I’ve spent some time searching this question, but I have yet to find a satisfying answer. The majority of answers that I have seen state something along the lines of the following:
- “It’s just good security practice.”
- “You need it if you are running a server.”
- “You need it if you don’t trust the other devices on the network.”
- “You need it if you are not behind a NAT.”
- “You need it if you don’t trust the software running on your computer.”
The only answer that makes any sense to me is #5. #1 leaves a lot to be desired, as it advocates for doing something without thinking about why you’re doing it – it is essentially a non-answer. #2 is strange – why does it matter? If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router’s NAT at port 80 to open that server’s port to the public. What difference does it make to then have another firewall that needs to be port forwarded? #3 is a strange one – what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there’s nothing to access. #4 feels like an extension of #3 – only, in this case, it is most likely a larger group that the device is exposed to. #5 is the only one that makes some sense; if you install a program that you do not trust (you don’t know how it works), you don’t want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device’s actions.
If anything, a firewall only seems to provide extra precautions against mistakes made by the user, rather than actively preventing bad actors from getting in. People seem to treat it as if it’s acting like the front door to a house, but this analogy doesn’t make much sense to me – without a house (a service listening on a port), what good is a door?
It seems that the consensus from all the comments is that you do in fact need a firewall. So my question is: how does that look exactly? A hardware firewall device directly between modem and router? Is using the software firewall on the router enough? Or, additionally, having a software firewall installed on all capable devices on the network? A combination of the above?
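The question above leans on "if you have no applications listening on any port, then there's nothing to access". That is a claim worth checking rather than assuming, because services often bind to every interface without the user noticing. The script below is an added example, not code from anyone in this thread: it decodes the kernel's socket tables (the /proc/net/tcp and /proc/net/udp format) and marks which bound sockets are reachable from every interface versus loopback only. The two sample tables are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): decode the kernel's socket tables so the claim
# "nothing is listening on my machine" can be checked instead of assumed. Reads the
# /proc/net/tcp and /proc/net/udp format; the samples below are constructed, not real.

# decode_listeners PROTO < table
# Prints "proto address port scope" for each bound socket. TCP listeners have state 0A;
# a bound UDP socket shows state 07 with a zero remote address.
decode_listeners() {
    awk -v proto="$1" '
    # POSIX awk has no strtonum, so convert hex by hand
    function hex2dec(h,   i, n, c) {
        n = 0
        for (i = 1; i <= length(h); i++) {
            c = index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
            n = n * 16 + c
        }
        return n
    }
    # the kernel prints IPv4 addresses as little-endian hex: 0100007F is 127.0.0.1
    function hex2ip(h) {
        return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
    }
    NR > 1 {
        split($2, local, ":")
        split($3, remote, ":")
        state = $4
        listening = (proto == "tcp" && state == "0A") ||
                    (proto == "udp" && state == "07" && remote[2] == "0000")
        if (listening) {
            ip = hex2ip(local[1])
            port = hex2dec(local[2])
            # a 0.0.0.0 bind is reachable from every interface, which is exactly what a
            # host firewall (or the router) would otherwise have to filter
            if (ip == "0.0.0.0") scope = "ALL-INTERFACES"
            else if (ip == "127.0.0.1") scope = "loopback-only"
            else scope = "one-interface"
            printf "%s %s %d %s\n", proto, ip, port, scope
        }
    }'
}

# audit_listeners: run this on a real Linux host (needs read access to /proc/net)
audit_listeners() {
    if [ -r /proc/net/tcp ]; then decode_listeners tcp < /proc/net/tcp; fi
    if [ -r /proc/net/udp ]; then decode_listeners udp < /proc/net/udp; fi
}

# Constructed sample tables (not captured from a real host): DNS on loopback port 53,
# SSH bound to all interfaces on port 22, one established outbound connection
# (state 01, must be ignored), and WireGuard bound to all interfaces on UDP 51820.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:A1B2 1F0000C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1003 1 0000000000000000 20 4 30 10 -1'
SAMPLE_UDP='   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
    0: 00000000:CA6C 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1004 2 0000000000000000 0'

printf '%s\n' "$SAMPLE_TCP" | decode_listeners tcp
printf '%s\n' "$SAMPLE_UDP" | decode_listeners udp
# On a real host run audit_listeners instead, and compare the ALL-INTERFACES lines
# with the list of ports you actually meant to expose.
```

On the constructed input this prints one loopback-only TCP socket (53), one all-interfaces TCP socket (22) and one all-interfaces UDP socket (51820); the established connection is skipped. Every ALL-INTERFACES line is a service that any device on the LAN can reach whether or not the router forwards a port to it, which is the gap a host firewall closes.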
Depends on the setup. For most people at home their router also does firewalling and NAT, and that is enough.
Even in corporate it is not uncommon for a firewall to be the gateway, or transparent in between, with maybe more internally too. There are just more routers inside and out, but those routers are real network routers in the traditional sense.
My setup is pretty basic, only thing I have is a media server accessed locally, and a pi running pihole and pivpn that has a port forwarded on my router for remote access. The pi has password login disabled, and the port forward is set to the static IP set for the pi with my router. The router has the firewall set, but nothing on any other machine. Do I need more?
What service do you have forwarded? Do you have any devices on your lan you don’t 100% trust?
I have a similar setup, only forwarding a WireGuard VPN port. I live alone and fully trust every device on my LAN, so I let my router take care of the firewall and don't have any firewalls on the devices on my LAN.
Some will still argue this is bad practice, but I really have no desire to toggle firewall rules every time I want to expose a port while I'm developing/testing software. If someone cracks WireGuard, then I don't think they will risk exposing the industry-halting 0-day to run a crypto miner on my Raspberry Pi.
IoT and friends get the guest wifi.
This is the only thing forwarded. As for devices the worst offender would be my Roku TV but I’m not sure how much of a security threat that actually would be. More of a privacy threat, hence running pihole.
It is important to note that being unaware of something’s level of security is not an argument that it is more secure, or not worthy of scrutiny.
Any way you could put the Roku on guest wifi, or does pihole let you block all outgoing traffic? Something like that would make me a little hesitant. My LAN has my GrapheneOS device, 3 computers running Debian, and an IoT smart switch I flashed myself.
Like you said, more of a privacy concern than anything.
It is important to note (as was pointed out by others in this thread) that one must also consider threats emanating from within the LAN, as well: Do you have guests that you allow onto your network with potentially un-vetted devices? Do you have other network-capable devices connected to your network whose security you cannot guarantee? Can you guarantee that there are no unintended services with potential security vulnerabilities listening on ports on your device? If so, it is worth considering, at the very least, a packet filtering firewall, e.g. nftables, and if you can't trust the services running on your device, perhaps also an application layer firewall like OpenSnitch.
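For the packet-filtering half of that advice, here is what a host ruleset looks like for a setup like the Pi described earlier in the thread (Pi-hole plus a WireGuard port forwarded from the router). This is an added example, not code from anyone in this thread or from the Pi-hole, PiVPN or nftables projects: it prints a default-deny inbound nftables ruleset, so it can be reviewed and syntax-checked before anything is loaded. The WireGuard port (51820), the LAN range (192.168.1.0/24), the VPN client subnet (10.6.0.0/24) and the interface names (eth0, wg0) are assumptions to be adjusted for the real host.

```shell
#!/bin/sh
# Added example (not from the thread): build a default-deny inbound nftables ruleset for a
# small Linux host like the Pi above, where the only service reachable through the router's
# port forward is WireGuard. Port, subnets and interface names below are assumptions.

WG_PORT_DEFAULT=51820            # assumption: WireGuard's usual UDP port
LAN_CIDR_DEFAULT=192.168.1.0/24  # assumption: the home LAN range
WG_CIDR_DEFAULT=10.6.0.0/24      # assumption: the VPN client subnet
LAN_IF=eth0                      # assumption: interface facing the LAN
WG_IF=wg0                        # assumption: the WireGuard interface

# build_ruleset [WG_PORT] [LAN_CIDR] [WG_CIDR]: print the ruleset instead of loading it,
# so it can be read and checked first. Each chain's policy is the real safety net: anything
# not explicitly accepted is dropped.
build_ruleset() {
    wg_port=${1:-$WG_PORT_DEFAULT}
    lan_cidr=${2:-$LAN_CIDR_DEFAULT}
    wg_cidr=${3:-$WG_CIDR_DEFAULT}
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # replies to connections this host opened itself
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # ICMP is needed for path MTU discovery and IPv6 neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept
        # the one service exposed through the router's port forward
        udp dport $wg_port accept
        # SSH and DNS (Pi-hole) only from the LAN and from VPN clients
        ip saddr { $lan_cidr, $wg_cidr } tcp dport { 22, 53 } accept
        ip saddr { $lan_cidr, $wg_cidr } udp dport 53 accept
        # everything else hits the drop policy; keep a rate-limited log of what knocks
        limit rate 5/minute log prefix "nft-input-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # VPN clients may reach the LAN through this host (assumed interface names)
        iifname "$WG_IF" oifname "$LAN_IF" accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset: parse the ruleset with nft --check without touching the live tables
check_ruleset() {
    build_ruleset "$@" | nft -c -f -
}

# apply_ruleset: load it for real (needs root); run check_ruleset first
apply_ruleset() {
    build_ruleset "$@" | nft -f -
}

build_ruleset
```

Running the script prints the ruleset; `check_ruleset` feeds it to `nft -c -f -` so a typo is caught before the drop policy is live, and `apply_ruleset` loads it. The input chain is what addresses the LAN-side question in the post above: with it in place, a guest device or a compromised TV can still reach the WireGuard port (which the router already exposes) but not SSH or any service that happens to be bound to all interfaces. The forward chain only matters because the Pi routes VPN clients onto the LAN; on a host that does no routing it can stay at policy drop with no accept rules.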
I use the firewall built into Proxmox with a device running openwrt
Depends on your setup. I got a network-level firewall+router setup between my modem and my LAN. But also, got firewalld (friendly wrapper on iptables) on every Linux device I care about because I don't want to unintentionally expose something to the network.
Hm, guess maybe I should find something for Android and my Windows boxes.
iptables is deprecated, so it’s better to label it as a wrapper for nftables.
And like most things related to Linux on the internet, the consensus is generally incorrect. For a typical home user who isn't opening ports or taking a development laptop to places with insecure wifi networks, you don't really need a firewall. It's completely superfluous. Anything you do to your PC that causes you genuine discomfort will more than likely be your own fault rather than an explicit vulnerability. And if you're opening ports on your home network to do self-hosting, you're already inviting trouble and a firewall is, in that scenario, a band-aid on a sucking chest wound you self-inflicted.
A “typical” home user, whom I assume is less knowledgeable about technology, is probably the person who would benefit the most from strict firewalls installed on their device. Such an individual assumedly doesn't have the prerequisite knowledge or awareness required to adequately gauge the threats on their network.
Would this not be adequate rationale for having contingencies, i.e. firewalls? A risk/threat needn’t only be an external malicious actor. One’s own mistakes could certainly be interpreted as a potential threat, and are, therefore, worthy of mitigation.
Well, no, not necessarily. It’s important to understand what the purpose of the firewall is. If a device can potentially become an attack vector, it’s important to take precautions against that – you’d want to secure other devices on the network in the off chance that it does become compromised, or secure that very device to limit the potential damage that it could inflict.
They also would not realistically be doing anything that would cause open ports on their machine to serve data to some external application. It’s not like someone can just “hack” your computer by picking a random port and weaseling their way in. They have to have some exploitable mechanism on the machine that serves data in a way that’s insecure.
I am assuming that there's a hierarchy of needs in terms of maintaining any Linux system. Whenever you learn how to use something (and you would have to learn how to use a firewall), you are sacrificing time and energy that would be spent learning something else. Knowing how your package manager works, or how to use systemctl, or understanding your file system structure, or any number of pieces of fundamental Linux knowledge is, for a less technically sophisticated user, going to do comparatively more to guarantee the longevity and health of their system than learning how to use a firewall, which is something capable of severely negatively impacting your user experience if you misconfigure it. In other words: don't mess around with a firewall if you don't know what you're doing. Use your time learning other things first if you're not a technically sophisticated user. I also don't exactly know what “mistakes” you'd be mitigating by installing a firewall if you aren't binding processes to those ports (something a novice user should not be doing anyway).
You just wrote that “One's own mistakes could certainly be interpreted as a potential threat, and are, therefore, worthy of mitigation.” The best way of mitigating mistakes is by not making them in the first place, or creating a scenario in which you could potentially make them. Prevention is always better than cure. You should never open ports on your local network. Ever. I don't care if you have firewalls on everything down to your smart thermostat - if you need to expose locally hosted services you should be maintaining a cloud VM or similar cloud-based service that forwards connections to the desired service on your internal network via a VPN like Tailscale. Or, even better, just put Tailscale's service on whatever machine you're using that needs access to your personal network. And, yes, if you're doing things like that, you would also want robust firewall protections everywhere. But the firewall simply isn't ever “enough.”
Anyway, just my 2 cents. The more you know and do, the greater steps you should take to protect yourself. For someone who knows very little, the most important thing that can help them is knowing more, and there is a hierarchy of learning that will take them from “knowing little” to “knowing much,” but they shouldn't/don't need to concern themselves with certain mechanisms before they know enough to reliably use them or mitigate their own mistakes. That said, if you are a new user, you're probably installing a Linux distro that already comes with its own preconfigured firewall that's already running and you just don't know about it. In which case, moot point. If you're not, though, I'm assuming your goal is learning Linux stuff, in which case, I've gone into that.
They may not explicitly do it, no, but I could certainly see the possibility of the software that they use having such a vulnerability, or even a malicious bit of software inadvertently being installed on their device.
This sort of skirts around answering the question.
But mistakes will be made all the same.
This is exactly the point that I am trying to make. Having contingencies in place on the off chance that something doesn’t go as expected could certainly be interpreted as “prevention”.
What would be the rationale for this statement?
I’m not sure that I understand what issue that this would solve. Would the malicious connections not still be forwarded through the VPN to the service? I am quite lacking in knowledge on Tailscale, and how related infrastructure is used in production, so please pardon my ignorance.