: 2133
I'd use a firewall, just to be on the safe side. After all, even if you don't need it, it's not going to make a nuisance of itself!

Use gufw to turn it on. All you need to do is run gufw and click on the OFF button to turn it on. Wait a few seconds, as it doesn't change from OFF to ON instantly — there are quite a few things for the computer to do.
 
Old 10-17-2017, 11:31 AM   #10
dave@burn-it.co.uk
Member
 
Registered: Sep 2011
Distribution: Puppy
Posts: 601

Rep: Reputation: 172Reputation: 172
Believe you me if you ever use your own machine at work, in a student residence, a library, an internet cafe, or let visiting machines use the internet in your own home, you will want a simple firewall on your machine.
This is becoming ever more important with the increasing number of mobile devices that try to latch on to the most powerful wifi signal they can find.
 
Old 10-17-2017, 08:16 PM   #11
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 17,397
Blog Entries: 27

Rep: Reputation: 5405Reputation: 5405Reputation: 5405Reputation: 5405Reputation: 5405Reputation: 5405Reputation: 5405Reputation: 5405Reputation: 5405Reputation: 5405Reputation: 5405
I use a firewall on every machine with a network connection, even on VMs.
 
Old 10-17-2017, 08:46 PM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,142
Blog Entries: 4

Rep: Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229Reputation: 3229
Quote:
Originally Posted by dave@burn-it.co.uk View Post
Believe you me if you ever use your own machine at work, in a student residence, a library, an internet cafe, or let visiting machines use the internet in your own home, you will want a simple firewall on your machine.
This is becoming ever more important with the increasing number of mobile devices that try to latch on to the most powerful wifi signal they can find.
This is an extremely-important point in favor of (additional ...) "per-machine software firewalls."

If your machine is mobile, then it is necessarily "always on the outside." It can never count upon the existence of a "safeguarding perimeter." Therefore, it may at any time find itself "on the very same 'local' network" with machines (i.e. "in the same coffee shop or airport") that it cannot trust.

However, this necessarily begs the question: "exactly what, if anything, can it trust?"

To my way of thinking, the answer to this question must be: "absolutely nothing(!) that any sort of firewall can possibly be expected to filter out!" After all, "a firewall can only act upon 'IP addresses.'" It is in possession of no possible heuristic by which to know whether these IP's represent Friend, or Foe, or Neighbor.
 
Old 10-17-2017, 09:51 PM   #13
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
sundialsvcs:

In Linux, iptables is not limited to ip addresses. Specifically it can (and does) block or allow ports. Of course by applying policies it blocks or allows anything and everything that is not otherwise handled. It can also change its decisions based upon frequency limits, which interface a packet is coming in or going out on for example. As far as both ports and ip addresses go, it also differentiates between source and destination. So saying a firewall (in general) can only respond to ip addresses is not true and a gross oversimplification. Responding to ip addresses is a large part of what iptables does, but by far not the only thing.

The rest of what you say as far as trusting no one I will agree with. The old fisherman's adage of "All people are liars except for me and thee, and I'm not too sure about thee" is true when it comes to networking and the internet. You might mention, of course, that you have to protect yourself from bad guys, lazy people, dumb people, and others who just simply don't know better or don't care. There are far more of the latter types than just the bad guys and they probably do more damage because they play into the bad guys' hands.

Edit: I failed to point out that iptables also can react to tcp flags and protocols regardless of ip address.

Last edited by agillator; 10-17-2017 at 09:54 PM.
 
Old 10-18-2017, 04:29 AM   #14
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,513

Rep: Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009
The network switch is probably managed, so I doubt if it permits communication between inside clients.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Looking for explanation of X Windows System (X11) jantelo Linux - General 7 06-09-2013 06:09 AM
Good home/power home use firewall? hondaman Linux - Networking 3 04-05-2008 04:13 PM
grpconv nearly crashed my system... looking for explanation Half_Elf Linux - General 2 04-15-2004 05:23 PM
File system explanation? tarballed Linux - Newbie 4 02-17-2003 01:44 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 10:45 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration