this post was submitted on 27 Sep 2024
81 points (96.6% liked)

Linux

48254 readers
416 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Hey there folks,

I'm trying to figure out how to configure my UFW, and I'm just not sure where to start. What can I do to see the intetnet traffic from individual apps so I can know what I might want to block? This is just my personal computer and I'm a total newbie to configuring firewalls so I'm just not sure how to go about it. Most online guides seem to assume one already knows what they want to block but I don't even know how/where to monitor local traffic to figure out what I can/should consider blocking.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 1 month ago* (last edited 1 month ago) (2 children)

You don't need a firewall on a typical desktop computer. You only need them on routers and servers.

That is because your personal computer is not actually on the internet. It is on a local network (LAN) and it talks only to your router. The router is the computer connected to the internet, and it has a firewall.

The question highlights a classic misunderstanding about networking that IMO should be better addressed. I was like OP once, and panicking about this pointlessly.

Addendum: You're all replying to OP as if they're a sysadmin managing a public-facing server. But OP says clearly that they're just a beginner on a PC - which will almost certainly be firewalled by their router. We should be encouraging and educating people like this, not terrorizing them about all the risks they're taking.

[–] [email protected] 7 points 1 month ago (2 children)

I think you need a bit of Swiss cheese in your security philosophy. Relying only on your router's firewall is a single point of failure. If it fails you are screwed. Relying on multiple layers means if one layer fails, another one might save you.

swiss cheese security model

[–] [email protected] 3 points 1 month ago (1 children)

Well, screwed I will be, then. I'm not going to waste my life babysitting a bespoke firewall on my Ubuntu Desktop.

And it seems like a bad idea to be telling beginners on Ubuntu or Mint whatever that their "security philosophy is flawed" and they must imperatively run these 10 lines of mysterious code or else bad things will happen.

This whole discussion looks like a misunderstanding. OP is not a sysadmin on public-facing server. They are a beginner on a laptop at home.

[–] reklis 7 points 1 month ago (1 children)

I mostly agree with you, but given it’s a laptop that may not always be at home. It is wise to consider enabling the firewall when connecting to other untrusted networks like Starbucks

[–] [email protected] 1 points 1 month ago

Yes, fair point.

As I understand it, the main risk of an untrusted local network is with DNS. The best precaution being to set it manually (to 1.1.1.1 for example or ideally something less centralized). Actually I used to do that myself, running a stub DNS server on localhost. This kind of option really should be in every OS by default.

Would be interested to know the consensus on better locking down a roving laptop.

[–] [email protected] 0 points 1 month ago

You don't understand networking. The local firewall will only stop traffic coming in locally and your average Linux desktop doesn't have services listening outside of localhost anyway

[–] [email protected] 1 points 1 month ago (1 children)

Unless your ISP provides IPv6 connectivity, which gives every endpoint a globally-routable address. Firewalling at the router only works because of NAT.

[–] [email protected] 1 points 1 month ago (1 children)

That's why I wrote typical. The question was from a beginner, not a networking expert.

[–] [email protected] 1 points 1 month ago

Indeed... IPv6 needs to be actively disabled, not enabled, by default.