I’ve spent some time searching this question, but I have yet to find a satisfying answer. The majority of answers that I have seen state something along the lines of the following:
- “It’s just good security practice.”
- “You need it if you are running a server.”
- “You need it if you don’t trust the other devices on the network.”
- “You need it if you are not behind a NAT.”
- “You need it if you don’t trust the software running on your computer.”
The only answer that makes any sense to me is #5. #1 leaves a lot to be desired, as it advocates for doing something without thinking about why you’re doing it – it is essentially a non-answer. #2 is strange – why does it matter? If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router’s NAT at port 80 to open that server’s port to the public. What difference does it make to then have another firewall that needs to be port forwarded? #3 is a strange one – what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there’s nothing to access. #4 feels like an extension of #3 – only, in this case, it is most likely a larger group that the device is exposed to. #5 is the only one that makes some sense; if you install a program that you do not trust (you don’t know how it works), you don’t want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device’s actions.
If anything, a firewall only seems to provide extra precautions against mistakes made by the user, rather than actively preventing bad actors from getting in. People seem to treat it as if it’s acting like the front door to a house, but this analogy doesn’t make much sense to me – without a house (a service listening on a port), what good is a door?
Seriously, unless you are extremely specialized and know exactly what you are doing, IMHO the answer is: Always (and even being extremely specialized, I would still enable a firewall. :-P)
Operating systems nowadays are extremely complex with a lot of moving parts. There are security relevant bugs in your network stack and in all applications that you are running. There might be open ports on your computer you did not even think about, and unless you are monitoring 24/7 your local open ports, you don’t know what is open.
First of all, you can never trust other devices on a network. There is no way to know, if they are compromised. You can also never trust the software running on your own computer - just look at CVEs, even without malicious intentions your software is not secure and never will be.
As soon as you are part of a network, your computer is exposed, doesn’t matter if desktop/laptop, and especially for attacking Linux there is a lot of drive by attacks happening 24/7.
Your needs for firewalls mostly depend on your threat model, but just disabling accepting incoming requests is trivial and increases your security by a great margin. Further, setting a rate limit for failed connection attempts for open ports like SSH if you use this services, is another big improvement for security. (… and of course disabling password authentication, YADA YADA)
That said, obviously security has to be seen in context, the only snake oil that I know of are virus scanners, but that’s another story.
People, which claim you don’t need a firewall make at least one of the following wrong assumptions:
- Your software is secure - demonstrably wrong, as proven by CVEs
- You know exactly what is running/reachable on your computer - this might be correct for very small specialized embedded systems, even for them one still must always assume security relevant bugs in software/hardware/drivers
Security is a game, and no usable system can be absolutely secure. With firewalls, you can (hopefully) increase the price for successful attacks, and that is important.
You may also want to check up on regulations and laws of your country.
In Belgium, for instance, I am responsible for any and all attacks originating from my PC. If you were hacked and said hackers used your computer to stage an attack, the burden of proof is upon you. So instead of hiring very expensive people to trace the real source of an attack originating from your own PC, enabling a firewall just makes sense, besides making it harder on hackers…
Other comments have hit this, but one reason is simply to be an extra layer. You won’t always know what software is listening for connections. There are obvious ones like web servers, but less obvious ones like Skype. By rejecting all incoming traffic by default and only allowing things explicitly, you avoid the scenario where you leave something listening by accident.
If anything, a firewall only seems to provide extra precautions against mistakes made by the user, rather than actively preventing bad actors from getting in.
You say that like that isn’t providing value. How many services are listening on a port on your system right now? Run ‘ss -ltpu’ and prepare to be surprised.
Security isn’t about “this will make you secure” it’s about layers of protection and probability. It’s a “good practice” because people make mistakes and having a second line of defense helps reduce the odds of a hack.
In the military when learning ORM we called this the “swiss cheese” theory.
The more layers of sliced swiss cheese, the fewer holes that go all the way through.
Security isn’t about “this will make you secure” it’s about layers of protection and probability. It’s a “good practice” because people make mistakes and having a second line of defense helps reduce the odds of a hack.
AKA Defense In Depth and should be considered for any type of security.
When you expose ports to the Internet. It’s honestly interesting to setup a Web server with the default page on it and see how quickly you get hits on it. You don’t need to register a DNS or be part of an index anywhere. If you open a port (and your router does forward it) then you WILL get scanned for vulnerabilities. It’s like going naked in the forest, you sure can do that but clothes help, even if it’s “just” again ivy or random critters. Now obviously the LONGER you run naked or leave a computer exposed, the most likely you are to get a bad bug.
Can confirm. As an example, I’m developing a game server that runs a raw socket connection over the Telnet port. Within 10 minutes of opening the port, I reliably get requests trying to use Telnet to enable command mode or login as admin. People are constantly scanning.
Ya. And sometimes hosting companies run active scans on customer machines. I get a crazy number of login attempts over ssh. I ❤️ fail2ban
Always, as others have said.
You always need a firewall, no other answer’s.
Why do you think windows and most linix distributions come packaged with one?
#2 is strange – why does it matter?
It doesn’t. If you’re running a laptop with a local web server for development, you wouldn’t want other devices in i.e. the coffee shop WiFi to be able to connect to your (likely insecure) local web server, would you?
If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router’s NAT at port 80 to open that server’s port to the public. What difference does it make to then have another firewall that needs to be port forwarded?
Who is “they”? What about all the other ports?
Imagine a family member visits you and wants internet access in their Windows laptop, so you give them the WiFi password. Do you want that possibly malware infected thing poking around at ports other than 80 running on your server?
Obviously you shouldn’t have insecure things listening there in the fist place but you don’t always get to choose whether some thing you’re hosting is currently secure or not or may not care too much because it’s just on the local network and you didn’t expose it to the internet.
This is what defense in depth is about; making it less likely for something to happen or the attack less potent even if your primary protections have failed.#3 is a strange one – what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there’s nothing to access
Mostly addressed by the above but also note that you likely do have applications listening on ports you didn’t know about. Take a look at
sudo ss -utpnl.#5 is the only one that makes some sense; if you install a program that you do not trust (you don’t know how it works), you don’t want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device’s actions.
It’s rather the other way around; you don’t want the outside world to be able to talk to untrusted software on your computer. To be a classical “door”, the application must be able to listen to connections.
OTOH, smarter malware can of course be something like a door by requesting intrusion by itself, so outbound filtering is also something you should do with untrusted applications.
People seem to treat it as if it’s acting like the front door to a house, but this analogy doesn’t make much sense to me – without a house (a service listening on a port), what good is a door?
I’d rather liken it to a razor fence around your house, protecting you from thieves even getting near it. Your windows are likely safe from intrusion but they’re known to be fragile. Razor fence can also be cut through but not everyone will have the skill or patience to do so.
If it turned out your window could easily be opened from the outside, you’d rather have razor fence in front until you can replace the window, would you?
Even if you do trust the software running on your computer, did you actually fuzz it for vulnerabilities? Heartbleed could steal your passwords even if you ran ostensibly trustworthy software.
So unless you harden the software and prove it’s completely exploit-free, then you can’t trust it.
This question reads a bit to me like someone asking, “Why do trapeze artists perform above nets? If they were good at what they did they shouldn’t fall off and need to be caught.”
Do you really need a firewall? Well, are you intimately familiar with every smidgeon of software on your machine, not just userland ones but also system ones, and you understand perfectly under which and only which circumstances any of them open any ports, and have declared that only the specific ports you want open actually are at every moment in time? Yes? You’re that much of a sysadmin god? Then no, I guess you don’t need a firewall.
If instead you happen to be mortal like the rest of us who don’t read and internalize the behaviors of every piddly program that runs or will ever possibly run on our systems, you can always do what we do for every other problem that is too intensive to do manually: script that shit. Tell the computer explicitly which ports it can and cannot open.
Luckily, you don’t even have to start from scratch with a solution like that. There are prefab programs that are ready to do this for you. They’re called firewalls.
Firewall for incoming traffic :
-
If you a home user with your computer or laptop inside a LAN you would not really need a firewall, unless you start to use applications which expose its ports to 0.0.0.0 rather than 127.0.0.1 (I believe Redis server software did this a few years ago) and do not trust other users or devices (smart home devices, phones, tablets, modems, switches and so on) inside your LAN.
-
If you are running a server with just a few services, for example ssh, smtp, https, some hosting company people I knew argue that no firewall is needed. I am not sure, my knowledge is lacking.
Application firewalls, watching also outgoing traffic :
If you compare Linux with some other Operating System you will see that on Linux for years an application firewall was non existing. But there is a choice now : opensnitch This can be useful if you run desktop applications that you do not fully trust, or want more control.
-
You need to understand the mindset behind running a firewall, and that mindset is that you define with mathematical precision what’s possible within the network connectivity of a device, you leave nothing to chance or circumstance, because doing so would be sloppy.
Provided you want to subscribe to this mindset, and that the circumstances of that device warrant it, and that you have the networking knowledge to pull it off, you should in theory start with a DENY policy on everything and open up specific ports for specific users and related connections only. But it’s not trivial and if you’re a beginner it’s best done directly on the server console, because you WILL break your SSH connection doing this. And of course maybe not persist the firewall rules permanently until you’ve learned more and can verify you can get in.
Now obviously this is an extreme mindset and yes you should use it in a professional setting. As a hobbyist? Up to you. In theory you don’t need a firewall if your server only exposes the services you want to expose and you were gonna expose them through the firewall anyway. In practice, keeping track on what’s running on a box and what’s using what connections can be a bit harder than that.
If you’re a beginner my recommendation is to use a dedicated router running OpenWRT with LUCI, which comes with a sensible firewall out of the box, an easy to use UI, and other goodies like an easy to use DNS+DHCP server combo and the ability to install plugins for DoH, DDNS etc.
Firewalls are necessary for least privilege. You only give something access that needs access.
Additionally you should not port forward and especially not port 80.
Yeah like JFC the most insecure way to access the Internet let’s just open it up to the whole world.
When you are attacked. Ok so when are you attacked , as soon as you connect outside. So unless you are air gapped you need a firewall.
TempleOS doesn’t need one
It seems that the consensus from all the comments is that you do in fact need a firewall. So my question is how does that look exactly? A hardware firewall device directly between modem and router? I using the software firewall on the router enough? Or, additionally having software firewall installed on all capable devices on the network? A combination of the above?
Depends on the setup. For most people at home their router also does firewalling and NAT, and that is enough.
Even in corporate it is not uncommon for a firewall to be the gateway, or transparent in between, with maybe more internally too. There are just more routers inside and out, but those routers are real network routers in the traditional sense.
My setup is pretty basic, only thing I have is a media server accessed locally, and a pi running pihole and pivpn that has a port forwarded on my router for remote access. The pi has password login disabled, and the port forward is set to the static IP set for the pi with my router. The router has the firewall set, but nothing on any other machine. Do I need more?
What service do you have forwarded? Do you have any devices on your lan you don’t 100% trust?
I have a similar set up only forwarding a wire guard vpn port. I live alone and fully trust every device on my LAN, so I let my router take care of the firewall and dont have any firewalls on the devices on my lan.
Some will still argue this is bad practice but I really have no desire to toggle firewall rules every time I want to expose a port while I’m developing/testing software. If someone cracks wireguard then I don’t think they will risk exposing the industry halting 0 day to run a crypto miner on my raspberry pi.
IOT and friends get the guest wifi.
wire guard vpn port
This is the only thing forwarded. As for devices the worst offender would be my Roku TV but I’m not sure how much of a security threat that actually would be. More of a privacy threat, hence running pihole.
Any way you could put the roku on guest wifi or does pihole let you block all outgoing traffic? Something like that would make me a little hesitant. My lan has my graphene os device, 3 computers running debian, and an iot smart switch I flashed myself.
Like you said, more of a privacy concern than anything.
Depends on your setup. I got a network-level firewall+router setup between my modem and my LAN. But also, got
firewalld(friendly wrapper on iptables) on every Linux device I care about because I don’t want to unintentionally expose something to the network.hm, guess maybe I should find something for Android and my Windows boxes.
I use the firewall built into Proxmox with a device running openwrt
And like most things related to Linux on the internet, the consensus is generally incorrect. For a typical home user who isn’t opening ports or taking a development laptop to places with unsecure wifi networks, you don’t really need a firewall. It’s completely superflous. Anything you do to your PC that causes you genuine discomfort will more than likely be your own fault rather than an explicit vulnerability. And if you’re opening ports on your home network to do self-hosting, you’re already inviting trouble and a firewall is, in that scenario, a bandaid on a sucking chest wound you self-inflicted.
You’re right. If you don’t open up ports on the machines, you don’t need a firewall to drop the packages to ports that are closed and will drop the packets anyways. So you just need it if your software opens ports that shouldn’t be available to the internet. Or you don’t trust the software to handle things correctly. Or things might change and you or your users install additional software and forget about the consequences.
However, a firewall does other things. For example forwarding traffic. Or in conjunction with fail2ban: blocking people who try to guess ssh passwords and connect to your server multiple times a second.
Edit:
- “It’s just good security practice.” => nearly every time I’ve heard that people followed up with silly recommendations or were selling snake-oil.
- “You [just] need it if you are running a server.” => I’d say it’s more like the opposite. A server is much more of a controlled environment than lets say a home network with random devices and people installing random stuff.
- “You need it if you don’t trust the other devices on the network.” => True, I could for example switch on and off your smarthome lights or disable the alarm and burgle your home. Or print 500 pages.
- “You need it if you are not behind a NAT.” => Common fallacy, If A then B doesn’t mean If B then A. Truth is, if you have a NAT, it does some of the jobs a firewall does. (Dropping incoming traffic.)
- “You need it if you don’t trust the software running on your computer.” => True
You’re right. If you don’t open up ports on the machines, you don’t need a firewall to drop the packages to ports that are closed and will drop the packets anyways.
Sorry, hard disagree.
I assume you are assuming: 1.) You know about all open ports at all times, which is usually not the case 2.) There are no bugs/errors in the network stacks or services with open ports (e.g. you assume a port is only available to localhost) 3.) That there are no timing attacks which can easily be mitigated by a firewall 4.) That software one uses does not trigger/start other services transitively which then open ports you are not even aware of w/o constant port scanning
I agree with your point, that a server is a more controlled environment. Even then, as you pointed out, you want to rate limit bad login attempts via firewall/fail2ban etc. for the simple reason, that even a fully updated ssh server might use a weak key (because of errors/bugs in software/hardware during key generation) and to prevent timing attacks etc.
In summary: IMHO it is bad advice to tell people they don’t need a firewall, because it is demonstrably wrong and just confuses people like OP.
Sure, maybe I’ve worded things too factually and not differentiated between theory and practice. But,
- “you know everything”: I’ve said that. Configurations might change or you you don’t pay enough attention: A firewall adds an extra layer of security. In practice people make mistakes and things are complex. In theory where everything is perfect, blocking an already closed port doesn’t add anything.
- “There are no bugs in the network stack”: Same applies to the firewall. It also has a network stack and an operating system and it’s connected to your private network. Depends on how crappy network stacks you’re running and how the network stack of the firewall compares against that. Might even be the same as on my VPS where Linux runs a firewall and the services. So this isn’t an argument alone, it depends.
- Who migitates for timing attacks? I don’t think this is included in the default setup of any of the commonly used firewalls.
- “open ports you are not even aware of”: You open ports then. And your software isn’t doing what you think it does. We agree that this is a use-case for a firewall. that is what I was trying to convey with the previous argument no 5.
Regarding the summary: I don’t think I want to advise people not to use a firewall. I thought this was a theoretical discussion about single arguments. And it’s complicated and confusing anyways. Which firewall do you run? The default Windows firewall is a completely different thing and setup than nftables and a Linux server that closes everything and only opens ports you specifically allow. Next question: How do you configure it? And where do you even run it? On a seperate host? Do you always rent 2 VPS? Do you do only do perimeter security for your LAN network and run a single firewall? Do you additionally run firewalls on all the connected computers in the network? Does that replace the firewall in front of them? What other means of security protection did you implement? As we said a firewall won’t necessarily protect against weak passwords and keys. And it might not be connected to the software that gets brute-forced and thus just forward the attack. In practice it’s really complicated and it always depends on the exact context. It is good practice to not allow everything by default, but take the approach to block everything and explicitly configure exceptions like a firewall does. It’s not the firewall but this concept behind it that helps.
I think I get you and the ‘theory vs. practice’ point you make is very valid. ;-) I mean, in theory my OS has software w/o bugs, is always up-to-date and 0-days do not exist. (Might even be true in practice for a default OpenBSD installation regarding remote vulnerabilities. :-P)
Who migitates for timing attacks? I don’t think this is included in the default setup of any of the commonly used firewalls.
fail2ban absolutely mitigates a subset of timing attacks in its default setup. ;-)
LIMIT is a high level concept which can easily applied for ufw, don’t know about default setups of commonly used firewalls.
If someone exposes something like SSH or anything else w/o fail2ban/LIMIT IMHO that is grossly incompetent.
You are totally right, of course firewalls have bugs/errors/miss configurations… BUT … if you are using a Linux firewall, good chances are, that the firewall has been reviewed/attacked/pen tested more often and thoroughly than almost all other services reachable from the internet. So, if I have to choose between a potential attacker first hitting a well tested and maintained firewall software or a MySQL server, which got no love from Orcacle and lives in my distribution as an outdated package, I’ll put my money on the firewall every single time. ;-)
Thank you for pointing out that my arguments don’t necessarily apply to reality. Sometimes I answer questions too direct. And the question wasn’t “should I use a firewall” or I would have answered with “probably yes.”
I think I have to make a few slight corrections: I think we use the word “timing attack” differently. To me a timing attack is something that relies on the exact order or interval/distance packets arrive at. I was thinking of something like TOR does where it shuffles around packets, waits for a few milliseconds, merges them or maybe blows them up so they all have the same size. Brute forcing something isn’t exploiting the exact time where a certain packet arrives, it’s just sending many of them and the other side lets the attacker try an indefinite amount of passwords. But I wouldn’t put that in the same category with timing attacks.
Firewall vs MySQL: I don’t think that is a valid comparison. The firewall doesn’t necessarily look into the packets and detect that someone is running a SQL injection. Both do a very different job. And if the firewall doesn’t do deep-packet-inspection or rate limiting or something, it just forwards the attack to the service and it passes through anyways. And MySQL probably isn’t a good example since it rarely should be exposed to the internet in the first place. I’ve configured MariaDB just to listen on the internal interface and not to packets from other computers. Additionally I didn’t open the port in the firewall but MariaDB doesn’t listen on that interface anyways. Maybe a better comparison would be a webserver with https. The firewall can’t look into the packets because it’s encrypted traffic. It can’t tell apart an attack from a legitimate request and just forwards them to the webserver. Now it’s the same with or without a firewall. Or you terminate the encrypted traffic at the firewall, do packet inspection or complicated heuristics. But that shifts the complexity (including potential security vulberabilities in complex code) from the webserver to the firewall. And it’s a niche setup that also isn’t well tested. And you need to predict the attacks. If your software has known vulnerabilities that won’t get fixed, this is a valid approach. But you can’t know future attacks.
Having a return channel from the webserver/software to the firewall so the application can report an attack and order the firewall to block the traffic is a good thing. That’s what fail2ban is for. I think it should be included by default wherever possible.
I think there is no way around using well-written software if you expose it to the internet (like a webserver or a service that is used by other people.) If it doesn’t need to be exposed to the internet, don’t do it. Any means of assuring that are alright. For crappy software that is exposed and needs to be exposed, a firewall doesn’t do much. The correct tools for that are virtualization, containers, VPNs, and replacing that software… Maybe also the firewall if it can tell apart good and bad actors by some means. But most of the time that’s impossible for the firewall to tell.
I agree. You absolutely need to do something about security if you run services on the internet. I do and have ran a few services. And especially webserver-logs (especially if you have a wordpress install or some other commonly attacked CMS), SSH and Voice-over-IP servers get bombarded with automated attacks. Same for Remote-Desktop, Windows-Networkshares and IoT devices. If I disable fail2ban, the attackers ramp up the traffic and I can see attacks scroll through the logfiles all day.
I think a good approach is:
- Choose safe passwords and keys.
- Don’t allow people to brute-force your login credentials.
- If you don’t need a service, deactivate it entirely and remove the software.
- If you just need a service internally, don’t expose it to the internet. A firewall will help, and most software I use can be configured to either listen on external requests or don’t do it. Also configure your software to just listen on/to localhost (127.0.0.1). Or just the LAN that contains the other things that tie into it. Doing it at two distinct layers helps if you make mistakes or something happens by accident or complexity or security vulnerabilities arise. (Or you’re not in complete control of everything and every possibility.)
- If only some people need a service, either make it as secure as a public service or hide it behind a VPN.
- Perimeter security isn’t the answer to everything. The subject is complex and we have to look at the context. Generally it adds, though.
- If you run a public service, do it right. Follow state of the art security practices. It’s always complicated and depends on your setup and your attackers. There are entire books written about it, people dedicate their whole career to it. For every specific piece of software and combination, there are best practices and specific methods to follow and implement. Lots of things aren’t obvious.
- Do updates and backups.
