linux


GravitySpoiled, (edited ) in When do I actually need a firewall?

I’ve got two services on my computer. One is for email, and I want this port to be open to the public WAN; the other is for immich, which hosts all my private pictures, and I don’t want this port to be public but reachable on LAN. In my router I open the port for email but not for immich. Email can communicate on LAN and WAN and immich only on LAN. On a foreign, untrusted LAN, like an airport, I don’t want other people to be able to sniff my immich traffic, which is why I have another firewall setting for an untrusted LAN.

iopq, in When do I actually need a firewall?

Even if you do trust the software running on your computer, did you actually fuzz it for vulnerabilities? Heartbleed could steal your passwords even if you ran ostensibly trustworthy software.

So unless you harden the software and prove it’s completely exploit-free, then you can’t trust it.

geoma, in Thinking about making the big switch – recommend me a distro!

MX Linux, Linux Mint, Endeavour OS

geoma,

And Debian

prole, (edited )

I second EndeavourOS. My first distro and it’s been a great experience. I’ve felt no desire to switch.

Steam/games have worked great.

bizdelnick, in When do I actually need a firewall?

You always need it and you actually use it. The smarter question is when you need to customize its settings. Defaults are robust enough, so unless you know what and why you need to change, you don’t.

TCB13, (edited ) in When do I actually need a firewall?
@TCB13@lemmy.world avatar

#1 leaves a lot to be desired, as it advocates for doing something without thinking about why you’re doing it – it is essentially a non-answer.

Agreed. That’s mostly BS from people who make commissions from some vendor.

#2 is strange – why does it matter? If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router’s NAT at port 80 to open that server’s port to the public. What difference does it make to then have another firewall that needs to be port forwarded?

A firewall might be more advanced than just NAT/poking a hole; it may do intrusion detection (whatever that means) and DDoS protection.

#3 is a strange one – what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there’s nothing to access.

Maybe you’ve a bunch of IoT devices in your network that are sold by a Chinese company or any IoT device (lol) and you don’t want them to be able to access the internet because they’ll establish connections to shady places and might be used to access your network and other devices inside it.

#5 is the only one that makes some sense;

Essentially the same answer as in #3.

If we’re talking about your home setup and/or homelab, just don’t get a hardware firewall; those are overpriced and won’t add much value. You’re better off buying an OpenWRT compatible router and ditching your ISP router. OpenWRT does NAT and has a firewall that is easy to manage and set up with whatever policies you might need to restrict specific devices. You’ll also be able to set up things such as DoH / DoT for your entire network, set up a quick WireGuard VPN to access your local services from the outside in a safe way and maybe use it to set up a couple of network shares. Much more value for most people, way cheaper.

Petter1, (edited ) in When do I actually need a firewall?

You most likely don’t need an on-device firewall if you’re in your home network behind a router that has a firewall. If you’d disable that firewall as well and one of your devices has e.g. SSH activated using username and password, then there is nothing stopping a “hacker” or “script kiddy” from penetrating/spamming your SSH port and brute-forcing your password. The person can then take over your PC and can e.g. install software for his botnet, install a keylogger, take over your browser session including all authentication cookies, or do many other bad things.

If you are using public WiFi, I’d recommend a good on-device firewall, or better, just use a VPN to get an encrypted tunnel to your home (where you would need to open a port for that tho) and go into the internet from there.

LoveSausage, (edited ) in I feel like I'm missing out by not distro-hopping

If you are happy with the way things are, no need to change. Want to try something out? Live CD or VM. Dual boot if you want to keep 2 systems. Mint is pretty good. I like Peppermint myself, a halfway stop between Mint and Arch. Shit works out of the box but runs on 1 GB RAM. Worth checking out if you want to get some extra out of your computer.

MangoKangaroo, in OBS Merges FFmpeg VA-API AV1 Support

I’ve been using and loving the Intel AV1 support that got added with the latest update. Glad to see we’re getting a VA-API implementation now.

gian, in I feel like I'm missing out by not distro-hopping

What would the benefits be of jumping to something else?

None if you want to do it just because

What am I missing?

Again, nothing, if you don’t need some very specific feature that only another distro offers or something that is easier on another distro.

thanks_shakey_snake, in When do I actually need a firewall?

For me, it’s primarily #5: I want to know which apps are accessing the network and when, and have control over what I allow and what I don’t. I’ve caught lots of daemons for software that I hadn’t noticed was running and random telemetry activity that way, and it’s helped me sort-of sandbox software that IMO does not need access to the network.

Not much to say about the other reasons, other than #2 makes more sense in the context of working with other people: If your policy is “this is meant to be an HTTPS-only machine,” then you might want to enforce that at the firewall level to prevent some careless developer from serving the app on port 80 (HTTP), or exposing the database port while they’re throwing spaghetti at the wall wrestling with some bug. That careless developer could be future-you, of course. Then once you have a policy you like, it’s also easier to copy a firewall config around to multiple machines (which may be running different apps), instead of just making sure to get it consistently right on a server-by-server basis.

So… Necessary? Not for any reason I can think of. But useful, especially as systems and teams grow.

kuneho, (edited ) in I feel like I'm missing out by not distro-hopping
@kuneho@lemmy.world avatar

What am I missing?

Nothing. If you are content with your current setup, you are missing absolutely nothing.

AVincentInSpace, in I feel like I'm missing out by not distro-hopping

The time I spent “distro hopping” back in high school was because I didn’t have the balls to commit to a single distro. Even then the only time I actually switched was when I made a config change that blew up in my face so badly I needed to reinstall anyway.

If you’ve found a setup you’re happy with, by all means, stick with it. You’re not missing out on much by not voluntarily erasing your boot drive and installing an entirely new OS every week or so for no reason other than it looked cool.

(If you’re about to suggest dual booting multiple Linux distros, no. Just stop. I tried that once. You would not believe how many issues are caused by sharing a ~/.config between two systems with slightly different versions of the same software.)

Atemu, in When do I actually need a firewall?
@Atemu@lemmy.ml avatar

#2 is strange – why does it matter?

It doesn’t. If you’re running a laptop with a local web server for development, you wouldn’t want other devices in i.e. the coffee shop WiFi to be able to connect to your (likely insecure) local web server, would you?

If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router’s NAT at port 80 to open that server’s port to the public. What difference does it make to then have another firewall that needs to be port forwarded?

Who is “they”? What about all the other ports?

Imagine a family member visits you and wants internet access on their Windows laptop, so you give them the WiFi password. Do you want that possibly malware-infected thing poking around at ports other than 80 running on your server?

Obviously you shouldn’t have insecure things listening there in the first place, but you don’t always get to choose whether something you’re hosting is currently secure or not, or you may not care too much because it’s just on the local network and you didn’t expose it to the internet.
This is what defense in depth is about: making it less likely for something to happen, or the attack less potent, even if your primary protections have failed.

#3 is a strange one – what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there’s nothing to access.

Mostly addressed by the above but also note that you likely do have applications listening on ports you didn’t know about. Take a look at sudo ss -utpnl.

#5 is the only one that makes some sense; if you install a program that you do not trust (you don’t know how it works), you don’t want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device’s actions.

It’s rather the other way around; you don’t want the outside world to be able to talk to untrusted software on your computer. To be a classical “door”, the application must be able to listen to connections.

OTOH, smarter malware can of course be something like a door by requesting intrusion by itself, so outbound filtering is also something you should do with untrusted applications.

People seem to treat it as if it’s acting like the front door to a house, but this analogy doesn’t make much sense to me – without a house (a service listening on a port), what good is a door?

I’d rather liken it to a razor fence around your house, protecting you from thieves even getting near it. Your windows are likely safe from intrusion but they’re known to be fragile. Razor fence can also be cut through but not everyone will have the skill or patience to do so.

If it turned out your window could easily be opened from the outside, you’d rather have razor fence in front until you can replace the window, would you?

Kalcifer,
@Kalcifer@sh.itjust.works avatar

If you’re running a laptop with a local web server for development, you wouldn’t want other devices in i.e. the coffee shop WiFi to be able to connect to your (likely insecure) local web server, would you?

This is a fair point that I hadn’t considered for the mobile use-case.

Imagine a family member visits you and wants internet access on their Windows laptop, so you give them the WiFi password. Do you want that possibly malware-infected thing poking around at ports other than 80 running on your server?

Fair point!

note that you likely do have applications listening on ports you didn’t know about. Take a look at sudo ss -utpnl.

Interesting! In my case I have a number of sockets from Spotify and Steam listening on port 0.0.0.0. I would assume that these are only available to connections from the LAN?

It’s rather the other way around; you don’t want the outside world to be able to talk to untrusted software on your computer. To be a classical “door”, the application must be able to listen to connections.

OTOH, smarter malware can of course be something like a door by requesting intrusion by itself, so outbound filtering is also something you should do with untrusted applications.

It could also be malicious software that simply makes a request to a remote server – perhaps even siphoning your local data.

If it turned out your window could easily be opened from the outside, you’d rather have razor fence in front until you can replace the window, would you?

Fair point!

Atemu,
@Atemu@lemmy.ml avatar

In my case I have a number of sockets from Spotify and Steam listening on port 0.0.0.0. I would assume that these are only available to connections from the LAN?

That’s exactly the kind of thing I meant :)

These are likely for things like in-house streaming, LAN game downloads and remote music playing, so you may even want to consider explicitly allowing them through the firewall, but they’re also potential security holes in applications running under your user that you have largely no control over.
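The `sudo ss -utpnl` check Atemu suggests, and the question of what a socket bound to 0.0.0.0 actually means, as an added example that is not part of the thread: this script classifies each listening socket by how exposed its bind address is. The ss output embedded below is constructed to look like real output (process names, pids and ports are made up); on your own machine, feed it the real thing.

```shell
#!/bin/sh
# Added example, not from the thread. A socket bound to 0.0.0.0 or [::] accepts
# connections from every network the machine joins (home LAN, coffee-shop Wi-Fi);
# the router's NAT only hides it from the WAN. Only a host firewall narrows that.
# SAMPLE_SS is CONSTRUCTED to resemble `sudo ss -utpnl` output; values are made up.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*    users:(("systemd-resolve",pid=612,fd=13))
udp   UNCONN 0      0      0.0.0.0:57621       0.0.0.0:*    users:(("spotify",pid=4120,fd=61))
tcp   LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*    users:(("cupsd",pid=880,fd=7))
tcp   LISTEN 0      128    0.0.0.0:27036       0.0.0.0:*    users:(("steam",pid=3987,fd=88))
tcp   LISTEN 0      128    [::]:22             [::]:*       users:(("sshd",pid=790,fd=3))
tcp   LISTEN 0      4096   [::1]:5432          [::]:*       users:(("postgres",pid=1203,fd=5))'

# exposure ADDR:PORT -> loopback | all-interfaces | specific
exposure() {
    addr=${1%:*}                                  # drop the trailing :port
    addr=$(printf '%s' "$addr" | cut -d'%' -f1)   # drop a scope suffix such as %lo
    case "$addr" in
        127.*|'[::1]')        echo loopback ;;        # reachable only from this host
        0.0.0.0|'[::]'|'*')   echo all-interfaces ;;  # reachable from any attached network
        *)                    echo specific ;;        # bound to one concrete address
    esac
}

# classify_sockets SS_OUTPUT -> one line per socket: EXPOSURE PROTO PORT PROCESS
classify_sockets() {
    printf '%s\n' "$1" | tail -n +2 | while read -r netid _state _rq _sq laddr _peer proc; do
        port=${laddr##*:}
        # pull the program name out of users:(("name",pid=...,fd=...))
        name=$(printf '%s' "$proc" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
        printf '%s %s %s %s\n' "$(exposure "$laddr")" "$netid" "$port" "${name:-?}"
    done
}

# count_exposure SS_OUTPUT LEVEL -> how many sockets sit at that exposure level
count_exposure() {
    classify_sockets "$1" | grep -c "^$2 "
}

# Sorted so the all-interfaces sockets (the ones a host firewall should gate) come first.
classify_sockets "$SAMPLE_SS" | sort
```

To run it against live data, replace `"$SAMPLE_SS"` with `"$(sudo ss -utpnl)"`; the `all-interfaces` rows are the ones a per-device firewall would need to restrict to the LAN.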

TCB13, in I feel like I'm missing out by not distro-hopping
@TCB13@lemmy.world avatar

There’s Debian and Red Hat Enterprise, everything else is pointless. Enjoy.

TCB13, in Surface Laptop 3 running Kubuntu, such an improvement over what it was "designed" for.
@TCB13@lemmy.world avatar

Surface Laptop 3 running Kubuntu, such an improvement over what it was “designed” for.

I’m sure it is an improvement until… you’ve to use Wine to run something Windows only or a VM and end up on the exact same spot as initially but with extra steps and less performance. 😂 😂 😂

iturnedintoanewt, (edited )
@iturnedintoanewt@lemm.ee avatar

Except battery lasts more on Linux. Not to mention suspend ACTUALLY works, and won’t wake at random times while in your backpack and kill your battery before you can actually use it when you need it. Which Windows does. And yeah, most people do NOT need anything specific from Microsoft to be productive.

nyctre,

If every day is 1 min faster and 1 day a week is 5 min slower, that’s still a net gain. And that’s assuming that they need to run a windows-only app which a surprising amount of people don’t.

TCB13,
@TCB13@lemmy.world avatar

Everyone does run into a Windows-only app eventually. It’s sad, it hurts but it is what it is.

nyctre,

Sure, but like I said, better to suffer once a week or month than every day

BlovedMadman, (edited )
@BlovedMadman@lemmy.world avatar

Windows only app… Name one that is actually useful and I bet there is an alternative.

TCB13,
@TCB13@lemmy.world avatar

Unless you have to collaborate with others who use said Windows only apps and you can’t afford compatibility issues.

BlovedMadman, (edited )
@BlovedMadman@lemmy.world avatar

Like what, what format would this be? Regardless, every company I have ever worked for has issued me a laptop with Windows anyway, so why would the OS I choose to use on hardware I own be a factor for work? Even then, if they didn’t, I don’t know of any format that I would need that would be an issue.

TCB13,
@TCB13@lemmy.world avatar

Okay that’s fair, you don’t try to do any work in your Linux box and things work out. Great.

BlovedMadman, (edited )
@BlovedMadman@lemmy.world avatar

Not sure about your life, but I don’t count things I enjoy as “work”, especially when it’s not work. I enjoy using Linux, I enjoy my home lab; why should I need to justify it when it brings me joy? Linux works for me and my workflow; just because it doesn’t work for yours, don’t try to shit on other people.

TCB13,
@TCB13@lemmy.world avatar

No no, no justification required :). It also isn’t about working or not for me. It is just that there’s a bunch of people arguing around here that Linux (desktop) is great for every use case, be it work or play, under any circumstance, while it isn’t.

BlovedMadman,
@BlovedMadman@lemmy.world avatar

I never made such a comment. Gaming, for me, is a big reason why I only have Windows installed on my PC (and Adobe). There are games which work on Linux (either natively or with Proton) but some games I play don’t. There’s no point in me dual booting as, let’s be honest, dual booting just adds more steps and overcomplicates things. I use Linux on my laptop as the alternatives I use (Darktable and Kdenlive) are more than good enough for when I’m on my laptop (it’s not exactly a powerhouse), but when I’m on my desktop I want to use Lightroom, Photoshop and DaVinci Resolve as they are more refined and fit my workflow better.

Unraid on my server is just because it’s exactly what I need.

highduc, (edited )

You’re in a Linux community here man, you’re going to be outnumbered. I think people here genuinely don’t rely on Windows stuff as much as you think.

Last time I needed Windows was a few years ago when I wanted to do a firmware upgrade to my guitar processor. In the meantime I upgraded to one that itself runs Linux :)

I think lots of people exaggerate their need for certain apps. I understand if you need Photoshop for work because it may be the best tool for the job and an industry standard, but some people swear they “need” it when all they do is apply blur or red eye reduction to a picture once every 3 years. Nowadays you can probably do that in dozens of other ways.

I’ve been Linux only since late 2015 and in this time I “needed” a Windows VM ~ 2 times, but ofc personal experiences can vary greatly.

kzhe, (edited )

Hasn’t happened to me yet. At least not enough that the trade off is anything other than totally worth it for Linux.

BlovedMadman,
@BlovedMadman@lemmy.world avatar

I don’t need it for Windows applications; it’s basically something I can use for light photo and video editing and uploading to my server. All the heavy lifting is done on my PC, which has Windows because of Adobe and better support for x264 and x265 when video editing.

TCB13,
@TCB13@lemmy.world avatar

Okay that’s fair. So this is the solution, fall back to a second machine running Windows? :P

BlovedMadman, (edited )
@BlovedMadman@lemmy.world avatar

Well in that case; my Windows PC falls back to a server running Linux, as that’s where all my files are and where my docker containers and VMs all run off… I can spin up a new PC in minutes (Windows or Linux) as everything is done off the server, including staging my devices.

kzhe,

…yes, but that’s a minority of the time. Cumulatively, the slightly bad experience averages out with the 99% of the time better experience to be solidly superior.
