Do I need a special firewall on a personal computer

I was wondering about Linux security issues. Most people agree that a virus scanner is not useful on a Linux system, but what about a firewall? I am using Debian wheezy stable and before used Ubuntu 12.04. If I only have a personal PC which is logged into a secured WLAN, do I need a firewall and what is already set up on the two OS mentioned above?
ubuntu security firewall debian
You don't have to have one but it doesn't hurt, either. See unix.stackexchange.com/questions/2546/…
– goldilocks
Nov 6 '13 at 17:28
You could use a router with custom software. Tomato is nice.
– Faheem Mitha
Nov 6 '13 at 17:40
I'm not sure I see the need for one, given that all distros include tools like netstat, where you can see exactly what TCP, UDP, etc ports are open and their status, and also where you can explicitly control known daemon processes. As near as I can tell, Windows users have firewalls because Windows 95 and early NT did not have the tools, or the documentation on what was listening, for folks to feel comfortable putting them on arbitrary networks.
– Bruce Ediger
Nov 6 '13 at 17:41
@BruceEdiger to centralize your policy.
– sourcejedi
2 days ago
asked Nov 6 '13 at 16:50 by aldorado
edited 2 days ago by Rui F Ribeiro
3 Answers
Easy part first: There is no firewall set up by default on Debian or Ubuntu, or most Linux distros I know of.
Do you need a firewall on Linux? Probably not, because most programs on a Linux system that are listening for incoming connections have to be explicitly started by someone, and were installed from package repositories run by the distro. And if you're on a trusted WLAN, your computer probably has a private IP address, and is connecting to a router using NAT with a public IP address, and that router also functions as a firewall.
Reasons you might need a firewall on Linux:
- There are many programs that start a web server (or some other sort of server) so you can interface with the program from any machine. If you don't need to remotely interface with this sort of program, you could use a firewall to block all connections not coming from the computer itself.
- You don't want your computer to respond to ping. Then you would use a firewall to drop all ICMP packets. You can also have your firewall drop all packets requesting connections to closed ports without your computer responding at all. This will make you invisible to (practically all) port scans if, for example, you were using the WLAN in a shady coffee shop.
- You connect directly to the Internet with a public IP address and then join a bunch of IRC chat rooms daring the occupants to hack you.
- You are being hunted by a nation-state.
answered Nov 7 '13 at 20:36 by ash
You generally do not need a firewall ever.
A firewall (more precisely, a packet filter) is used to filter network packets, i.e. to allow some connections and disallow others.
Connections can be incoming or outgoing.
An incoming connection, i.e. someone else wants to connect to your computer, is only possible if your computer offers some service. - For a private computer you just do not offer any services, and no one else is able to connect to you. All without any firewall.
For outgoing connections, i.e. you are trying to connect to some other computer, you need some software to do so. For example, you use a web browser to access some remote web server. - With all the Linux distributions you typically install only software from the repository of the distribution of your choice. - As this software is usually open source, you can be pretty sure this software is only doing what it claims to do. - A firewall will usually be of no help.
The only situation where a firewall makes sense is if you want to offer some service to some specific part of the network. In this case you have to allow connections, but filter out those connections you do not want. - But even in this case there might be easier solutions like tcpwrapper or some configuration of your service.
You can use a command like sudo netstat -tupln to list all active services. Those might be bound to 127.0.0.1, which means they are only accessible from the same host, or bound to 0.0.0.0, which means they are accessible from everywhere.
answered Nov 6 '13 at 17:17 by michas
Without a firewall, there are no restrictions on incoming or outgoing packets, so it does not make sense to say you would only need one "if you want to offer some service to the network" but "filter out those connections you don't want". If you don't care about filtering packets "you don't want" when you are offering no services, why would you care about filtering packets if you are? The threat is more or less the same.
– goldilocks
Nov 6 '13 at 17:26
If you do not offer any service, all incoming connection are refused. - You do not need a firewall for that.
– michas
Nov 6 '13 at 17:43
Unless you are going to check netstat every two minutes, you'll never know if and when something has opened a listening port for whatever reason. Whereas if you use a firewall and log rejected packets, A) "something" won't work until you let it, B) you'll know when something outside tried and failed to connect to something inside. Also, without the firewall, anything can engage in any kind of communication with anyone anywhere, and you'll never know about that either.
– goldilocks
Nov 6 '13 at 19:03
Linux is not Windows, where it is common to install obscure software from arbitrary web pages, with unpredictable behavior. On Linux you install software from trusted repositories, with typically well defined behavior. (Of course this doesn't automatically mean you cannot shoot yourself in the foot with this.) - Logging all failed connections from outside will usually result in a very long list, which usually is only useful to create FUD. - Guess we should sum it up as "the topic is controversial". ;)
– michas
Nov 6 '13 at 19:55
Windows is more of a target, but unix.stackexchange.com/questions/96848/… etc -- linux isn't immune. Logging all blocked packets (particularly within a home LAN) should not amount to much, and allows you to notice if either your firewall config is hampering something, or if there is some intermittent mysterious "service" you didn't know about and would prefer to disable properly. If there are other systems on the network that do some regular (rejected) polling, just create a special rule for them to skip logging.
– goldilocks
Nov 6 '13 at 20:11
It is indeed not a great idea to expose open ports when you do not need them. It increases your exposure to security vulnerabilities in the relevant software.
You do not mention a separate guest WLAN, therefore I must assume that you will in future allow other devices such as a guest's laptop, or your own phone, to connect to the same WLAN. In turn, you should assume that your guests' laptops are not trustworthy.
Neither of the two OSes has any firewall set up to start with.
Ubuntu aimed to meet something called "No Open Ports" by default. In a recent version, they are failing to do so. (Bug for Rhythmbox on Ubuntu).
A standard install of Debian Wheezy listens on UDP port 111, because it runs rpcbind. (As mentioned here.)
I endorse checking your current open ports using ss or netstat. I use the instructions here. The two examples above are the main ones I would expect to find.
Definitely remove rpcbind if you are not using it. rpcbind is only required for NFS2 and NFS3. (It is not required for NFS4.) If you have a personal PC and you do not know what NFS is, then you are not using NFS.
You may as well also disable the DAAP plugin in Rhythmbox, if you are not using it. (It is one method to access music over the local network. So you can just disable it and see if you lose any music :-).
The disadvantage of running a firewall, is the troubleshooting required when it blocks something you do need. For example if you want to use BitTorrent, you will need to configure your firewall to allow it, otherwise you will not be able to upload (and the tit-for-tat algorithm means this can slow your download).
I suggest a two-tier approach. First, learn how to check ss or netstat. Make sure you disable/remove any programs listening on the network that you do not need. Secondly, configure a firewall.
When something is not working and you need to troubleshoot it, you will be able to 1) re-check what programs are listening on the network, and 2) entirely disable the firewall in good confidence.
If your problem goes away, you will know it is a firewall problem. You can start researching what ports you need to allow (or whether there is some more tricky problem :-). And hopefully eventually configure and re-enable the firewall, so that you are covered the next time Ubuntu forget about their flagship security policy and open up a new port that you do not need :-)
The ufw firewall is available for both Debian and Ubuntu. Ubuntu created it to provide an "Uncomplicated Firewall".
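As an added example (not code from this thread or from the ufw project), the POSIX shell script below performs the two tiers described in the answers above: it parses ss -tulpn output and separates loopback-only listeners (such as the 127.0.0.1 bindings michas mentions) from sockets reachable from the WLAN (rpcbind on port 111, Rhythmbox DAAP sharing), then prints the ufw commands for a default-deny inbound policy. The socket listing is constructed sample data, and 6881/tcp is an assumed BitTorrent port.

```shell
#!/bin/sh
# Added example, not code from the thread above. Tier one: parse `ss -tulpn`
# output and separate loopback-only listeners from ones reachable over the
# network. Tier two: print the ufw commands for a default-deny inbound policy.
# Run on a real machine with:  sudo ss -tulpn | exposed_listeners

# CONSTRUCTED sample in the format of `ss -tulpn`: rpcbind on port 111 (the
# Debian wheezy default mentioned above), Rhythmbox DAAP sharing on TCP 3689,
# and cupsd/chronyd bound to loopback only. PIDs and fds are made up.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*         users:(("rpcbind",pid=512,fd=6))
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=600,fd=5))
tcp   LISTEN 0      128    0.0.0.0:111        0.0.0.0:*         users:(("rpcbind",pid=512,fd=8))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      5      0.0.0.0:3689       0.0.0.0:*         users:(("rhythmbox",pid=1200,fd=30))
tcp   LISTEN 0      128    [::]:111           [::]:*            users:(("rpcbind",pid=512,fd=11))
tcp   LISTEN 0      128    [::1]:631          [::]:*            users:(("cupsd",pid=700,fd=8))'

# Read `ss -tulpn` output on stdin and print one line per socket:
#   <local|exposed> <proto> <local address:port> <process name>
# "local" = bound to a loopback address, reachable only from this host;
# "exposed" = bound to a wildcard or interface address, reachable from the WLAN.
audit_listeners() {
    awk 'NR > 1 && NF >= 5 {
        # the port follows the last colon; everything before it is the address
        match($5, /:[^:]*$/)
        addr = substr($5, 1, RSTART - 1)
        cls = (addr ~ /^127\./ || addr == "[::1]") ? "local" : "exposed"
        # process name sits inside users:(("name",pid=...)) when run as root
        proc = "?"
        if (match($0, /\(\("[^"]*"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        print cls, $1, $5, proc
    }'
}

# Only the sockets another device on the WLAN could connect to.
exposed_listeners() {
    audit_listeners | awk '$1 == "exposed" { print $2, $3, $4 }'
}

# Distinct program names behind the exposed sockets: the disable/remove list.
exposed_processes() {
    exposed_listeners | awk '{ print $3 }' | sort -u
}

# Tier two: print (not run) the ufw commands for "deny everything inbound,
# allow outbound, log rejects, open only the ports passed as arguments".
# Printing keeps this runnable without root; review, then pipe into `sudo sh`.
ufw_policy() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw logging on"
    for rule in "$@"; do
        echo "ufw allow $rule"
    done
    echo "ufw enable"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners
echo "--- programs to disable or remove:"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_processes
echo "--- firewall policy (6881/tcp is an assumed BitTorrent port):"
ufw_policy 6881/tcp
```

The process column is only filled in when ss runs as root; without it the script still classifies each socket and marks the process as "?".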
You generally do not need a firewall ever.
A firewall (more precise a packet filter) is used to filter network packages, i.e. to allow some connections and disallow others.
Connection can be ingoing or outgoing.
An ingoing connection, i.e. someone else wants to connect to your computer, is only possible, if your computer offers some service. - For a private computer you just do not offer any services and no one else is able to connect to you. All without any firewall.
For outgoing connections, i.e. you are trying to connect to some other computer, you need some software to do so. For example you use a web browser to access some remote web server. - With all the linux distributions you typically install only software from the repository of your distribution of your choice. - As this software is usually open source, you can be pretty sure, this software is only doing what it claims to do. - A firewall will usually be of no help.
The only situation where a firewall makes sense is, if you want to offer some service to some specific part of the network. In this case you have to allow connection, but filer out those connection you do not want. - But even in this case there might be easier solutions like tcpwrapper or some configuration of your service.
You can use a command like sudo netstat -tupln
to list all active services. Those might be bound to 127.0.0.1
which means they are only accessible from the same host or bound to 0.0.0.0
which means they are accessible from everywhere.
1
Without a firewall, there are no restrictions on incoming or outgoing packets, so it does not make sense to say you would only need one "if you want to offer some service to the network" but "filter out those connections you don't want". If you don't care about filtering packets "you don't want" when you are offering no services, why would you care about filtering packets if you are? The threat is more or less the same.
– goldilocks
Nov 6 '13 at 17:26
1
If you do not offer any service, all incoming connection are refused. - You do not need a firewall for that.
– michas
Nov 6 '13 at 17:43
Unless you are going to checknetstat
every two minutes, you'll never know if and when something has opened a listening port for whatever reason. Whereas if you use a firewall and log rejected packets, A) "something" won't work until you let it, B) you'll know when something outside tried and failed to connect to something inside. Also, without the firewall, anything can engage in any kind of communication with anyone anywhere, and you'll never know about that either.
– goldilocks
Nov 6 '13 at 19:03
Linux is not Windows, where it is common to install obscure software from arbitrary web pages, with unpredictable behavior. On Linux you install software from trusted repositories, with typically well defined behavior. (Of course this doesn't automatically mean, you cannot shoot your self in the foot with this.) - Logging all failed connections from outside will usually result in a very long list, which usually is only useful to create FUD. - Guess we should sum it up as "the topic is controversal". ;)
– michas
Nov 6 '13 at 19:55
Windows is more of a target, but unix.stackexchange.com/questions/96848/… etc -- linux isn't immune. Logging all blocked packets (particularly within a home LAN) should not amount to much, and allows you to notice if either your firewall config is hampering something, or if there is some intermittent mysterious "service" you didn't know about and would prefer to disable properly. If there are other systems on the network that do some regular (rejected) polling, just create a special rule for them to skip logging.
– goldilocks
Nov 6 '13 at 20:11
|
show 2 more comments
You generally do not need a firewall ever.
A firewall (more precise a packet filter) is used to filter network packages, i.e. to allow some connections and disallow others.
Connection can be ingoing or outgoing.
An ingoing connection, i.e. someone else wants to connect to your computer, is only possible, if your computer offers some service. - For a private computer you just do not offer any services and no one else is able to connect to you. All without any firewall.
For outgoing connections, i.e. you are trying to connect to some other computer, you need some software to do so. For example you use a web browser to access some remote web server. - With all the linux distributions you typically install only software from the repository of your distribution of your choice. - As this software is usually open source, you can be pretty sure, this software is only doing what it claims to do. - A firewall will usually be of no help.
The only situation where a firewall makes sense is, if you want to offer some service to some specific part of the network. In this case you have to allow connection, but filer out those connection you do not want. - But even in this case there might be easier solutions like tcpwrapper or some configuration of your service.
You can use a command like sudo netstat -tupln
to list all active services. Those might be bound to 127.0.0.1
which means they are only accessible from the same host or bound to 0.0.0.0
which means they are accessible from everywhere.
1
Without a firewall, there are no restrictions on incoming or outgoing packets, so it does not make sense to say you would only need one "if you want to offer some service to the network" but "filter out those connections you don't want". If you don't care about filtering packets "you don't want" when you are offering no services, why would you care about filtering packets if you are? The threat is more or less the same.
– goldilocks
Nov 6 '13 at 17:26
1
If you do not offer any service, all incoming connection are refused. - You do not need a firewall for that.
– michas
Nov 6 '13 at 17:43
Unless you are going to checknetstat
every two minutes, you'll never know if and when something has opened a listening port for whatever reason. Whereas if you use a firewall and log rejected packets, A) "something" won't work until you let it, B) you'll know when something outside tried and failed to connect to something inside. Also, without the firewall, anything can engage in any kind of communication with anyone anywhere, and you'll never know about that either.
– goldilocks
Nov 6 '13 at 19:03
Linux is not Windows, where it is common to install obscure software from arbitrary web pages, with unpredictable behavior. On Linux you install software from trusted repositories, with typically well defined behavior. (Of course this doesn't automatically mean, you cannot shoot your self in the foot with this.) - Logging all failed connections from outside will usually result in a very long list, which usually is only useful to create FUD. - Guess we should sum it up as "the topic is controversal". ;)
– michas
Nov 6 '13 at 19:55
Windows is more of a target, but unix.stackexchange.com/questions/96848/… etc -- linux isn't immune. Logging all blocked packets (particularly within a home LAN) should not amount to much, and allows you to notice if either your firewall config is hampering something, or if there is some intermittent mysterious "service" you didn't know about and would prefer to disable properly. If there are other systems on the network that do some regular (rejected) polling, just create a special rule for them to skip logging.
– goldilocks
Nov 6 '13 at 20:11
|
show 2 more comments
You generally do not need a firewall ever.
A firewall (more precise a packet filter) is used to filter network packages, i.e. to allow some connections and disallow others.
Connection can be ingoing or outgoing.
An ingoing connection, i.e. someone else wants to connect to your computer, is only possible, if your computer offers some service. - For a private computer you just do not offer any services and no one else is able to connect to you. All without any firewall.
For outgoing connections, i.e. you are trying to connect to some other computer, you need some software to do so. For example you use a web browser to access some remote web server. - With all the linux distributions you typically install only software from the repository of your distribution of your choice. - As this software is usually open source, you can be pretty sure, this software is only doing what it claims to do. - A firewall will usually be of no help.
The only situation where a firewall makes sense is, if you want to offer some service to some specific part of the network. In this case you have to allow connection, but filer out those connection you do not want. - But even in this case there might be easier solutions like tcpwrapper or some configuration of your service.
You can use a command like sudo netstat -tupln
to list all active services. Those might be bound to 127.0.0.1
which means they are only accessible from the same host or bound to 0.0.0.0
which means they are accessible from everywhere.
You generally do not need a firewall ever.
A firewall (more precise a packet filter) is used to filter network packages, i.e. to allow some connections and disallow others.
Connection can be ingoing or outgoing.
An ingoing connection, i.e. someone else wants to connect to your computer, is only possible, if your computer offers some service. - For a private computer you just do not offer any services and no one else is able to connect to you. All without any firewall.
For outgoing connections, i.e. you are trying to connect to some other computer, you need some software to do so. For example you use a web browser to access some remote web server. - With all the linux distributions you typically install only software from the repository of your distribution of your choice. - As this software is usually open source, you can be pretty sure, this software is only doing what it claims to do. - A firewall will usually be of no help.
The only situation where a firewall makes sense is, if you want to offer some service to some specific part of the network. In this case you have to allow connection, but filer out those connection you do not want. - But even in this case there might be easier solutions like tcpwrapper or some configuration of your service.
You can use a command like sudo netstat -tupln
to list all active services. Those might be bound to 127.0.0.1
which means they are only accessible from the same host or bound to 0.0.0.0
which means they are accessible from everywhere.
answered Nov 6 '13 at 17:17
michasmichas
15.1k33771
15.1k33771
1
Without a firewall, there are no restrictions on incoming or outgoing packets, so it does not make sense to say you would only need one "if you want to offer some service to the network" but "filter out those connections you don't want". If you don't care about filtering packets "you don't want" when you are offering no services, why would you care about filtering packets if you are? The threat is more or less the same.
– goldilocks
Nov 6 '13 at 17:26
1
If you do not offer any service, all incoming connection are refused. - You do not need a firewall for that.
– michas
Nov 6 '13 at 17:43
Unless you are going to check netstat every two minutes, you'll never know if and when something has opened a listening port for whatever reason. Whereas if you use a firewall and log rejected packets, A) "something" won't work until you let it, B) you'll know when something outside tried and failed to connect to something inside. Also, without the firewall, anything can engage in any kind of communication with anyone anywhere, and you'll never know about that either.
– goldilocks
Nov 6 '13 at 19:03
Linux is not Windows, where it is common to install obscure software from arbitrary web pages, with unpredictable behavior. On Linux you install software from trusted repositories, with typically well defined behavior. (Of course this doesn't automatically mean you cannot shoot yourself in the foot with this.) - Logging all failed connections from outside will usually result in a very long list, which usually is only useful to create FUD. - Guess we should sum it up as "the topic is controversial". ;)
– michas
Nov 6 '13 at 19:55
Windows is more of a target, but unix.stackexchange.com/questions/96848/… etc -- linux isn't immune. Logging all blocked packets (particularly within a home LAN) should not amount to much, and allows you to notice if either your firewall config is hampering something, or if there is some intermittent mysterious "service" you didn't know about and would prefer to disable properly. If there are other systems on the network that do some regular (rejected) polling, just create a special rule for them to skip logging.
– goldilocks
Nov 6 '13 at 20:11
It is indeed not a great idea to expose open ports when you do not need them. It increases your exposure to security vulnerabilities in the relevant software.
You do not mention a separate guest WLAN, therefore I must assume that you will in future allow other devices such as a guest's laptop, or your own phone, to connect to the same WLAN. In turn, you should assume that your guests' laptops are not trustworthy.
Neither of the two OSes has any firewall set up to start with.
Ubuntu aimed to meet something called "No Open Ports" by default. In a recent version, they are failing to do so. (Bug for Rhythmbox on Ubuntu.)
A standard install of Debian Wheezy listens on UDP port 111, because it runs rpcbind. (As mentioned here.)
I endorse checking your current open ports using ss or netstat. I use the instructions here. The two examples above are the main ones I would expect to find.
Definitely remove rpcbind if you are not using it. rpcbind is only required for NFS2 and NFS3. (It is not required for NFS4.) If you have a personal PC and you do not know what NFS is, then you are not using NFS.
You may as well also disable the DAAP plugin in Rhythmbox, if you are not using it. (It is one method to access music over the local network. So you can just disable it and see if you lose any music :-).
The disadvantage of running a firewall is the troubleshooting required when it blocks something you do need. For example, if you want to use BitTorrent, you will need to configure your firewall to allow it, otherwise you will not be able to upload (and the tit-for-tat algorithm means this can slow your download).
I suggest a two-tier approach. First, learn how to check ss or netstat. Make sure you disable/remove any programs listening on the network that you do not need. Secondly, configure a firewall.
When something is not working and you need to troubleshoot it, you will be able to 1) re-check what programs are listening on the network, and 2) entirely disable the firewall in good confidence.
If your problem goes away, you will know it is a firewall problem. You can start researching what ports you need to allow (or whether there is some more tricky problem :-). And hopefully eventually configure and re-enable the firewall, so that you are covered the next time Ubuntu forgets about their flagship security policy and opens up a new port that you do not need :-)
The ufw firewall is available for both Debian and Ubuntu. Ubuntu created it to provide an "Uncomplicated Firewall".
edited 2 days ago
answered 2 days ago
– sourcejedi
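The check both answers describe (list what is listening and read the bind address: 127.0.0.1 means host-only, 0.0.0.0 means reachable from the WLAN) as an added shell example; this is not code from either answer. It assumes the column layout of a current ss -tulpn (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process, with the process printed as users:(("name",pid=...,fd=...))), and the sample output it runs on is constructed, not captured from a real host:

```shell
#!/bin/sh
# Added example, not from either answer: classify what "ss -tulpn" reports
# into LOOPBACK (bound to 127.x / [::1], reachable only from this host) and
# EXPOSED (bound to 0.0.0.0 / [::] / an interface address, reachable from
# other hosts on the WLAN). Assumes the column layout of a current ss:
#   Netid State Recv-Q Send-Q Local:Port Peer:Port Process

# Constructed sample of "ss -tulpn" output (not captured from a real host).
# The rpcbind lines mirror the UDP port 111 listener the answer describes on
# a default Debian Wheezy install; the other entries are made up.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=412,fd=6))
udp   UNCONN 0      0      [::]:111            [::]:*            users:(("rpcbind",pid=412,fd=7))
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=401,fd=5))
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=520,fd=7))
tcp   LISTEN 0      5      0.0.0.0:3689        0.0.0.0:*         users:(("rhythmbox",pid=2211,fd=19))'

# Read ss output on stdin; print "EXPOSURE PROTO ADDR PORT PROCESS" per socket.
classify_listeners() {
    awk 'NR > 1 {
        # Local Address:Port is field 5; split at the last ":" so IPv6 works.
        at = match($5, /:[0-9*]+$/)
        addr = substr($5, 1, at - 1)
        port = substr($5, at + 1)
        # Process name is the first quoted string in users:(("name",pid=...)).
        proc = "-"
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        exposure = "EXPOSED"
        if (addr ~ /^127\./ || addr == "[::1]") exposure = "LOOPBACK"
        print exposure, $1, addr, port, proc
    }'
}

# Number of sockets reachable from other hosts in the ss output on stdin.
count_exposed() {
    classify_listeners | awk '$1 == "EXPOSED"' | wc -l | tr -d ' '
}

# Programs behind exposed sockets, one per line, deduplicated: the list to
# go through and remove/disable (rpcbind, the DAAP plugin) or deliberately
# allow through the firewall.
exposed_programs() {
    classify_listeners | awk '$1 == "EXPOSED" { print $5 }' | sort -u
}

# Run against the constructed sample. On a real host use:
#   sudo ss -tulpn | classify_listeners
printf '%s\n' "$SAMPLE_SS" | classify_listeners
```

The parser keys on the ss layout only; netstat -tupln prints its columns in a different order (Proto, Recv-Q, Send-Q, Local, Foreign, State, PID/Program), so feed it ss output. Root is needed for the process names to appear at all.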