Firewall Best Practices?

brent

I'm aware that outside of your hundreds of ports are the worst vermin out there sniffing, waiting for crack in the door.
Since my life went Linux about 8 years ago I've only done a single thing, even if I hop: UFW, deny incoming, allow outgoing, the end.

Year go by and I wonder: is this good enough?

Anybody do anything extra with their IPtables?
Anybody still using a thorough hosts file?
Do many of you accomplish all this with an external router alone?
If you don't subscribe to anything streaming and don't mass game-play should you block most ports?

Lot's of talk about doing stuff based on your "threat model" which is irrelevant to me. I'm a normal person who doesn't want creepos coming in through a crack in the door. Too many stories of people who were punked and all info erased plus a million other horror stories.

What are your best firewall practices or similar? Truly interested. Thank you.

elfprince

brent ufw it is here as well, default settings. My thought is to keep all important data backed up and synced regularly. Sensitive files encrypted.
Aside from that, if anything, I'll call Batman.

Harvey

The reality is that unless you install a service like openssh-server etc then there is nothing on your system listening on a port to allow authorised access and so a firewall is rather pointless.

If you do run services like openssh-server then you can allow access to only IP's you intend to connect from on a specific port.

Since deny incoming, allow outgoing is the default on ufw and you said you have no other rules that implies you are not using any other services such as openssh-server because without additional rules opening a hole it would not be able to accept any connections, which means you might as well uninstall the firewall.

brent

Harvey

Harvey you said you have no other rules that implies you are not using any other services such as openssh-server because without additional rules opening a hole it would not be able to accept any connections, which means you might as well uninstall the firewall.

now that's a fresh take for sure--or just eye-opening 🙂. It implies I am just as safe without a firewall? Or do you mean I need to load the tables up with rules?

penny-farthing

Harvey

It seems to me that when you installed gufw (the graphical version of the ufw package), you had to first open it and then activate the default settings for it to be operational.

Personally, I blocked incoming and outgoing connections and I allowed incoming connections (IN) to port 80 (HTTP) and 443 (HTTPS), I also added other rules.
I was inspired by this little tutorial:
https://codedesign.fr/tutorial/firewall-facile-serveur-ufw/

So, it wasn't necessary?

Axios

brent Linux even tho I have a firewall installed havent used it much add some
stuff to make one program work and thats about it.
But on windows I used like malwarebytes firewall which I can control whats leaving my computer
(More of a risk than incoming in my mind and stuff leaving I did not know about) takes a little learning curve doing things that way.
I just havent worried about it much on linux.
Do the same on my mac.
There is one for linux that works that way got it bookmarked somewhere but not sure about using on solus.

WetGeek

brent It implies I am just as safe without a firewall?

Years ago, when I was new to Linux, I ran Open SuSE, and set up complicated allow/deny/port rules, but I eventually mellowed and haven't configured a firewall in a very long time. I do plenty of downloading and streaming.

Our TV uses streaming only, and sometimes I watch the news on my laptop while my wife watches her favorite game shows on the big-sreen.
Never had an incident I could honestly blame on the lack of a firewall.

Harvey

You are fine without a firewall. Leaving it there isn't doing any harm though.

brent

Axios I just havent worried about it much on linux.

I heard this ^ when i signed up in 2017 and am hearing it now tonight. Will leave well enough alone! A lot of chatter says bad guys catching up to us since 2017 and that makes sense so what chatter do I trust?

Malwarebytes FW? you don't trust defender? malwarebytes...remember avast, cc cleaner, I am forgetting about 48 products I needed to keep windows barely safe...the only person I trusted was OTC oldtimer tools. and black vipers' service shutdown list.....I can't believe we were forced to live a computing life as ridiculous as that.

brent

WetGeek Never had an incident I could honestly blame on the lack of a firewall.

It just occurred to me "neither have I." That says a lot when I stand back and look at it like that. Harvey and you are correct. Maybe it's just internet best practices that dictate your safety, not necessarily a firewall.

Axios

This is what I would like to see for Solus
https://github.com/evilsocket/opensnitch?tab=readme-ov-file#key-features

brent

Axios at the link you gave for opensnitch they furnish another link for linux people using their tool who found creepy-crawlies using their app:

I'll be here reading for a little while.
love to see it in repo. i don't know if the average guy/gal (me) can interpret this stuff like a pro but anybody willing to learn can do it.

Harvey

brent people using their tool who found creepy-crawlies using their app:

Doubt it.

vivaldi web browser trying to download external packages

Without reading the thread I can tell you they are likely using a Debian based system. It is running a post-install script to get codecs required for video playback. Most other distributions do not use this script instead choosing to provide their own codecs package.

🚨 Normal behaviour detected 🚨 🚔️

brent

Harvey oh yes, when you read the posts you see things like gnome-software calling out to sketchy servers until the OP finally realized it was to fetch an icon for telegram that the SC needed...the opensnitch github page says click this link called "Examples of OpenSnitch intercepting unexpected connections:" So I did and posted the pic.

Many of them were "damn it was really an icon for telegram all along," but there was some weird stuff but not as much as I thought.

I agree with @Axios I would love to see repo inclusion if only for people to what calls who and why and maybe conclude what you said "normal behavior here." It's a safer toy than bleachbit🙂

Axios

As you can see by what you researched a program like that is a wealth of information and gives you
control over events if you so wish.
Its just another thing in my toolbox I use (little snitch) on the mac not sure if the two are related never
researched it.
Not everything is the (Sky is falling thing) but something a person may want to research.
For a casual computer user it is probably to much but for a seasoned user would be no problem using it.

Using Malwarebytes firewall (windows) and little snitch (mac) they are along the same lines I dont know the stuff
linux does havent used anything on it to really know yet.

Just something I do gives me control and peace of mind I guess..lol

stalebrim

The discovery about CUPS proved that having a firewall isn't pointless at all.

Harvey

To my understanding cups-browsed appears to have been added to the repo 5 months ago and is what listens to *:631 while CUPS only listens to localhost:631

So given defaults change over time and people won't notice (including me), yes installing a firewall even if you do no additional configuration makes sense. Although I personally would prefer we just not enable stuff like this by default.

brent

Harvey So given defaults change over time and people won't notice (including me), yes installing a firewall even if you do no additional configuration makes sense. Although I personally would prefer we just not enable stuff like this by default.

we all didn't notice 5 months ago. from my reading, users who are not on a printing network and just have a home printer can go ahead and uninstall this anyway since it's useless to the home user? Is that correct?

brent

epilogue: what someone told me in 2017 still rings true regarding basic port security: install ufw, enable and set to default, then forget about it.

it never seemed like overkill and more like a security blanket.
I have to deal with firewalldin the backup distro and that is un-necessarily monstrous in scope.

Harvey

brent

cups-browsed is only useful for some printers if you do not need it you should be able to remove it,

stalebrim

Harvey Nope, system-config-printer depends on it.