The majority of Linux distros come with a firewall preinstalled, but it's usually disabled by default. I always enable it with a very simple rule (outgoing - yes, incoming - no), but many people argue that there is no need to do it, because your router/ISP provides one for you. Do you use a firewall on your home/desktop machine (we're not discussing servers here)?
Last edited by Pirx (2025-03-11 12:46:40)
$ sudo ufw status verbose
[sudo] password for marens:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
If people would know how little brain is ruling the world, they would die of fear.
The router's hardware firewall should be all you need if your local network can be trusted, but most routers have out-of-date software and/or firmware and may be vulnerable. That being the case, a basic firewall on the local machines can be a good idea, especially if you're running something like Debian that enables and starts systemd services provided by packages automatically on installation.
I use nftables and the supplied workstation configuration with an extra hole punched for SSH:
~$ cat /etc/nftables.conf
flush ruleset
table inet filter {
   chain input {
      type filter hook input priority 0; policy drop;
      # accept any localhost traffic
      iif lo accept
      # accept traffic originated from us
      ct state established,related accept
      # allow ssh
      tcp dport ssh accept
      # accept neighbour discovery otherwise IPv6 connectivity breaks
      icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
   }
}
~$ doas nft list ruleset
table inet filter {
   chain input {
      type filter hook input priority filter; policy drop;
      iif "lo" accept
      ct state established,related accept
      tcp dport 22 accept
      icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
   }
}
~$
Apologies for the stupidly wide tabs, I use 3-space tabs (which is the correct amount) but the forum software has inserted 8 spaces. Grrr.
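The post above makes the point that a package install on Debian may start a listening daemon before you notice it, and that a host ruleset like the workstation config decides whether it is reachable. The following audit script is an added example, not code from the thread or from the nftables project: it parses text in the shape of `nft list ruleset` and of `ss -tulnH` (both samples below are constructed, modelled on the post's ruleset) and lists the listening sockets the input chain leaves reachable from the network.

```python
import re

# Constructed sample in the shape of `nft list ruleset`, mirroring the post's workstation rules.
SAMPLE_RULESET = """table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
    }
}"""
# Constructed sample in the shape of `ss -tulnH`: daemons a package install may have started.
SAMPLE_SS = """tcp LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 50  0.0.0.0:445  0.0.0.0:*
udp UNCONN 0 0   0.0.0.0:5353 0.0.0.0:*"""

def parse_input_chain(ruleset):
    """Return (policy, {'tcp': {ports}, 'udp': {ports}}) for the input hook chain.
    Recognises 'tcp|udp dport N accept' and 'dport { a, b } accept' with numeric ports
    (as `nft list ruleset` prints them); accepts by interface or address are not modelled."""
    m = re.search(r"hook input [^;]*;\s*policy (\w+);", ruleset)
    policy = m.group(1) if m else "accept"   # a chain with no explicit policy accepts
    allowed = {"tcp": set(), "udp": set()}
    for proto, spec in re.findall(r"\b(tcp|udp) dport (\{[^}]*\}|\d+) accept", ruleset):
        allowed[proto].update(int(p) for p in re.findall(r"\d+", spec))
    return policy, allowed

def listening_sockets(ss_output):
    """Parse `ss -tulnH` lines into (proto, bind_addr, port) tuples."""
    sockets = []
    for parts in (line.split() for line in ss_output.splitlines()):
        if len(parts) >= 5:
            addr, _, port = parts[4].rpartition(":")
            sockets.append((parts[0], addr, int(port)))
    return sockets

def exposed_services(ruleset, ss_output):
    """Sockets the ruleset leaves reachable from the network; loopback binds are
    skipped because only 'iif lo' traffic can reach them anyway."""
    policy, allowed = parse_input_chain(ruleset)
    return [f"{proto}/{port} on {addr}"
            for proto, addr, port in listening_sockets(ss_output)
            if addr not in ("127.0.0.1", "[::1]")
            and (policy == "accept" or port in allowed.get(proto, set()))]

if __name__ == "__main__":
    for svc in exposed_services(SAMPLE_RULESET, SAMPLE_SS):
        print("reachable from the network:", svc)
```

With the drop-policy ruleset only tcp/22 is reported; feed the same sockets to an allow-all chain and SMB and mDNS show up too, which is exactly the gap the host firewall closes.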
That being the case, a basic firewall on the local machines can be a good idea, especially if you're running something like Debian that enables and starts systemd services provided by packages automatically on installation.
Then why do all Debian-based distros come with a firewall that is disabled by default? I just don't get it...
In most distributions (including Debian-based), the firewall is enabled by default but it is set to allow all traffic, which is the only sensible default.
Wouldn't not including a firewall at all be a more sensible default?
The firewall is part of the kernel. Not including the userspace tools needed to manipulate the firewall would mean that users would have to connect to the network without a firewall to download the tools needed to bring it up.
But if the firewall is set to allow all traffic then what's the difference?
The firewall needs to be present at first boot because security-conscious users won't want to connect without one but it must have an open ruleset because otherwise it would restrict some users unnecessarily.
OK. That makes sense.