this post was submitted on 27 Sep 2024

84 points (96.7% liked)

Linux

48129 readers

509 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

[email protected]

Firewalls: what SHOULD I block? (lemmy.wtf)

submitted 1 month ago by [email protected] to c/[email protected]

71 comments fedilink hide all child comments

Hey there folks,

I'm trying to figure out how to configure my UFW, and I'm just not sure where to start. What can I do to see the intetnet traffic from individual apps so I can know what I might want to block? This is just my personal computer and I'm a total newbie to configuring firewalls so I'm just not sure how to go about it. Most online guides seem to assume one already knows what they want to block but I don't even know how/where to monitor local traffic to figure out what I can/should consider blocking.

top 50 comments

sorted by: hot top controversial new old

[–] [email protected] 1 points 1 month ago

Lots of good answers here but I'll toss in my own "figure out what you need" experience from my first firewall funtime. (Disclaimer: I used nftables -- it should be similar to ufw in terms of defaults though).

Right off the bat, everything unneeded was blocked. I "needed" no configuration, except for maybe...
Whatever CUPS runs on (when I use it)
Sometimes I ran python -m http.server -- I unblocked port 8000 for personal use.
I chose to unblock port 53 (DNS). I wanted to connect to another computer via hostname IIRC (e.g. connecting to raspberry-pi.local. I might be misremembering this though).
At one point I played with NGINX -- that's port 80 (HTTP) and port 443 (HTTPS).
SSH was already permitted (port 22 -- you need root access to enable traffic through ports below 1024 anyway so this wasn't an issue for running typical apps)

I didn't use WireShark back then, really. I think I just ran something like

sudo lsof -nP -iTCP -sTCP:LISTEN

which showed me a bunch of port traffic (mostly just harmless language servers).

You don't have to dive to deep into all the "egress" and "ingress" and whatnot unless you're doing something special. Or your software uses a weird port. (LocalSend lol)

[–] [email protected] 1 points 1 month ago

You don't need a firewall on the LAN. It is just an annoyance to have to open ports later. Extra bureaucracy without benefits. This isn't Windows, you can can easily control your processes, choose if they bind to the network interface and on which port.

[–] [email protected] 23 points 1 month ago

If you really need one take white list approach. Block everything you don't need and only open what you need. Have fun finding out what you need.

[–] [email protected] 2 points 1 month ago (1 children)

I would advise that you ignore a lot if the advise here and do your own research. You probably don't need a local Firewall and if you want to block content use DNS and browser extensions

[–] [email protected] 3 points 1 month ago (1 children)

You probably don't need a local Firewall

If the computer never leaves the house, maybe. If it's ever on public Wi-Fi though, default deny inbound at a bare minimum. Linux computers with cups installed and running but no firewall were revealed yesterday to be vulnerable to RCE.

[–] [email protected] 1 points 1 month ago

Cups only listens on local host only by default. Also it requires you to connect to a printer which is unaffected by the Firewall.

[–] [email protected] 28 points 1 month ago* (last edited 1 month ago) (1 children)

By default it should be configured to allow all outgoing, and block all incoming. That's perfectly fine for a desktop/laptop and you don't need to mess with it.

You can't really do that much outgoing filtering with a firewall that will be useful, because basically everything operates on port 80/443, and often connects to the same CDNs or datacenter IPs for multiple services.

Instead DNS blocking is a much more effective way to handle it, plus uBlock Origin in your browser.

[–] [email protected] 11 points 1 month ago (2 children)

Just to clarify this comment for other "total newbies": yes, the UFW default config is fine and "you don't need to mess with it".

But by default UFW itself is not even enabled on any desktop OS. And you also don't need to mess with that. It's because the firewall is on the router.

OP said clearly that this "is just my personal computer" and here we all are spreading unintentional FUD about firewall configs as if it's for a public-facing server.

This pisses me off a bit because I remember having exactly the same anxiety as OP, to the point of thinking Linux must be incredibly insecure - how does this firewall work? dammit it's not even turned on!! And then I learned a bit more about networking.

This discussion should have begun with the basics, not the minutiae.

[–] [email protected] 1 points 1 month ago (1 children)

Its good practice to have a firewall local as well. However, you are right it about it not being to critical

[–] [email protected] 0 points 1 month ago

It's extra management without benefits.

But it also doesn't matter if you never open any ports.

Since 99.99% of users only consume content with a browser, then a firewall that blocks all incoming connections won't impact them negatively.

[–] [email protected] 3 points 1 month ago (2 children)

Many people use laptops and use other wifi networks or tether to their phone, both can expose you because of unknown firewall states or IPv6 being used.

[–] [email protected] 0 points 1 month ago

Your phone tether will NAT you and not route any incoming packets that aren't part of a connection initiated by your host. Firewwll does nothing and anyway you wouldn't even have any open port inside the LAN unless you run services that open ports.

[–] [email protected] 1 points 1 month ago

Yes, I am one of those people, literally all the time. This is the point of laptops.

And I use default Ubuntu Desktop config, kept up to date of course.

If that makes me and OP sitting targets, then maybe we should address this concern to the people who make distros rather than to a random anxious newbie.

load more comments