You are not logged in.

#1 2020-01-09 19:54:09

Simaryp
Member
Registered: 2018-04-28
Posts: 141

Firewall on clientside?

I recently read a bit about routers and firewalls based on linux and bsd. Then I noticed that the recommendation guide in the arch wiki recommends to install and configure a firewall in general.
I think I never configured a firewall or an antivirus software in linux ever and had always the feeling that it's quite uncommon. Now I am a bit surprised. So should I configure nftables on all my clients? And why is the router not sufficient? Or is it maybe because of foreign WLANs?

In case it belongs more to the newbie corner, feel free to move it.

Offline

#2 2020-01-09 20:07:22

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: Firewall on clientside?

Simaryp wrote:

So should I configure nftables on all my clients? And why is the router not sufficient? Or is it maybe because of foreign WLANs?

1) Up to you
2) Mainly, some people don't control or have much control of their router.  Additionally, there's no harm in an additional layer of securty.
3) This is definitely another good reason to set up a firewall on your own system.

There is no harm I could think of from running a firewall on your system.  The question is are you in a situation such that you'd find benefits from it.

Do you run any servers or software that opens up any ports?  If not, a firewall would serve no purpose.  I do not run a firewall on my computer.  But I have *very* limited software running so there is nothing to open or listen on various ports.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2020-01-10 05:27:16

Simaryp
Member
Registered: 2018-04-28
Posts: 141

Re: Firewall on clientside?

Trilby wrote:

The question is are you in a situation such that you'd find benefits from it.

Do you run any servers or software that opens up any ports?  If not, a firewall would serve no purpose.  I do not run a firewall on my computer.  But I have *very* limited software running so there is nothing to open or listen on various ports.

That is exactly my question. My understanding was that if I don't have a Firewall installed all Ports are reachable. Of course there is maybe no service listening to those ports. Actually I am unaware of what services are set up by default or maybe some software that are listening to some ports.

I have at home some machines that are listening to ssh or have some services running, but I guess they are protected by the firewall of my router. I have the idea to set up some vlans at home for further protection from my lan, but this is then also done by a router.

For my laptop in a foreign network I have actually no clue what the attack surface would be and how I should configure a firewall on the workstation for that purpose. Of course I have to allow some network traffic on the machine or I could simply not connect to the network at all. But since I have no clue about the infrastructure of random hotel networks or friends places or what so ever, how should I actually know what to block and what to allow.

Generally speaking, from my experience were firewalls on clients a topic I know from Windows over a decade ago and it became common opinion that they are more or less useless or even a threat. Antivirus on windows is still important, but for linux my hole lifetime I heard it's not important, maybe only to protect some windows machines, which I don't really have. So this advice in the general recommendations section really confused me and now I want to understand in more details, why I should do what.

Offline

#4 2020-01-10 12:27:58

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: Firewall on clientside?

Simaryp wrote:

For my laptop in a foreign network I have actually no clue what the attack surface would be and how I should configure a firewall on the workstation for that purpose. Of course I have to allow some network traffic on the machine or I could simply not connect to the network at all. But since I have no clue about the infrastructure of random hotel networks or friends places or what so ever, how should I actually know what to block and what to allow.

There is no need to know anything about the "infrastructure" of those places.  Allow what you know you want, block everything else.  But again, if you don't have any servers listening on ports, this is irrelevant.  If you don't know, check:
https://access.redhat.com/documentation … ports.html

Don't try to approach the situation by guessing at what a potential attacker might want and blocking that.  Figure out what you want open, and block anything else (if there is anything at all to block).

Last edited by Trilby (2020-01-10 13:08:51)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#5 2020-01-10 12:57:21

JeanLucJ
Member
Registered: 2019-03-08
Posts: 59

Re: Firewall on clientside?

Simaryp wrote:

I recently read a bit about routers and firewalls based on linux and bsd. Then I noticed that the recommendation guide in the arch wiki recommends to install and configure a firewall in general.
I think I never configured a firewall or an antivirus software in linux ever and had always the feeling that it's quite uncommon. Now I am a bit surprised. So should I configure nftables on all my clients? And why is the router not sufficient? Or is it maybe because of foreign WLANs?

In case it belongs more to the newbie corner, feel free to move it.

Hello,

Security advices sometimes sound like paranoia, yet when it costs almost nothing (it's very quick to setup iptables, for example)... why take the risk?
With a very classic firewall configuration, any malicious code that wants to open a port to the outside can't (unless given root access ofc).
A router offers another degree of protection (in a classic setup, there must be a port forward to actually access your computer which need admin access... unless there is a design flaw in the router - you see the paranoia coming? - or a very loose setup. Related example : in France, Freebox router had no IPV6 firewall during a few monthes after they activated IPV6)

But you can also make mistakes : I'm like you, I never installed any firewall on my computers for a long time.

Some time ago, I have been setting up a server, with an encrypted drive and remote unlocking using mkinit-cpio-dropbear.
The package had a bug, so I did some fiddling on my laptop to have it running.

A while later, I did a scan of my ports due to some problems with cups. I was very surprised to see a service opened on port 22.
It was the dropbear service, that I had activated during my work on the package, and forgotten to disable. It was launched with the minimal security options (root login allowed, password allowed, no ban, ...)
So, during monthes, I have been connecting to various public wifi, ... with that.

You could argue that a ssh server is not a blatant security hole, yet it's still something unwanted, a firewall would have prevented this security risk.

Regards,

Offline

#6 2020-01-10 15:25:48

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Firewall on clientside?

I do agree with Trilby, if there are no outside services running a wall would be unnecessary.
But, it really depends on your network if you don't have others accessing your network a router would be sufficient.
However, if you have multiple subnets, others using these subnets it's becoming a whole different story.
Lets say you have a few subnets and all your machines are running daemons, like SSHD FI. Your routers firewall is not able to block traffic on the same subnet, between subnets they can. This is where it becomes good practice to have a firewall on each machine and define who / what has access to a service even on the same subnet and if the services are only local.
Or setup a guest only network completely isolated from your own subnets, but hey what the fun in that;)
Personally I run a router / firewall and I have a firewall on each machine running an accessible service, which means every machine on my network has it's own firewall, even if it's only RPI..

Offline

#7 2020-01-10 16:19:53

Simaryp
Member
Registered: 2018-04-28
Posts: 141

Re: Firewall on clientside?

Oh man, I will try this outand check on the machines which ports are opened.

At least for the laptops it might be a good idea + I get experience with nftables. I am planning to set up a router and I am still undecisioned between pf/opensense and linux. Maybe fiddling with nftables helps with that.

@qinohe So you run a firewall on all servers and the clients? If I don't forget anything I would guess currently my NAS, my HTPC and a Raspberry Pi are running services. Currently I only have a guest VLAN from my router, but I want to seperate stuff with vlans and the devices inside the vlans should communicate anyway with each other. So wouldn't an extra firewall then be useless on the servers?

Offline

#8 2020-01-10 16:32:27

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Firewall on clientside?

I run OPNsense, beautiful project I must say, though there's probably nothing wrong with PFsense too. It's nice they both exist.
Yes I run a firewall on all my 'clients' too because all my clients are running remote services too..
And really I had a firewall on all my machines before I ran PFsense and afterwards OPNsense and I just keep on doing it the way I did it before that..
You can go as far as you wish of course though, common sense is a thing too. If I run a machine without remote services(it happens sometimes) I then don't run a firewall on it.

Offline

#9 2020-01-12 08:02:39

Simaryp
Member
Registered: 2018-04-28
Posts: 141

Re: Firewall on clientside?

I checked my Laptop (and I guess the Laptop of my wife should behave the same as it has even less software installed) and the only Port I see is TCP 631 for IPP. This seems to be related to CUPS and if I understood right only shows up if one scans the machine as localhost.

I also scanned some other devices like my HTPC running LibreELEC and my Synology NAS and found several Ports open there, eg the HTPC:

[jacob@limob ~]$ nmap 192.168.199.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-11 22:04 CET
Nmap scan report for 192.168.199.11
Host is up (0.0025s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

So 22, 139, and 445 are clear for me. Thing that makes me wonder is 111 and that some ports I thought to find are not present. E.g. there is a TVHeadend Server running on the machine that is listening on port 9981.

So this machine is in my LAN. Once I build my router and set up everything it goes into a VLAN. I think I can also disable SMB on that machine. And if I set up my new server it also will not run the TVH server anymore. But maybe it's a good example as how it is right now. How would you configure a firewall on that machine in order to have the services still working for other clients and increase protection?

I guess it would be something like a rule that default drops all packages and then a rule for each port that allows traffic from an IP range or something like that.

And if I want to secure my laptops anyway to not run in situations like mentioned by @JeanLucJ, I would only create a rule to drop any traffic on all ports? But that would stop my laptop from accessing any packets, wouldn't it?

Last edited by Simaryp (2020-01-12 08:19:23)

Offline

#10 2020-01-12 11:51:21

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: Firewall on clientside?

Yes, you need to differentiate between incoming packets you asked for and unsolicited incoming packets.

Check the examples on https://wiki.archlinux.org/index.php/Nftables#Examples to see how that can be done.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#11 2020-01-12 14:50:12

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Firewall on clientside?

Lone_Wolf actually said it all, but Just as an addition, let's say you build a firewall like OPNsense, you'll soon find out it blocks everything by default, unless you create default allow any rule(which of course you don't) you need to create a rule for every service(port)  even if only opening only websites in your browser or want to receive mail. On your client side you only need a firewall if you run services like SSHD or IPP etc.
Wrap you're head around the concept and you'll soon figure out how things work. We can show you the door, you're the one that has to walk trough it wink (Morpheus-theMatrix)

Offline

#12 2020-01-12 14:59:34

Simaryp
Member
Registered: 2018-04-28
Posts: 141

Re: Firewall on clientside?

Thanks for the hints, I will walk through the door.
As a router I think I will start with opnsense or pfsense first. Running a debian for it, is maybe a bit out of my league at the moment. But maybe before that I might start playing around with IPS. But first things first.

Offline

#13 2020-01-12 15:14:25

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Firewall on clientside?

I don't think OPNsense will run on Debian it runs on BSD(hardened) if it would ever work on Debian it would work on Debian-kFreeBSD only, you'll need to create your own port I think, if even possible I didn't investigate.
You shouldn't overdo it, start with firewalls and after that IDS/IPS, which is a whole different cake, unless you have time on your side of course.

Offline

#14 2020-01-12 15:21:18

Simaryp
Member
Registered: 2018-04-28
Posts: 141

Re: Firewall on clientside?

I think you got me wrong. I was talking about using a Debian installation as router instead of *sense. And yes thats what I meant. I want to first set up everything with plain firewall VLANs etc. and once it's done and I have no other things to do I might take a glance at IPS. I saw some video about suricata and that looked hellish complicated because of the trizillions of options and configuration possibillities, but I think I don't have a strong need for this.

Offline

#15 2020-01-12 15:28:08

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Firewall on clientside?

Ah, sorry for misreading. Yes, things like Suricata or Snort can be hell.. I run Suricata right now(it's default on OPNsense) but I much more appreciate Snort and I understand it a whole lot better then the former, but that's just the way it is. Good luck with that;)

Last edited by qinohe (2020-01-12 15:34:48)

Offline

Board footer

Powered by FluxBB