When do I actually need a firewall?

ItsAFake , 5 months ago

It's to stop Genghis Khan from invading your computer.

lemmyvore , 5 months ago

You need to understand the mindset behind running a firewall, and that mindset is that you define with mathematical precision what's possible within the network connectivity of a device, you leave nothing to chance or circumstance, because doing so would be sloppy.

Provided you want to subscribe to this mindset, and that the circumstances of that device warrant it, and that you have the networking knowledge to pull it off, you should in theory start with a DENY policy on everything and open up specific ports for specific users and related connections only. But it's not trivial and if you're a beginner it's best done directly on the server console, because you WILL break your SSH connection doing this. And of course maybe not persist the firewall rules permanently until you've learned more and can verify you can get in.

Now obviously this is an extreme mindset and yes you should use it in a professional setting. As a hobbyist? Up to you. In theory you don't need a firewall if your server only exposes the services you want to expose and you were gonna expose them through the firewall anyway. In practice, keeping track on what's running on a box and what's using what connections can be a bit harder than that.

If you're a beginner my recommendation is to use a dedicated router running OpenWRT with LUCI, which comes with a sensible firewall out of the box, an easy to use UI, and other goodies like an easy to use DNS+DHCP server combo and the ability to install plugins for DoH, DDNS etc.

Kalcifer OP , 5 months ago

because you WILL break your SSH connection doing this

Haha, yeah, I've certainly inadvertently done this when I was first learning about how firewalls worked on Linux.

GravitySpoiled , 5 months ago (edited 5 months ago)

I've got two services on my computer. One is for email, I want that this port to be open to the public WAN and one is for immich which hosts all my private pictures, I don't want this port to be public but reachable on LAN. In my router I open the port for email but not for immich. Emal can communicate on LAN and WAN and immich only on LAN. On a foreign, untrusted LAN, like an airport I don't want other people being able to sniff my immich traffic which is why I have another firewall setting for an untrusted LAN.

Kalcifer OP , 5 months ago

This example feels mildly contrived, as it is probably unlikely that one would have an email server running on a mobile device, but I understand your point.

I have another firewall setting for an untrusted LAN

This sounds interesting. Is it possible to implement this with a packet filtering firewall (e.g. nftables)?

GravitySpoiled , 5 months ago

Probably

iopq , 5 months ago

Even if you do trust the software running on your computer, did you actually fuzz it for vulnerabilities? Heartbleed could steal your passwords even if you ran ostensibly trustworthy software.

So unless you harden the software and prove it's completely exploit-free, then you can't trust it.

Kalcifer OP , 5 months ago

Heartbleed could steal your passwords even if you ran ostensibly trustworthy software.

Heartbleed is independent of a firewall though -- it's a protocol vulnerability that was patched into a specific library -- this feels somewhat like a strawman argument.

So unless you harden the software and prove it’s completely exploit-free, then you can’t trust it.

The type of "firewall" that I am referring to operates at layer 3/4. From what I understand, you seem to be describing exploits closer to the application layer.

iopq , 5 months ago

I'm not saying there would be a Heartbleed 2.0 that you need a firewall against

I'm saying unless you read the code you're running, including the firmware and the kernel, how can you trust there isn't a remote execution exploit?

At work I showed a trivial remote execution using an upload form. If we didn't run php, it wouldn't happen. If the folder had proper .htaccess, it wouldn't happen. If we didn't trust the uploader's MIME type, it wouldn't happen.

There's something to be said about defense in depth. Even if you have some kind of a bug or exploit, the firewall just blocking everything might save you.

Kalcifer OP , 5 months ago

I’m saying unless you read the code you’re running, including the firmware and the kernel, how can you trust there isn’t a remote execution exploit?

A packet filtering firewall isn't able to protect against server, or protocol exploits directly. Sure, if you know that connections originating from a specific IP are malicious, then you can drop connections originating from that IP, but it will not be able to direclty protect against application layer exploits.

There do exist application layer firewalls (an example of which was pointed out to me here (opensnitch)), but those are out of the scope of this post.

bizdelnick , 5 months ago

You always need it and you actually use it. The smarter question is when you need to customize its settings. Defaults are robust enough, so unless you know what and why you need to change, you don't.

Kalcifer OP , 5 months ago

Defaults are robust enough

Would you mind defining what "defaults" are?

bizdelnick , 5 months ago

Defaults are the default settings of your firewall (netfilter in linux).

Kalcifer OP , 5 months ago

Is netfilter not just the API through which you can make firewall rules (e.g. nftables) for the networking stack?

TCB13 , 5 months ago

#1 leaves a lot to be desired, as it advocates for doing something without thinking about why you’re doing it – it is essentially a non-answer.

Agreed. That's mostly BS from people who make commissions from some vendor.

#2 is strange – why does it matter? If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router’s NAT at port 80 to open that server’s port to the public. What difference does it make to then have another firewall that needs to be port forwarded?

A Firewall might be more advanced than just NAT/poking a hole, it may do intrusion detection (whatever that means) and DDoS protection

#3 is a strange one – what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there’s nothing to access.

Maybe you've a bunch of IoT devices in your network that are sold by a Chinese company or any IoT device (lol) and you don't want them to be able to access the internet because they'll establish connections to shady places and might be used to access your network and other devices inside it.

#5 is the only one that makes some sense;

Essentially the same answer and in #3

If we're talking about your home setup and/or homelab just don't get a hardware firewall, those are overpriced and won't add much value. You're better off by buying an OpenWRT compatible router and ditching your ISP router. OpenWRT does NAT and has a firewall that is easy to manage and setup whatever policies you might need to restrict specific devices. You'll also be able to setup things such as DoH / DoT for your entire network, setup a quick Wireguard VPN to access your local services from the outside in a safe way and maybe use it to setup a couple of network shares. Much more value for most people, way cheaper.

Kalcifer OP , 5 months ago

A Firewall might be more advanced than just NAT/poking a hole, it may do intrusion detection (whatever that means) and DDoS protection

I mean, sure, but the original question of why there's a need for a second firewall still exists.

Maybe you’ve a bunch of IoT devices in your network that are sold by a Chinese company or any IoT device (lol) and you don’t want them to be able to access the internet because they’ll establish connections to shady places and might be used to access your network and other devices inside it.

This doesn't really answer the question. The device without a firewall would still be on the same network as the "sketchy IoT devices". The question wasn't about whether or not you should have outgoing rules on the router preventing some devices from making contact with the outside world, but instead was about what risk there is to a device that doesn't have a firewall if it doesn't have any services listening.

Essentially the same answer and in #3

Somewhat, only I would solve it using an application layer firewall rather than a packet filtering firewall (if it's even possible to practically solve that with a packet filtering firewall without just dropping all outgoing packets, that is).

just don’t get a hardware firewall

What is the purpose of these devices? Is it because enterprise routers don't contain a firewall within them, so you need a dedicated device that offers that functionality?

TCB13 , 5 months ago

I don't know what else is there to answer about the purpose of a hardware firewall.

Hardware firewalls have their use cases, mostly overkill for homelabs and most companies but they have specific features you may want that are hard or impossible to get in other ways.

A hardware firewall may do the following things:

• Run DPI and effectively block machines on the network to access certain protocols, websites, hosts or detect whenever some user is about to download malware and block it;
• Run stats and alert sysadmins of suspicious behaviors like a user sending large amount of confidential data to the outside;
• Have "smart" AI features that will detect threats even when they aren't known yet;
• Provide VPN endpoints and site-to-site connections. This is very common in brands like WatchGuard;
• Higher throughput than your router while doing all the other operations above;
• Better isolation.

An isolated device is the fact that you can then play around with your routers without having to think about the security as much - you may break them, mess some config but you can be sure that the firewall is still in place and doing its job. The firewall becomes both a virtual and a physical and physiological barrier between your network and the outside, there's less risk of plugging a wire on the wrong spot or a apply a configuration and suddenly having your entire network exposed.

Sure you may be able to setup something on OpenWRT to cover most of the things I listed before but how much time will you spend on that? Will it be as reliable? What about support? A Pi-hole is also another common solution for those problems, and it may work until a specific machines devices to ignore its DNS server and go straight to the router / outside.

You can even argue that you can virtualize something like pfSense or OPNsense on some host that also virtualizes your router and a bunch of other stuff, however, is it wise? Most likely not. Virtualization is mostly secure but we've seen cases from time to time where a compromised VM can be used to gain access to the host or other VMs, in this case the firewall could be hacked to access the entirety of your network.

When you've to manage larger networks, lets say 50* devices I believe it becomes easier to see how a hardware firewall can become useful. You can't simply trust all those machines, users and software policies in them to ensure that things are secure.

Kalcifer OP , 5 months ago

Have “smart” AI features that will detect threats even when they aren’t known yet;

This is a crazy one -- pattern recognition of traffic.

Higher throughput than your router while doing all the other operations above;

Fair point! I hadn't considered that one.

You can even argue that you can virtualize something like pfSense or OPNsense on some host

This is an intriguing idea. I hadn't heard of it before.

also virtualizes your router

How would one virtualize a router...? That sounds strange, to say the least.

TCB13 , 4 months ago

[virtualized router/firewall] This is an intriguing idea. I hadn’t heard of it before.

• https://forum.opnsense.org/index.php?topic=31809.0
• https://docs.netgate.com/pfsense/en/latest/virtualization/index.html
• https://www.sdxcentral.com/networking/nfv/definitions/whats-network-functions-virtualization-nfv/nfv-elements-overview/whats-a-virtual-router-vrouter/
• https://hometechhacker.com/how-why-i-built-virtual-router/
• https://netshopisp.medium.com/pros-and-cons-of-installing-pfsense-as-virtual-vs-dedicated-server-9e12d39c4cfd
• https://openwrt.org/docs/guide-user/virtualization/qemu

Virtualized routers and firewalls are more common than you might think, specially in large datacenters and other deployments that require a lot of flexibility / SDN.

Other people just like the convenience of having a single machine / mini PC whatever that runs everything from their router/firewall to their NAS and VMs to self-host stuff.

But... at the end of the day virtualization is only mostly secure and we’ve seen cases where a compromised VM can be used to gain access to the host or other VMs, in this case the firewall could be hacked to access the entirety of your network.

Petter1 , 5 months ago

You most likely don’t need on device firewall if your in your home network behind a router that has a firewall. If you‘d disable that firewall as well and one of your devices has e.g. SSH activated using username and password, than there is nothing stopping a "hacker" or "script kiddy" from penetrating/spamming your SSH port and brute force your password. The person than can take over your PC and can e.g. install software for his botnet or install keylogger or can overtake your browser session including all authentication cookies or many other bad stuff.

If you are using puplic WiFi, I’d recommend a good on device firewall, or better just use a VPN to get an encrypted tunnel to your home (where you would need to open a port for that tho) and go into the internet from there.

Kalcifer OP , 5 months ago

You most likely don’t need on device firewall if your in your home network behind a router that has a firewall.

Under what circumstance(s) would one need a device firewall? If I were to guess, I would say that it is when the internet facing device doesn't contain a firewall within it (e.g. some enterprise-grade router), so a dedicated firewall device must exist behind it.

thanks_shakey_snake , 5 months ago

For me, it's primarily #5: I want to know which apps are accessing the network and when, and have control over what I allow and what I don't. I've caught lots of daemons for software that I hadn't noticed was running and random telemetry activity that way, and it's helped me sort-of sandbox software that IMO does not need access to the network.

Not much to say about the other reasons, other than #2 makes more sense in the context of working with other people: If your policy is "this is meant to be an HTTPS-only machine," then you might want to enforce that at the firewall level to prevent some careless developer from serving the app on port 80 (HTTP), or exposing the database port while they're throwing spaghetti at the wall wrestling with some bug. That careless developer could be future-you, of course. Then once you have a policy you like, it's also easier to copy a firewall config around to multiple machines (which may be running different apps), instead of just making sure to get it consistently right on a server-by-server basis.

So... Necessary? Not for any reason I can think of. But useful, especially as systems and teams grow.

Kalcifer OP , 5 months ago

I’ve caught lots of daemons for software that I hadn’t noticed was running and random telemetry activity that way

I did the exact same thing recently when I installed OpenSnitch -- it was quite interesting to see all the requests that were being made.

If your policy is “this is meant to be an HTTPS-only machine,” then you might want to enforce that at the firewall level to prevent some careless developer from serving the app on port 80 (HTTP), or exposing the database port while they’re throwing spaghetti at the wall wrestling with some bug. That careless developer could be future-you, of course.

That's a fair point!

Atemu , 5 months ago

#2 is strange -- why does it matter?

It doesn't. If you're running a laptop with a local web server for development, you wouldn't want other devices in i.e. the coffee shop WiFi to be able to connect to your (likely insecure) local web server, would you?

If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router's NAT at port 80 to open that server's port to the public. What difference does it make to then have another firewall that needs to be port forwarded?

Who is "they"? What about all the other ports?

Imagine a family member visits you and wants internet access in their Windows laptop, so you give them the WiFi password. Do you want that possibly malware infected thing poking around at ports other than 80 running on your server?

Obviously you shouldn't have insecure things listening there in the fist place but you don't always get to choose whether some thing you're hosting is currently secure or not or may not care too much because it's just on the local network and you didn't expose it to the internet.
This is what defense in depth is about; making it less likely for something to happen or the attack less potent even if your primary protections have failed.

#3 is a strange one -- what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there's nothing to access

Mostly addressed by the above but also note that you likely do have applications listening on ports you didn't know about. Take a look at sudo ss -utpnl.

#5 is the only one that makes some sense; if you install a program that you do not trust (you don't know how it works), you don't want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device's actions.

It's rather the other way around; you don't want the outside world to be able to talk to untrusted software on your computer. To be a classical "door", the application must be able to listen to connections.

OTOH, smarter malware can of course be something like a door by requesting intrusion by itself, so outbound filtering is also something you should do with untrusted applications.

People seem to treat it as if it's acting like the front door to a house, but this analogy doesn't make much sense to me -- without a house (a service listening on a port), what good is a door?

I'd rather liken it to a razor fence around your house, protecting you from thieves even getting near it. Your windows are likely safe from intrusion but they're known to be fragile. Razor fence can also be cut through but not everyone will have the skill or patience to do so.

If it turned out your window could easily be opened from the outside, you'd rather have razor fence in front until you can replace the window, would you?

Kalcifer OP , 5 months ago

If you’re running a laptop with a local web server for development, you wouldn’t want other devices in i.e. the coffee shop WiFi to be able to connect to your (likely insecure) local web server, would you?

This is a fair point that I hadn't considered for the mobile use-case.

Imagine a family member visits you and wants internet access in their Windows laptop, so you give them the WiFi password. Do you want that possibly malware infected thing poking around at ports other than 80 running on your server?

Fair point!

note that you likely do have applications listening on ports you didn't know about. Take a look at sudo ss -utpnl.

Interesting! In my case I have a number of sockets from spotify, and steam listening on port 0.0.0.0. I would assume, that these are only available to connections from the LAN?

It's rather the other way around; you don't want the outside world to be able to talk to untrusted software on your computer. To be a classical "door", the application must be able to listen to connections.

OTOH, smarter malware can of course be something like a door by requesting intrusion by itself, so outbound filtering is also something you should do with untrusted applications.

It could also be malicious software that simply makes a request to a remote server -- perhaps even siphoning your local data.

If it turned out your window could easily be opened from the outside, you'd rather have razor fence in front until you can replace the window, would you?

Fair point!

Atemu , 5 months ago

In my case I have a number of sockets from spotify, and steam listening on port 0.0.0.0. I would assume, that these are only available to connections from the LAN?

That's exactly the kind of thing I meant :)

These are likely for things like in-house streaming, LAN game downloads and remote music playing, so you may even want to consider explicitly allowing them through the firewall but they're also potential security holes of applications running under your user that you have largely no control over.

Kalcifer OP , 5 months ago

These are likely for things like in-house streaming, LAN game downloads and remote music playing, so you may even want to consider explicitly allowing them through the firewall

I looked up a few of the ports, and yeah an example of one of them was Steam Remote Play.

wolf , 5 months ago

Seriously, unless you are extremely specialized and know exactly what you are doing, IMHO the answer is: Always (and even being extremely specialized, I would still enable a firewall. :-P)

Operating systems nowadays are extremely complex with a lot of moving parts. There are security relevant bugs in your network stack and in all applications that you are running. There might be open ports on your computer you did not even think about, and unless you are monitoring 24/7 your local open ports, you don't know what is open.

First of all, you can never trust other devices on a network. There is no way to know, if they are compromised. You can also never trust the software running on your own computer - just look at CVEs, even without malicious intentions your software is not secure and never will be.

As soon as you are part of a network, your computer is exposed, doesn't matter if desktop/laptop, and especially for attacking Linux there is a lot of drive by attacks happening 24/7.

Your needs for firewalls mostly depend on your threat model, but just disabling accepting incoming requests is trivial and increases your security by a great margin. Further, setting a rate limit for failed connection attempts for open ports like SSH if you use this services, is another big improvement for security. (... and of course disabling password authentication, YADA YADA)

That said, obviously security has to be seen in context, the only snake oil that I know of are virus scanners, but that's another story.

People, which claim you don't need a firewall make at least one of the following wrong assumptions:

• Your software is secure - demonstrably wrong, as proven by CVEs
• You know exactly what is running/reachable on your computer - this might be correct for very small specialized embedded systems, even for them one still must always assume security relevant bugs in software/hardware/drivers

Security is a game, and no usable system can be absolutely secure. With firewalls, you can (hopefully) increase the price for successful attacks, and that is important.

bushvin , 5 months ago

You may also want to check up on regulations and laws of your country.

In Belgium, for instance, I am responsible for any and all attacks originating from my PC. If you were hacked and said hackers used your computer to stage an attack, the burden of proof is upon you. So instead of hiring very expensive people to trace the real source of an attack originating from your own PC, enabling a firewall just makes sense, besides making it harder on hackers…

Kalcifer OP , 5 months ago

That's a strange law. That's like saying one should be held responsible for a thief stealing their car and then running over someone with it (well, perhaps an argument could be made for that, but I would disagree with it).

Kalcifer OP , 5 months ago (edited 5 months ago)

Seriously, unless you are extremely specialized and know exactly what you are doing, IMHO the answer is: Always

In what capacity, though? I see potential issues with both server firewalls, and client firewalls. Unless one wants their devices to be offline, there will always be at least one open port (for example, inbound on a server, and outbound on a client) which can be used as an attack vector.

wolf , 5 months ago

Perhaps I don't understand your point. If I understand your point in the sense that there are also issues with firewalls and that one always has attack vectors against usable systems, I fully agree with your remark. My point is simply, as a rule of thump a firewall usually mitigates a lot of attack vectors (see my remark about LIMIT for ssh ports elsewhere). Especially for client systems having a firewall which blocks all incoming traffic by default is IMHO high payoff for almost no effort.

Kalcifer OP , 5 months ago

My point is simply, as a rule of thump a firewall usually mitigates a lot of attack vectors

The only quibble that I would have with your statement is that I would say that it's better to word it as it "mitigates a lot of potential attack vectors", but, other than that, I completely agree with what you said.

kby , 5 months ago

I personally use a firewall for containing the local services I am running on my non-server PC, ex. Tiny Tiny RSS. If I am only using Tiny Tiny RSS locally, it's just potentially dangerous to make this service visible and accessible for every client in my local network, which in my case, isn't populated by my own personal devices, as I live in a dormitory. Other than that, you can block the well-known ports of commonly exploited protocols such as UPnP. That's not because someone will "break into your device" with UPnP, but rather as a matter of digital autonomy, to control the mode of network communication done by the software on your device.

h3ndrik , 5 months ago (edited 5 months ago)

You're right. If you don't open up ports on the machines, you don't need a firewall to drop the packages to ports that are closed and will drop the packets anyways. So you just need it if your software opens ports that shouldn't be available to the internet. Or you don't trust the software to handle things correctly. Or things might change and you or your users install additional software and forget about the consequences.

However, a firewall does other things. For example forwarding traffic. Or in conjunction with fail2ban: blocking people who try to guess ssh passwords and connect to your server multiple times a second.

Edit:

1. “It’s just good security practice.” => nearly every time I've heard that people followed up with silly recommendations or were selling snake-oil.
2. “You [just] need it if you are running a server.” => I'd say it's more like the opposite. A server is much more of a controlled environment than lets say a home network with random devices and people installing random stuff.
3. “You need it if you don’t trust the other devices on the network.” => True, I could for example switch on and off your smarthome lights or disable the alarm and burgle your home. Or print 500 pages.
4. “You need it if you are not behind a NAT.” => Common fallacy, If A then B doesn't mean If B then A. Truth is, if you have a NAT, it does some of the jobs a firewall does. (Dropping incoming traffic.)
5. “You need it if you don’t trust the software running on your computer.” => True

wolf , 5 months ago

You’re right. If you don’t open up ports on the machines, you don’t need a firewall to drop the packages to ports that are closed and will drop the packets anyways.

Sorry, hard disagree.

I assume you are assuming:
1.) You know about all open ports at all times, which is usually not the case
2.) There are no bugs/errors in the network stacks or services with open ports (e.g. you assume a port is only available to localhost)
3.) That there are no timing attacks which can easily be mitigated by a firewall
4.) That software one uses does not trigger/start other services transitively which then open ports you are not even aware of w/o constant port scanning

I agree with your point, that a server is a more controlled environment. Even then, as you pointed out, you want to rate limit bad login attempts via firewall/fail2ban etc. for the simple reason, that even a fully updated ssh server might use a weak key (because of errors/bugs in software/hardware during key generation) and to prevent timing attacks etc.

In summary: IMHO it is bad advice to tell people they don't need a firewall, because it is demonstrably wrong and just confuses people like OP.

h3ndrik , 5 months ago (edited 5 months ago)

Sure, maybe I've worded things too factually and not differentiated between theory and practice. But,

1. "you know everything": I've said that. Configurations might change or you you don't pay enough attention: A firewall adds an extra layer of security. In practice people make mistakes and things are complex. In theory where everything is perfect, blocking an already closed port doesn't add anything.
2. "There are no bugs in the network stack": Same applies to the firewall. It also has a network stack and an operating system and it's connected to your private network. Depends on how crappy network stacks you're running and how the network stack of the firewall compares against that. Might even be the same as on my VPS where Linux runs a firewall and the services. So this isn't an argument alone, it depends.
3. Who migitates for timing attacks? I don't think this is included in the default setup of any of the commonly used firewalls.
4. "open ports you are not even aware of": You open ports then. And your software isn't doing what you think it does. We agree that this is a use-case for a firewall. that is what I was trying to convey with the previous argument no 5.

Regarding the summary: I don't think I want to advise people not to use a firewall. I thought this was a theoretical discussion about single arguments. And it's complicated and confusing anyways. Which firewall do you run? The default Windows firewall is a completely different thing and setup than nftables and a Linux server that closes everything and only opens ports you specifically allow. Next question: How do you configure it? And where do you even run it? On a seperate host? Do you always rent 2 VPS? Do you do only do perimeter security for your LAN network and run a single firewall? Do you additionally run firewalls on all the connected computers in the network? Does that replace the firewall in front of them? What other means of security protection did you implement? As we said a firewall won't necessarily protect against weak passwords and keys. And it might not be connected to the software that gets brute-forced and thus just forward the attack. In practice it's really complicated and it always depends on the exact context. It is good practice to not allow everything by default, but take the approach to block everything and explicitly configure exceptions like a firewall does. It's not the firewall but this concept behind it that helps.

wolf , 5 months ago

I think I get you and the 'theory vs. practice' point you make is very valid. ;-) I mean, in theory my OS has software w/o bugs, is always up-to-date and 0-days do not exist. (Might even be true in practice for a default OpenBSD installation regarding remote vulnerabilities. :-P)

Who migitates for timing attacks? I don’t think this is included in the default setup of any of the commonly used firewalls.

fail2ban absolutely mitigates a subset of timing attacks in its default setup. ;-)

LIMIT is a high level concept which can easily applied for ufw, don't know about default setups of commonly used firewalls.

If someone exposes something like SSH or anything else w/o fail2ban/LIMIT IMHO that is grossly incompetent.

You are totally right, of course firewalls have bugs/errors/miss configurations... BUT ... if you are using a Linux firewall, good chances are, that the firewall has been reviewed/attacked/pen tested more often and thoroughly than almost all other services reachable from the internet. So, if I have to choose between a potential attacker first hitting a well tested and maintained firewall software or a MySQL server, which got no love from Orcacle and lives in my distribution as an outdated package, I'll put my money on the firewall every single time. ;-)

h3ndrik , 5 months ago (edited 5 months ago)

Thank you for pointing out that my arguments don't necessarily apply to reality. Sometimes I answer questions too direct. And the question wasn't "should I use a firewall" or I would have answered with "probably yes."

I think I have to make a few slight corrections: I think we use the word "timing attack" differently. To me a timing attack is something that relies on the exact order or interval/distance packets arrive at. I was thinking of something like TOR does where it shuffles around packets, waits for a few milliseconds, merges them or maybe blows them up so they all have the same size. Brute forcing something isn't exploiting the exact time where a certain packet arrives, it's just sending many of them and the other side lets the attacker try an indefinite amount of passwords. But I wouldn't put that in the same category with timing attacks.

Firewall vs MySQL: I don't think that is a valid comparison. The firewall doesn't necessarily look into the packets and detect that someone is running a SQL injection. Both do a very different job. And if the firewall doesn't do deep-packet-inspection or rate limiting or something, it just forwards the attack to the service and it passes through anyways. And MySQL probably isn't a good example since it rarely should be exposed to the internet in the first place. I've configured MariaDB just to listen on the internal interface and not to packets from other computers. Additionally I didn't open the port in the firewall but MariaDB doesn't listen on that interface anyways. Maybe a better comparison would be a webserver with https. The firewall can't look into the packets because it's encrypted traffic. It can't tell apart an attack from a legitimate request and just forwards them to the webserver. Now it's the same with or without a firewall. Or you terminate the encrypted traffic at the firewall, do packet inspection or complicated heuristics. But that shifts the complexity (including potential security vulberabilities in complex code) from the webserver to the firewall. And it's a niche setup that also isn't well tested. And you need to predict the attacks. If your software has known vulnerabilities that won't get fixed, this is a valid approach. But you can't know future attacks.

Having a return channel from the webserver/software to the firewall so the application can report an attack and order the firewall to block the traffic is a good thing. That's what fail2ban is for. I think it should be included by default wherever possible.

I think there is no way around using well-written software if you expose it to the internet (like a webserver or a service that is used by other people.) If it doesn't need to be exposed to the internet, don't do it. Any means of assuring that are alright. For crappy software that is exposed and needs to be exposed, a firewall doesn't do much. The correct tools for that are virtualization, containers, VPNs, and replacing that software... Maybe also the firewall if it can tell apart good and bad actors by some means. But most of the time that's impossible for the firewall to tell.

I agree. You absolutely need to do something about security if you run services on the internet. I do and have ran a few services. And especially webserver-logs (especially if you have a wordpress install or some other commonly attacked CMS), SSH and Voice-over-IP servers get bombarded with automated attacks. Same for Remote-Desktop, Windows-Networkshares and IoT devices. If I disable fail2ban, the attackers ramp up the traffic and I can see attacks scroll through the logfiles all day.

I think a good approach is:

1. Choose safe passwords and keys.
2. Don't allow people to brute-force your login credentials.
3. If you don't need a service, deactivate it entirely and remove the software.
4. If you just need a service internally, don't expose it to the internet. A firewall will help, and most software I use can be configured to either listen on external requests or don't do it. Also configure your software to just listen on/to localhost (127.0.0.1). Or just the LAN that contains the other things that tie into it. Doing it at two distinct layers helps if you make mistakes or something happens by accident or complexity or security vulnerabilities arise. (Or you're not in complete control of everything and every possibility.)
5. If only some people need a service, either make it as secure as a public service or hide it behind a VPN.
6. Perimeter security isn't the answer to everything. The subject is complex and we have to look at the context. Generally it adds, though.
7. If you run a public service, do it right. Follow state of the art security practices. It's always complicated and depends on your setup and your attackers. There are entire books written about it, people dedicate their whole career to it. For every specific piece of software and combination, there are best practices and specific methods to follow and implement. Lots of things aren't obvious.
8. Do updates and backups.

Kalcifer OP , 5 months ago

True, I could for example switch on and off your smarthome lights or disable the alarm and burgle your home. Or print 500 pages.

How would the firewall on one device prevent other devices from abusing the rest of the network? Perhaps you misunderstood the original intent of my post. I certainly wouldn't blame you if that is the case, though -- when I made my post I was far too vague in my intent -- perhaps I simply didn't think through my question enough, but the more likely answer is that I simply wasn't knowledgeable enough on the topic to accurately pose the question that I wanted to ask.

Common fallacy, If A then B doesn’t mean If B then A. Truth is, if you have a NAT, it does some of the jobs a firewall does. (Dropping incoming traffic.)

Fair point!

“You need it if you don’t trust the software running on your computer.” => True

For this, though, the only solution to it would be an application layer firewall like OpenSnitch, correct?

h3ndrik , 5 months ago (edited 5 months ago)

How would the firewall on one device prevent other devices from abusing the rest of the network?

Sure. I'm not exactly sure any more what I was trying to convey. I think I was going for the firewall as a means if perimeter security. Usually devices are just configured to allow access to devices from the same Local Access Network. This is the case for lots of consumer electronics (and some enterprises also rely on securing the perimeter, once you get in their internal network, you can exploit that.) My printer lets everyone print and scan, no password setup required while installing the drivers. The wifi smart plugs I use to turn on and off the mood light in the livingroom also per default accept everyone in the WiFi. And lots of security cameras also have no password on them or people don't change the default since they're the only ones able to connect to the home WiFi. This works, since usually there is a Wifi router that connects to the internet and also does NAT, which I'd argue is the same concept as a firewall that discards incoming connections. And while wifi protocols have/had vulnerabilities, it's fairly uncommon that people go wardriving or close to your house to crack the wifi password. However, since you mentioned mixing devices you trust and devices you don't trust... That can have bad consequences in a network setup like this. You either do it properly, or you need some other means to secure your stuff. That may be isolating the cheap chinese consumer electronic with god knows which bugs and spying tech from the rest of the network. And/or shielding the devices you can't set up a password on.

the only solution to it would be an application layer firewall like OpenSnitch, correct?

I don't think you can make an absolute statement in this case. It depends on the scenario, as it always does with security. If you have broken web software with known and unpatched vulnerabilities, a Web Application Firewall might filter out malicious requests. An Application Firewall if other software is susceptible to attacks or might become the attacker itself (I'm not entirely sure what they do.) But you might also be able to use a conventional firewall (or a VPN) to restrict access to that software to trusted users only. For example drop all packets if it's not you interacting with that piece of software. And you can also combine several measures.

Kalcifer OP , 5 months ago

I think I was going for the firewall as a means if perimeter security.

Are you referring to the firewall on the router?

it’s fairly uncommon that people go wardriving

Interesting. I hadn't heard of this.

That may be isolating the cheap chinese consumer electronic with god knows which bugs and spying tech from the rest of the network.

As in blocking or restricting their communication with the rest of the lan in the router's firewall, for example? Or, perhaps, putting them behind their own dedicated firewall (this is probably superfluous to the firewall in the router though).

But you might also be able to use a conventional firewall (or a VPN) to restrict access to that software to trusted users only

For clarity's sake, would you be able to provide an example of how this could be implemented? It's not immediately clear to me exactly what you are referring to when combining "user" with network related topics.

h3ndrik , 4 months ago (edited 4 months ago)

Are you referring to the firewall on the router?

Yes. At home this will run on your (wifi) router. But the standard rules on that are pretty simple: Discard everything incoming, allow everything outgoing. Companies might have a dedicated machine, something like a pfSense in a server rack at each of their subsidiaries and draw a perimeter line around what they deem fit, the office building, a department, or separate the whole company's internal network from the internet. (Or a combination of those.) You just have one point at home where two network segments interconnect: your router.

I think it is important to distinguish between this kind of firewall and something that runs on a desktop computer. I'd call that a personal firewall or desktop firewall. It does different things: like detect what kind of network you're connected to. Enable access when you're at your workplace but inhibit the Windows network share when you're at the airport wifi. It adds a bit of protection to the software running on the computer, and can also filter packets from the LAN. And it's often configured to be easygoing in order not to get in the way of the user. But it is not an independent entity, since it runs on the same machine that it is protecting. If that computer gets compromised for example, so is the personal firewall. A dedicated firewall however runs on a dedicated and secure machine, one where there is no user software installed that could interfere with it. And at a different location, it filters traffic between network segments, so it might be physically at some network interconnect. There are lots of different ways to do it, and people apply things in different ways. Such a firewall might not be able to entirely protect you or stop malicious activity spread within the attached network at all. And of course you need the correct policy and type in the rules that allow people at the company to be able to work, but inhibit everything else. Perfection is more a theoretical concept here and nothing that can be achieved in reality.

[isolating the cheap chinese consumer electronics] As in blocking or restricting their communication with the rest of the lan in the router’s firewall, for example?

Yes, you'd need to separate them from the rest of the network so your router gets in-between of them. Lots of wifi routers can open an additional guest network, or do several independent WiFis. For cables there is VLAN. For example: You configure 4 independent networks, get your computers on one network, your IoT devices on another network, your TV and NAS storage on a third and your guests and visitors on yet another. You tell your router the IoT devices can't be messed with by guests and they can only connect to their respective update servers on the internet and your smarthome. Your guests can only connect to the internet but not to your other devices or each other. The TV is blocked from sending your behavior tracking data to arbitrary companies, it can only access your NAS and update servers. The devices you trust go on the network that is easygoing with the restrictions. You can make it arbitrarily complex or easy. This would be configured with the firewall of the router.

But an approach like this isn't perfect by any means. The IoT devices can still mess with each other. Everything is a hassle to set up. And the WiFi is a single point of failure. If there are any security vulnerabilities in the WiFi stack of the router, attackers are probably just as likely to get into the guest wifi as they'd get into your secured wifi. And then the whole setup and separating things was an exercise in futility.

would you be able to provide an example of how this [use a conventional firewall (or a VPN) to restrict access to that software to trusted users only] could be implemented? It’s not immediately clear to me exactly what you are referring to when combining “user” with network related topics.

I mean something like: You have a network drive that you use to upload your vacation pictures to in case your camera/phone gets stolen. You can now immediately block everyone from all countries except from France, since you're traveling there. This would be kind of a crude example but alike what we sometimes do with our credit cards. You can also set up a VPN that connects specifically you to your home-network or services. Your Nextcloud server can't be reached or hacked from the internet, unless you also have the VPN credentials to connect to it in the first place. You obviously need some means of mapping the concept 'user' to something that is distinguishable from a network perspective. If you know in advance what IP addresses you're going to use to connect, this is easy. If you don't, you have to use something like a VPN to accomplish that, make just your phone be able to dial in to your home network. (Or compromise, like in the France example.)

Kalcifer OP , 4 months ago

Enable access when you’re at your workplace but inhibit the Windows network share when you’re at the airport wifi.

How would something like this be normally accomplished? I know that Firewalld has the ability to select a zone based on the connection, but, if I understand correctly, I think this is decided by the Firewalld daemon, rather than the packet filtering firewall itself (e.g. nftables). I don't think an application layer firewall would be able to differentiate networks, so I don't think something like OpenSnitch would be able to control this, for example.

But an approach like this isn’t perfect by any means. The IoT devices can still mess with each other. Everything is a hassle to set up. And the WiFi is a single point of failure.

What would be a better alternative that you would suggest?

You can also set up a VPN that connects specifically you to your home-network or services. Your Nextcloud server can’t be reached or hacked from the internet, unless you also have the VPN credentials to connect to it in the first place.

The unfortunate thing about this -- and I have encountered this personally -- is that some networks may block VPN related traffic. You can take measures to attempt to obfuscate the VPN traffic from the network, but it is still a potential headache that could lock you out of using your service.

h3ndrik , 4 months ago (edited 4 months ago)

I think this is decided by the Firewalld daemon, rather than the packet filtering firewall itself

Mmh, I probably was way to vague with that. This is done by something like FirewallD or whatever Windows or MacOS uses for this. AFAIK it then uses packet filtering to accomplish the task. Seems FirewallD includes the packet filtering too and not tie into nftables and transfer the filtering task to that. I don't think OpenSnitch does things like that. I'm really not an expert on firewalls. I could be wrong. If you read the Wikipedia article (which isn't that good) you'll see there are at least 3 main types of firewall, probably more sub-types and a plethora of different implementations. Some software does more than one of the things. And everything kinda overlaps. Depending on the use-case you might need more than just one concept like packet-filtering. Or connect different software, for example detect which network was connected to and re-configure the packet filter. Or like fail2ban: read the logfiles with one piece of software and hand the results to the packet filter firewall and ban the hackers.

I don't really know how the network connection detection is accomplished and manages the firewall. Either something pops up and I click on it, or it doesn't. My laptop has just 3 ports open, ssh, ipp (printing) and mdns. I haven't felt the need to address that and care about a firewall on that machine. But I've made mistakes. I had MDNS or Bonjour or whatever automatically shows who is on the network and which services they offer activated and it showed some of the Apple devices at work and I didn't intend to show up in anyone's chat with my laptop or anything. And at one point I forgot to deactivate a webserver on my laptop. I had used that to design a website and then forgotten about. Everyone in the local networks I've connected to in that time could have accessed that and depending on where I was that could have made me mildly embarassed. But no-one did and I eventually deleted the webserver. I think I've been living alright without caring about a firewall on my private laptop. I could have prevented that hypothetical scenario by using a firewall that detects where I'm at, but far more embarassing stuff happens to other people. Like people changing their name and then Airdropping silly stuff to people who are just holding a lecture, or Skype popping up while their screen is mirrored to the beamer infront of a large audience. But that has nothing to do with firewalls. Also, in the old days every Windows and network share was displayed on the whole network anyways. Nothing ever happened to me. And while I think that is not a good argument at all, I feel protected enough by using the free software I do and roughly knowing how to use a computer. I don't see a need to install a firewall just to feel better. Maybe that changes once my laptop is cluttered and I lose track of what software opens new ports.

On my server I use nftables. Drop everything and specifically allow the ports that I want to be open. In case I forget about an experiment or configure something entirely wrong (which also has happened) it adds a layer of protection there. I handle things differently because the server is directly connected to the internet and targeted, and my laptop is behind some router or firewall all the time. Additionally, I configured fail2ban and configured every service so it isn't susceptible to brute-forcing the passwords. I'm currently learning about Web Application Firewalls. Maybe I'll put ModSecurity in-front of my Nextcloud. But it should be alright on it's own, I keep it updated and followed best practices when setting it up.

[IoT devices] What would be a better alternative that you would suggest?

I really don't have a good answer to that. Separating your various assortment of IoT devices from the rest of the network is probably a good idea. I personally would stop at that. I wouldn't install cameras inside of my house and not buy an Alexa. I have a few smart lightbulbs and 2 thermostats, they communicate via Zigbee (and not Wifi), so that's my separate network. And I indeed have a few Wifi IoT devices, a few plugs and an LED-strip. I took care to buy ones where I could hack the firmware and flash Tasmota or Esphome on them. So they run free software now and don't connect to some manufacturers cloud. And I can keep them updated and hopefully without security vulnerabilities indefinitely, despite them originally being really cheap no-name stuff from china.

You can also set up a guest Wifi (for your guests) if you want to. I recently did, but didn't bother to do it for many years. I feel I can trust my guests, we're old enough now and outgrew the time when it was funny to mess with other people's stuff, set an alarm to 3am or change the language to arabic. And all they can do is use my printer anyways. So I usually just give my wifi password to anyone who asks.

However, what I do might not be good advice for other people. I know people who don't like to give their wifi credentials to anyone, since it could be used to do illegal stuff over the internet connection. That would backfire on who owns the internet connection and they'd face the legal troubles. That will also happen if it's a guest wifi. I'm personally not a friend of that kind of legislation. If somebody uses my tools to commit a crime, I don't think I should be held responsible for that. So I don't participate in that fearmongering and just share my tools and internet connection anyways.

(And you don't absolutely need to put in all of that effort at home. Companies need to do it, since sending all the employers home and then paying 6 figures to another company to analyze the attack and restore the data is very expensive. At home you're somewhat unlikely to get targeted directly. You'll just be probed by all the stuff that scans for vulnerable and old IoT devices, open RDP connections, SSH, insecure webservers and badly configured telephony boxes. Your home wifi router will do the bare minimum and the NAT on it will filter that out for you. Do Backups, though.)

some networks may block VPN related traffic

That's a bummer. There is not much you can do except obfuscate your traffic. Use something that runs on port 443 and looks like https (i think that'd be a TCP connection) or some other means of obfuscating the traffic. I think there are several approaches available.

Kalcifer OP , 4 months ago

for example detect which network was connected to and re-configure the packet filter.

Firewalld is capable of this -- it can switch zones depending on the current connection.

And while I think that is not a good argument at all, I feel protected enough by using the free software I do and roughly knowing how to use a computer. I don’t see a need to install a firewall just to feel better. Maybe that changes once my laptop is cluttered and I lose track of what software opens new ports.

There does still exist the risk of a vulnerability being pushed to whatever software that you use -- this vulnerability would be essentially out of your control. This vulnerability could be used as a potential attack vector if all ports are available.

I’m currently learning about Web Application Firewalls. Maybe I’ll put ModSecurity in-front of my Nextcloud.

Interesting! I haven't heard of this. Side note, out of curiosity, how did you go about installing your Nextcloud instance? Manual install? AIO? Snap?

I’m personally not a friend of that kind of legislation. If somebody uses my tools to commit a crime, I don’t think I should be held responsible for that.

It would be a rather difficult thing to prove -- one could certainly just make the argument that you did, in that someone else that was on the guest network did something illegal. I would argue that it is most likely difficult to prove otherwise.

h3ndrik , 4 months ago (edited 4 months ago)

There does still exist the risk of a vulnerability being pushed to whatever software that you use – this vulnerability would be essentially out of your control. This vulnerability could be used as a potential attack vector if all ports are available.

But this is a really difficult thing to protect from. If someone gets to push code on my computer that gets executed, I'm entirely out of luck. It could do anything that that process is allowed to do, send data, mess with my files and databases or delete stuff. I'm far more worried about the latter. Sandboxing and containerization are ways to mitigate for this. And it's the reason why I like Linux distributions like Debian. There's always the maintainers and other people who use the same software packages. If somebody should choose to inject malicious code into their software, or it gets bought and the new company adds trackers to it, it first has to pass the (Debian) maintainers. They'll probably notice once they prepare the update (for Debian). And it gets rolled out to other people, too. They'll probably notice and file a bugreport. And I'm going to read it in the news, since it's something that rarely happens at all on Linux.

On the other hand it could happen not deliberately but just be vulnerable software. That happens and can be exploited and is exploited in the real world. I'm also forced to rely on other people to fix that before something happens to me. Again sandboxing and containerization help to contain it. And keeping everything updated is the proper answer to that.

What I've seen in the real world is a CMS being compromised. Joomla had lots of bugs and Wordpress, too. If people install lots of plugins and then also don't update the CMS, let it rot and don't maintain the server at all, after like 2 years(?) it can get compromised. The people who constantly probe all the internet servers will at some point find it and inject something like a rootkit and use the server to send spam, or upload viruses or phishing sites to it. You can pay Cloudflare $200 a month and hope they protect you from that, or use a Web Application Firewall and keep that up-to-date yourself, or just keep the software itself up-to-date. If you operate some online-services and there is some rivalry going on, it's bound to happen faster. People might target your server and specifically scan that for vulnerabilities way earlier than the drive-by attacks get a hold of it. Ultimately there is no way around keeping a server maintained.

how did you go about installing your Nextcloud instance?

I have two: YunoHost powers my NAS at home. It contains all the big files and important vacation pictures etc. YunoHost is an AIO solution(?), an operating system based on Debian that aims at making hosting and administration simple and easy. And it is. You don't have to worry too much to learn how to do all of the stuff correctly, since they do it for you. I've looked at the webserver config and so on and they seem to follow best practices, disallow old https ciphers, activate HSTS and all the stuff that makes cross site scripting and such attacks hard to impossible. And I pay for a small VPS. I used docker-compose and Docker on it. Read all the instructions and configured the reverse proxy myself. I also do some experimentation there in other Docker containers, try new software... But I don't really like to maintain all that stuff. Nextcloud and Traefik seem somewhat stable. But I have to regularly fiddle with some of the other docker-compose files of other projects that change after a major update. I'm currently looking for a solution to make that easier and planning to rework that server. And then also run Lemmy, Matrix chat and a microblogging platform on it.

It would be a rather difficult thing to prove

And it depends on where you live and the legislation there. If someone downloads some Harry Potter movies or uses your Wifi to send bomb threats to their school... They'll log the IP and then contact the ISP and the Internet Service Provider is forced to tell them your name. You'll get a letter or a visit from police. If they proceed and sue you, you'll have to pay a lawyer to defend yourself and it's a hassle. I think I'd call it coercion, but even if you're in the right, they can temporarily make your life a misery. In Germany, we have the concept of "Störerhaftung" on top. Even if you're not the offender yourself, being part of a crime willingly (or causally adequate(?))... You're considered a "disruptor" and can be held responsible, especially to stop that "disruption". I think it was meant get to people who technically don't commit crimes themselves, they just deliberately enable other people to do it. For some time it got applied to WiFi here. The constitutional court had to rule and now I think it doesn't really apply to that anymore. It's complicated... I can't sum it up in a few sentences. Nowadays they just send you letters, threatening to sue you and wanting a hundred euros for the lawyer who wrote the letter. They'll say your argument is a defensive lie and you did it. Or you need to tell them exactly who did it and rat out on your friends/partner/kids or whoever did it. Of course that's not how it works in the end but they'll try to pressure people and I can imagine it is not an enjoyable situation to be in. I've never experienced it myself, I don't download copyrighted stuff from the obvious platforms that are bound to get you in trouble and neither does anyone else in my close group of friends and family.

Kalcifer OP , 4 months ago

But this is a really difficult thing to protect from. If someone gets to push code on my computer that gets executed, I’m entirely out of luck. It could [...] send data [...].

Not necessarily. An application layer firewall, for example, could certainly get in the way of it trying to send data extenally.

On the other hand it could happen not deliberately but just be vulnerable software.

Are you referring to a service leaving a port open that can be connected to from the network?

And then also run Lemmy, Matrix chat and a microblogging platform on it.

I'm defintely curious about the outcome of this -- Matrix especially. Perhaps the new/alternative servers function a bit better now, but I've heard that, for synapse at least, Matrix can be very demanding on hardware to run (from what I've heard, the issues mostly arise when one joins a larger server).

You’re considered a “disruptor” and can be held responsible, especially to stop that “disruption”.

Interesting. Do you mean "held responsible" to simply stop the disruption, or "held responsible" for the actions of/damaged caused by the disruption?

h3ndrik , 4 months ago

I think an Application Layer Firewall usually struggles to do more than the utmost basics. If for example my Firefox were to be compromised and started not only talking to Firefox Sync to send the history to my phone, but also send my behavior and all the passwords I type in to a third party... How would the firewall know? It's just random outgoing encrypted traffic from its perspective. And I open lots of outbound connections to all kinds of random servers with my Firefox. Same applies to other software. I think such firewalls only protect you once you run a new executable and you know it has no business sending data. If software you actually use were susceptible to attack, the firewall would need to ask you after each and every update of Firefox if it's still okay and you'd really need to verify the state of your software. If you just click on 'Allow' there is no added benefit. It could protect you from connecting to a list of known malicious addresses and from people smuggling new and dedicated malware to your computer.

I don't want to say doing the basics is wrong or anything. If I were to use Windows and lots of different software I'd probably think about using an Application Level Firewall. But I don't see a real benefit for my situation... However I'd like Linux to do some more sandboxing and asking for permissions on the desktop. Even if it can't protect you from everything and may not be a big leap for people who just click 'Accept' for everything, it might be a good direction and encourage more fine-granularity in the permissions and ways software ties together and interacts.

it could [...] just be vulnerable software

I mean your webserver or CMS or your browser has a vulnerability and that gets exploited and you get hacked. The webserver has open ports anyways in order to be able to work at all. The CMS is allowed to process requests and the browser allowed to talk to websites. A maliciously crafted request or answer to your software can trigger it to fail and do something that it shouldn't do.

[...] Matrix

Sure, I have a Synapse Matrix server running on my YunoHost. It works fine for me. I'm going to install Dendrite or the other newer one next. I'm not complaining if I can cut down memory consumption and load to the minimum.

Do you mean “held responsible” to simply stop the disruption, or “held responsible” for the actions of/damaged caused by the disruption?

Yeah, the issue was that it meant both. You were part of the crime, you were involved in the causality and linked to the damages somehow. Obviously not to the full extend, since you didn't do it yourself, but more than 'don't allow it to happen again'. Obviously that has consequences. And I think now it's not that any more when it comes to wifi. I think now it's just the first, plus they can ask for a fixed amount of money since by your negliect, you caused their lawyer to put in some effort.

Kalcifer OP , 4 months ago

If for example my Firefox were to be compromised and started not only talking to Firefox Sync to send the history to my phone, but also send my behavior and all the passwords I type in to a third party… How would the firewall know?

If it's going to some undesirable domain, or IP, then you can block the request for that application. The exact capabilities of the application layer firewall certainly depend on the exact application layer firewall in question, but this is, at least, possible with OpenSnitch.

It’s just random outgoing encrypted traffic from its perspective.

For the actual content of the traffic, is this not the case with essentially all firewalls? They can't see the content of te traffic if it is using TLS. You would need to somehow intercept the packet before it is encrypted on the device. I'm not aware of any firewall that has such a capability.

If you just click on ‘Allow’ there is no added benefit.

The exact level of fine-grain control heavily depends on the application layer firewall in question.

A maliciously crafted request or answer to your software can trigger it to fail and do something that it shouldn’t do.

Interesting.

I think now it’s just the first, plus they can ask for a fixed amount of money since by your negliect, you caused their lawyer to put in some effort.

I do, perhaps, somewhat understand this argument, but it still feels quite ridiculous to me.

h3ndrik , 4 months ago (edited 4 months ago)

I think OpenSnitch can do it roughly 2 different ways. Either you use an allow-list. That's pretty secure. But it'll severely interfere with how you're used to browse the internet. You're gonna allow Wikipedia and your favorite news sources, but you won't be browsing Lemmy and just randomly clicking on articles and blogs since you have to specifically allow them in the firewall first. Or you're using a deny-list. That's something like what Chrome does, have a list of well-known malicious sites and it'll ask you 'Do you really want to visit that site? It spreads malware.' It'll add tremendously to security. But won't protect you entirely. Hackers frequently break into webservers to spread malware from new servers. Ones that aren't yet in the list of bad IPs. It'll work for some time until the application firewall and the Chrome browser catches up and they'll move on to a different server. You should definitely think about that and prevent being the millionths victim, however.

I think we're talking about vastly different concepts here. Desktop computers and servers, consumers and enterprises are threatened in vastly different ways. And thus they need different solutions that handle the different threats. On a desktop computer the main way of compromising it is getting people to click on something. Or do whatever an official-looking e-mail instructs them to do. On a server that is meaningless. There isn't that much random applications someone clicks on without thinking it through. There is no e-mail client on the server. But on the other side you're serving random people from all over the world. Your connections are different, too. And if someone wants to upload their malware somewhere or send spam... They're going to go for a server and not a desktop computer.

About the "Störerhaftung": I think so, too. It's been ridiculous and in the end the courts also ruled it's against the law. The 100€ is also not something you have to pay. They want it and it's just a way to settle out of court. If you pay them, they'll promise to forget about this one time and not care about who did it. I think these kind of settlement exist all around the world and it's not illegal. And the copyright has to find some means of pressuring people, even if it's a bit shady, since such copyright offenses aren't a major crime and courts are often times bothered with more important stuff.

conorab , 5 months ago

Other comments have hit this, but one reason is simply to be an extra layer. You won’t always know what software is listening for connections. There are obvious ones like web servers, but less obvious ones like Skype. By rejecting all incoming traffic by default and only allowing things explicitly, you avoid the scenario where you leave something listening by accident.

Paragone , 5 months ago

A couple of decades ago, iirc, SANS.org ( IF I'm remembering who it was who did it ) put a fresh-install of MS-Windows on a machine, & connected it to the internet.

It took SEVERAL MINUTES for it to be broken-into, & corrupted, botnetted.

The auto-attacks by botnets are continuous: hitting different ports, trying to break-in, automatically.

I've had linux desktops pwned from me.

the internet should be considered something like a mix of toxic & corrosive chemicals: "maybe" your hand will be fine, if you dip it in for a moment & immediately rinse it off ( for 3 hours ), but if you leave you limbs dwelling in the virulent slop, Bad Things(tm) are going to happen, sooner-or-later.

---

I used to de-infest Windows machines for my neighbours...

haven't done it in years: they'll not pay-for good anti-virus, they'll not resist installing malware: therefore there is no point.

Let 'em rot.

I've got a life to work-on uncrippling, & too-little strength/time left.

---

"but I don't need antivirus: i never get infected!!"

then how come I needed to de-infest it for you??

"but I don't need an immune-system: pathogens are a hoax!!"

get AIDS, then, & don't use anti-AIDS drugs, & see how "healthy" you are, 2 years in.

Same argument, different context-mapping.

---

Tarpit was a wonderful-looking invention, for Linux's netfilter/iptables, years ago: don't help botnets scan quickly & efficiently to help them find a way to break-in...

---

Anyways, just random thoughts from an old geek...

---

EDIT: "when do I need to wear a seatbelt?"

is essentially the same category of question.

_ /\ _

Kalcifer OP , 5 months ago

put a fresh-install of MS-Windows on a machine, & connected it to the internet.

What version of Windows? Connected how? Through a NAT, or was it through a DMZ connection, or netiher? Was Windows' firewall enabled?

It took SEVERAL MINUTES for it to be broken-into, & corrupted, botnetted.

This is highly dependent on the setup, ofc. I can't really comment without more knowledge of the experiment.

haven’t done it in years: they’ll not pay-for good anti-virus

Idk, nowadays, 3rd party anti-virus software on Windows doesn't have too much user -- Windows Defender is pretty dang good. If anything, a lot of them are borderline scams, or worse.

get AIDS, then, & don’t use anti-AIDS drugs, & see how “healthy” you are, 2 years in.

You don't catch AIDS. HIV is the virus which causes AIDS to develop over time, if untreated. I'm not sure what you mean by anti-AIDS drugs. You could potentially be referring to anti-retroviral medication, or other related medication used to treat HIV, but, again that's treating HIV to prevent the development of AIDS. You could also be referring to PrEP, but, once again, that is for protection against contracting the virus, not the collection of symptoms from a chronic HIV infection which is referred to as AIDS.

Tarpit was a wonderful-looking invention

This is interesting, I hadn't heard of this!

Linux’s netfilter/iptables

Just a side note: iptables is deprecated -- it has been succeeded by nftables.

EDIT: “when do I need to wear a seatbelt?”

is essentially the same category of question.

Fair point!

utopiah , 5 months ago

When you expose ports to the Internet. It's honestly interesting to setup a Web server with the default page on it and see how quickly you get hits on it. You don't need to register a DNS or be part of an index anywhere. If you open a port (and your router does forward it) then you WILL get scanned for vulnerabilities. It's like going naked in the forest, you sure can do that but clothes help, even if it's "just" again ivy or random critters. Now obviously the LONGER you run naked or leave a computer exposed, the most likely you are to get a bad bug.

Feathercrown , 5 months ago

Can confirm. As an example, I'm developing a game server that runs a raw socket connection over the Telnet port. Within 10 minutes of opening the port, I reliably get requests trying to use Telnet to enable command mode or login as admin. People are constantly scanning.

mvirts , 5 months ago

Ya. And sometimes hosting companies run active scans on customer machines. I get a crazy number of login attempts over ssh. I ❤️ fail2ban

Kalcifer OP , 5 months ago

For this specific argument, what difference does it make if that specific device has a firewall in addition to the NAT that it is behind? To expose the device to the internet, a port needs to be openend on the router which points to a specific port on the device. When a request is made to that port, only that port is accessed. Some third party can't start poking around at other ports on the device, as there is no route from the router.

utopiah , 5 months ago

True but there are also DMZ options that allow to expose an entire machine. I imagine someone who is not familiar with networking or firewalls might "give up" and use that "solution" if they don't manage to expose just the right port on just the right machine. I'm sure I did that at some point when I was tired of tinkering.

Also if the single port that is exposed has vulnerabilities, then scanning the other ports might not be necessary. If the vulnerability on the opened port allow some kind of access, even without escalating privilege (i.e no root access) maybe localhost queries could be made and from there maybe escalating on another service that wouldn't be exposed.

Finally on your initial question I'd argue if the firewall rules are equivalent then it would be equivalent but if they are a bit more refined than "just" open or close a port, e.g drop traffic that is not from within the LAN, so a specific subnet, then it might still create risk.

Kalcifer OP , 5 months ago

Also if the single port that is exposed has vulnerabilities, then scanning the other ports might not be necessary. If the vulnerability on the opened port allow some kind of access, even without escalating privilege (i.e no root access) maybe localhost queries could be made and from there maybe escalating on another service that wouldn’t be exposed.

For sure, but this is a separate topic. The existence of a firewall is kind of independent of the security of the service listening on the port that it's expected to listen on. If there is a vulnerability in the service, the existence of a packet filtering firewall most likely won't be able to do anything to thwart it.

Finally on your initial question I’d argue if the firewall rules are equivalent then it would be equivalent but if they are a bit more refined than “just” open or close a port, e.g drop traffic that is not from within the LAN

Fair point! Still, though, I'm not super convinced of the efficacy of a packet filtering firewall running on a device in preventing malicious connections from itself, were a service running on it to become compromised. The only way that I can see it guaranteeing protection from this scenario is if it drops all packets, but, at that point, it's just an offline system -- no networking -- so the issue essentially no longer applies.