Kalcifer

@Kalcifer@sh.itjust.works

All of this user’s content is licensed under CC BY 4.0.


Kalcifer OP , to Linux in When do I actually need a firewall?

What is "JFC"? I'm not familiar with this acronym.

Kalcifer OP , to Linux in When do I actually need a firewall?

Additionally you should not port forward

In what context? There is nothing inherently insecure about port forwarding. If you want a service accessible outside of your local network, you generally need to port forward. The security mostly depends on the service that is bound to the forwarded port.

especially not port 80

Why? If you want to run a webserver without specifying a port in the URL all the time, you are going to forward port 80; port 80 is a standardized port for all HTTP connections.

Kalcifer OP , to Linux in When do I actually need a firewall?

because you WILL break your SSH connection doing this

Haha, yeah, I've certainly inadvertently done this when I was first learning about how firewalls worked on Linux.

Kalcifer OP , to Linux in When do I actually need a firewall?

Would you mind defining what you mean by "attacked"?

Kalcifer OP , to Linux in When do I actually need a firewall?

Out of curiosity, why do you claim that? I know very little about TempleOS's functionality -- I'm essentially only aware of its existence and some of its history.

Kalcifer OP , to Linux in When do I actually need a firewall?

I’m saying unless you read the code you’re running, including the firmware and the kernel, how can you trust there isn’t a remote execution exploit?

A packet filtering firewall isn't able to protect against server or protocol exploits directly. Sure, if you know that connections originating from a specific IP are malicious, then you can drop connections originating from that IP, but it will not be able to directly protect against application layer exploits.

There do exist application layer firewalls (an example of which was pointed out to me here (opensnitch)), but those are out of the scope of this post.

Kalcifer OP , to Linux in When do I actually need a firewall?

For this specific argument, what difference does it make if that specific device has a firewall in addition to the NAT that it is behind? To expose the device to the internet, a port needs to be opened on the router which points to a specific port on the device. When a request is made to that port, only that port is accessed. Some third party can't start poking around at other ports on the device, as there is no route from the router.

Kalcifer OP , to Linux in When do I actually need a firewall?

If you are a home user with your computer or laptop inside a LAN you would not really need a firewall, unless you start to use applications which expose its ports to 0.0.0.0 rather than 127.0.0.1

Interestingly, on one of my devices, running # ss -utpnl shows quite a number of Spotify, and Steam sockets listening on 0.0.0.0. I looked up some of the ports, and, for example, one of the steam ones was a socket for Remote Play.

But there is a choice now : opensnitch

This is really cool! Thank you so much for this recommendation! This pretty much solves what was bugging me about outgoing connections in a layer 3/4 firewall like nftables.

Kalcifer OP , to Linux in When do I actually need a firewall?

Heartbleed could steal your passwords even if you ran ostensibly trustworthy software.

Heartbleed is independent of a firewall though -- it's a protocol vulnerability that was patched into a specific library -- this feels somewhat like a strawman argument.

So unless you harden the software and prove it’s completely exploit-free, then you can’t trust it.

The type of "firewall" that I am referring to operates at layer 3/4. From what I understand, you seem to be describing exploits closer to the application layer.

Kalcifer OP , to Linux in When do I actually need a firewall?

Do you have any supporting arguments/rationale for that claim?

Kalcifer OP , to Linux in When do I actually need a firewall?

Once a port is bound to a process, it’s taken. Malware can’t just latch on without hijacking the program that already has it bound.

Is this because the kernel assigns that port to that specific process, so that all traffic at that port is associated with only that process? For example, if you have an SSH server listening on 22, and another malicious program decides to start listening on 22, all traffic sent to 22 will only be sent to the SSH server, and not the malicious program?

EDIT (2024-01-31T01:20Z): While writing this, I came across this Stack Overflow answer, which states that when a socket is created it calls some bind() function that attaches it to a port. This makes me wonder how difficult it would be for malware to steal the bound port.
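An added example (not from the thread) of the kernel rule the quoted comment describes: a second bind() on a port that already has a listener is refused with EADDRINUSE. It also shows the one ordinary relaxation of that rule worth auditing on a server, the SO_REUSEPORT option, which only lets another process share the port if the original listener itself opted in (and, on Linux, runs as the same user). Ports are picked by the kernel on loopback, so it runs anywhere.

```python
import errno
import socket
from typing import Optional, Tuple


def bind_conflict_demo() -> Tuple[int, Optional[int]]:
    """Bind a listener on loopback, then try to bind a second socket to the
    same address and port. Returns (port, errno of the second bind), where
    the errno is None if the second bind unexpectedly succeeded."""
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    first.bind(("127.0.0.1", 0))          # port 0: the kernel picks a free port
    first.listen(1)
    port = first.getsockname()[1]

    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        second.bind(("127.0.0.1", port))  # the port is already taken
        result = None
    except OSError as e:
        result = e.errno                  # expected: errno.EADDRINUSE
    finally:
        second.close()
        first.close()
    return port, result


def second_bind_refused() -> bool:
    """True when the kernel keeps the port exclusive to the first listener."""
    return bind_conflict_demo()[1] == errno.EADDRINUSE


def reuseport_enabled(sock: socket.socket) -> bool:
    """Check whether a socket opted into SO_REUSEPORT. A service that sets it
    allows a second same-user process to bind the same port and share the
    incoming connections, so a daemon meant to be exclusive should not."""
    if not hasattr(socket, "SO_REUSEPORT"):   # option absent on this platform
        return False
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT) != 0


def fresh_socket_has_reuseport() -> bool:
    """Sockets do not get SO_REUSEPORT unless the program asks for it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return reuseport_enabled(s)
    finally:
        s.close()


if __name__ == "__main__":
    port, err = bind_conflict_demo()
    print(f"port {port}: second bind -> {errno.errorcode.get(err, err)}")
```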

Kalcifer OP , to Linux in When do I actually need a firewall?

With more advanced firewalls you can even make sure only certain apps have access to the internet to make sure only what you absolutely need to connect to the internet does.

This sounds very interesting. This would have to be some form of additional layer 7 firewall, right (as in it would have to interact with system processes, rather than filtering by network packet at layers 3 and 4)? Does this type of firewall have a specific name, or do you perhaps have some examples? I don't think it would be possible with something like nftables, but I could certainly be wrong.

Kalcifer , to science in I wasn't worried about climate change. Now I am.

Agreed, 15 minute videos with two minutes of info in them are an absolute scourge on Lemmy

Are you stating that generally, or in reference to Sabine's video that OP linked? If it is the latter, I would question if you even watched her video.

Kalcifer OP , to Linux in Is it possible to delete the default zones in Firewalld, and if not, why?

Maybe you should take it up with the maintainers.

See the linked GitHub issue.

Kalcifer OP , to Linux in When do I actually need a firewall?

If you’re running a laptop with a local web server for development, you wouldn’t want other devices in i.e. the coffee shop WiFi to be able to connect to your (likely insecure) local web server, would you?

This is a fair point that I hadn't considered for the mobile use-case.

Imagine a family member visits you and wants internet access in their Windows laptop, so you give them the WiFi password. Do you want that possibly malware infected thing poking around at ports other than 80 running on your server?

Fair point!

note that you likely do have applications listening on ports you didn't know about. Take a look at sudo ss -utpnl.

Interesting! In my case I have a number of sockets from Spotify and Steam listening on port 0.0.0.0. I would assume that these are only available to connections from the LAN?

It's rather the other way around; you don't want the outside world to be able to talk to untrusted software on your computer. To be a classical "door", the application must be able to listen to connections.

OTOH, smarter malware can of course be something like a door by requesting intrusion by itself, so outbound filtering is also something you should do with untrusted applications.

It could also be malicious software that simply makes a request to a remote server -- perhaps even siphoning your local data.

If it turned out your window could easily be opened from the outside, you'd rather have razor fence in front until you can replace the window, would you?

Fair point!
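The `ss -utpnl` check suggested above, and the Spotify/Steam sockets on 0.0.0.0 mentioned twice in this thread, as an added example that is not part of any comment: a small parser that reads `ss -utpnl` output and flags every listener bound to a wildcard address (0.0.0.0 or [::]), which is the set that a LAN guest or a forwarded port could reach. The sample output is constructed, not a real capture.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `ss -utpnl` output (process names and pids made up).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:27036      0.0.0.0:*         users:(("steam",pid=4242,fd=99))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=800,fd=7))
tcp   LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      50     [::]:4070          [::]:*            users:(("spotify",pid=5000,fd=150))
tcp   LISTEN 0      128    [::1]:631          [::]:*            users:(("cupsd",pid=800,fd=8))
"""

WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str
    pid: int

    @property
    def exposed(self) -> bool:
        # A wildcard bind accepts traffic on every interface, so only a host
        # firewall (or the router's NAT) stands between it and other hosts.
        return self.addr in WILDCARDS


def parse_ss(text: str) -> List[Listener]:
    out = []
    for line in text.splitlines()[1:]:              # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        addr, _, port = fields[4].rpartition(":")   # keeps [::] intact
        m = PROC_RE.search(" ".join(fields[6:]))
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        out.append(Listener(fields[0], addr, int(port), name, pid))
    return out


def exposed_listeners(text: str) -> List[Listener]:
    return [l for l in parse_ss(text) if l.exposed]


if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{l.proto:4} {l.addr}:{l.port:<6} {l.process} (pid {l.pid})")
```

On a real machine, feed it `subprocess.run(["ss", "-utpnl"], capture_output=True, text=True).stdout`; the loopback-only cupsd sockets are correctly left out of the exposed list.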
