
#1 2023-07-31 22:42:41

nadichamp
Member
Registered: 2023-07-14
Posts: 9

I need help configuring a firewall.

I recently set up an Arch system for my home computer and need help setting up a firewall (I am new to networking, so any guidance is much appreciated). What I need it to do is: block .zip and other malicious domains and help protect me from exposing my system to attacks.


#2 2023-08-01 02:02:03

mpan
Member
Registered: 2012-08-01
Posts: 1,221

Re: I need help configuring a firewall.

For a firewall, you may look at ufw.

The other part of the question, about domains, makes no sense. .zip is not a malicious TLD and there is no such thing as one. You might have fallen victim to some misinformation or ignorant/extreme opinion. Which I mention, because 3/4 of security is understanding the threats.


Sometimes I seem a bit harsh — don’t get offended too easily!


#3 2023-08-01 03:18:07

nadichamp
Member
Registered: 2023-07-14
Posts: 9

Re: I need help configuring a firewall.

mpan wrote:

The other part of the question, about domains, makes no sense. .zip is not a malicious TLD and there is no such thing as one. You might have fallen victim to some misinformation or ignorant/extreme opinion. Which I mention, because 3/4 of security is understanding the threats.

.zip may not be a malicious TLD; however, most of the websites that use it are (and I am prone to not fully examining a URL when clicking a link (yeah, I know, not good practice)), and I can always make an exception to that rule if needed.


#4 2023-08-01 07:44:56

mpan
Member
Registered: 2012-08-01
Posts: 1,221

Re: I need help configuring a firewall.

A concern is being expressed regarding the .zip and .mov TLDs being used in a kind of attack which would allow adversaries to gain links in content not under their control.⁽¹⁾ This is a vulnerability in software. One that requires a preexisting condition⁽²⁾ to even happen and must be introduced into the software by its developers.⁽³⁾ This is a warning about adding such a vulnerability to one’s programs.

It does not indicate the TLDs are in any way malicious or high risk. If you click a malicious link, the domain it leads to is unimportant. Whether it’s .zip, .info or .com does not change a thing. The concern is about developers inadvertently introducing a feature/bug into their software which would allow adversaries to inject links.

The issue is not new either: it’s 22 years old and was first observed with the .museum and .info TLDs. With .zip and .mov it just has the potential to happen at a much greater scale,⁽⁴⁾ because of how frequently the attackable character sequences occur in content. It also receives much more coverage due to how reporting on vulnerabilities has changed in the past two decades.

There is potential for large-scale attacks if developers ignore the risk and introduce the vulnerability into their software. Because of that, from a public security point of view it may be desirable to temporarily introduce warnings if it is detected that a person follows a link to a domain under .mov or .zip. But that only comes as a safety net, after they already use much more important features (like the browser’s built-in malware protection). And it must be deployed carefully, for the same reason it is harmful if people start arbitrarily blocking some TLDs on their machines due to some weird, contorted, exaggerated perception of the situation: that hurts a perfectly normal technology and the people who use it.

____
⁽¹⁾ Including preexisting content, if its presentation is being regenerated, e.g. on fora.
⁽²⁾ Which I see as a bug, but some software vendors consider it a feature.
⁽³⁾ In some cases it may be introduced by not monitoring the supply chain, if the developers of upstream dependencies create that vulnerability.
⁽⁴⁾ And let me underline that: the scale is much, much larger.

Last edited by mpan (2023-08-01 07:48:23)



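The developer-side bug described in the post above, shown as an added example (not code from the thread, nor from any forum software or browser it mentions): a forum-style auto-linker that turns any bare "word.tld" into an anchor, beside a hardened variant that only links text the author wrote with an explicit scheme. The TLD list, the sample messages and all function names are constructed for illustration.

```javascript
// Added example: a bare-hostname auto-linker (vulnerable) and an explicit-scheme
// auto-linker (hardened). TLD list and sample messages are constructed.

const KNOWN_TLDS = ['com', 'org', 'net', 'info', 'museum', 'zip', 'mov'];

// Escape text before it is placed into HTML body or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Shared driver: every regex match becomes an <a>, everything else is escaped.
// `re` must carry the g flag (required by matchAll); `toHref` builds the href.
function linkify(text, re, toHref) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(re)) {
    out += escapeHtml(text.slice(last, m.index));
    const label = escapeHtml(m[0]);
    out += `<a href="${escapeHtml(toHref(m[0]))}">${label}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Vulnerable: any dotted name whose last label is a known TLD becomes a link,
// no scheme required. Once .zip and .mov are real TLDs, a plain filename such
// as setup.zip silently turns into a link to http://setup.zip, a host the
// author never mentioned and which anyone may register.
const BARE_HOST_RE = new RegExp(
  `(?<![\\w./-])(?:[a-z0-9-]+\\.)+(?:${KNOWN_TLDS.join('|')})(?![\\w.-])`, 'gi');

function linkifyBare(text) {
  return linkify(text, BARE_HOST_RE, (host) => `http://${host}`);
}

// Hardened: only text written with an explicit http(s) scheme is linked, so a
// filename stays plain text. (Requiring a "www." prefix is the other common fix.)
const EXPLICIT_URL_RE = /https?:\/\/[^\s<>"']+/gi;

function linkifyExplicit(text) {
  return linkify(text, EXPLICIT_URL_RE, (url) => url);
}

// Number of anchors in rendered HTML, used to compare the two renderers.
function countLinks(html) {
  return (html.match(/<a /g) || []).length;
}

// Constructed sample messages, as a user might post them on a forum.
const MESSAGES = [
  'Grab the build and unpack setup.zip before running it.',
  'The release notes are at https://example.com/notes',
];

for (const msg of MESSAGES) {
  console.log('bare:     ', linkifyBare(msg));
  console.log('explicit: ', linkifyExplicit(msg));
}
```

The first message contains no URL at all, yet `linkifyBare` renders it with a clickable `http://setup.zip`; `linkifyExplicit` leaves it untouched and still links the genuine URL in the second message. Escaping happens on the pieces around each match rather than on the whole string up front, so the escaping cannot mangle the URL being matched.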

#5 2023-08-01 09:56:05

Koatao
Member
Registered: 2018-08-30
Posts: 96

Re: I need help configuring a firewall.

Hello,

Even though I agree with @mpan that blocking some TLDs will not result in a significant increase in your endpoint's security, I don't see why @nadichamp cannot do it. After all, the endpoint is his/hers, as is the network. @nadichamp can do whatever she/he wants on it, including blocking random domains or IPs without any reason.

I would emphasize that blocking domains never really did the trick. And you cannot rely only on listing everything that is bad for blocking. It requires at least a daily commitment to cyber threat intelligence (CTI) feeds to do so. A lot of effort for minimal impact. Most of those that do it rely on automated tasks that read CTI feeds and block newly found threats accordingly.

As for the topic's main question, which is how to do that with Netfilter (which ufw is a front-end of)? Well, the short answer is: you cannot.

The best way to block a domain is to use a web proxy (https://wiki.archlinux.org/title/Security#Proxies).
A popular free web proxy for such application is squid (https://wiki.archlinux.org/title/Squid).

Last edited by Koatao (2023-08-01 11:25:22)


#6 2023-08-01 10:30:31

mpan
Member
Registered: 2012-08-01
Posts: 1,221

Re: I need help configuring a firewall.

Koatao wrote:

I don't see why @nadichamp cannot do it. After all, the endpoint is his/hers, as is the network. @nadichamp can do whatever she/he wants on it, including blocking random domains or IPs without any reason.

mpan wrote:

(…) that hurts a perfectly normal technology and people, who use it.

Note that this does not apply to blocking specific domains based on lists of recognized threats. And that is likely already built into the browser,⁽¹⁾ so there is no need for proxies.⁽²⁾ Alternatively, DNS sinkholes perform the equivalent function (e.g. Pi-hole) if fed the relevant blocklists. But in this scenario you must configure your browser properly to ensure it uses the sinkholing resolver: currently many browsers use their own resolution, often DoH, not the system one.

This is different from blanket blocking of entire categories, which was the subject of my comment. In this case actual threats are being targeted.

____
⁽¹⁾ You may need to check in preferences whether it’s enabled.
⁽²⁾ A proxy may be a better option regarding privacy (Safe Browsing requires interaction with Alphabet), but in this case the next option, DNS sinkholing, is worth considering first.

Last edited by mpan (2023-08-01 10:51:04)



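How a DNS sinkhole of the kind mentioned in the post above decides what to answer, as an added example (not from the thread, and not Pi-hole's own code): a queried name is checked against the blocklist and allowlist together with each of its parent domains, most specific first, so a narrower allow entry overrides a broader block entry, which is the "exception to the rule" asked for earlier in the thread. The lists, domain names, sample queries and function names are constructed for illustration.

```javascript
// Added example: decision logic of a DNS sinkhole, run over constructed lists.
// Real deployments fill these lists from threat-intelligence feeds.
const BLOCKLIST = new Set(['malware-cdn.example', 'tracker.example.net']);
const ALLOWLIST = new Set(['static.malware-cdn.example']);

// Canonical form: lowercase, surrounding whitespace and trailing dot removed,
// so 'STATIC.malware-cdn.example.' matches the allowlist entry.
function normalize(name) {
  return name.trim().toLowerCase().replace(/\.+$/, '');
}

// The name and each of its parent domains, most specific first:
// 'a.b.example' -> ['a.b.example', 'b.example', 'example']
function ancestors(name) {
  const labels = normalize(name).split('.');
  return labels.map((_, i) => labels.slice(i).join('.'));
}

// Walk outward from the most specific name. At each level the allowlist is
// consulted before the blocklist, so an allow entry for a subdomain wins over
// a block entry on its parent; a block entry on a parent still covers every
// other subdomain beneath it.
function policy(qname, blocklist = BLOCKLIST, allowlist = ALLOWLIST) {
  for (const candidate of ancestors(qname)) {
    if (allowlist.has(candidate)) return { action: 'forward', matched: candidate };
    if (blocklist.has(candidate)) return { action: 'sinkhole', matched: candidate };
  }
  return { action: 'forward', matched: null };
}

// The A-record answer the resolver hands back: 0.0.0.0 for a sinkholed name
// (Pi-hole's default "null" blocking mode), or null meaning "forward the query
// upstream and return whatever the upstream resolver says".
function answerA(qname) {
  return policy(qname).action === 'sinkhole' ? '0.0.0.0' : null;
}

// Constructed sample queries, as they might appear in a resolver's query log.
const SAMPLE_QUERIES = [
  'cdn.malware-cdn.example',
  'STATIC.malware-cdn.example.',
  'tracker.example.net',
  'www.example.net',
  'example',
];

for (const q of SAMPLE_QUERIES) {
  console.log(q.padEnd(28), '->', policy(q).action, '(', answerA(q), ')');
}
```

The caveat from the post applies unchanged: this logic only runs for queries that reach the sinkhole. A browser that resolves names itself over DoH never asks the system resolver, so the browser has to be pointed at the sinkholing resolver (or have its built-in DoH disabled) for any of this to take effect.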

#7 2023-08-01 16:36:21

nadichamp
Member
Registered: 2023-07-14
Posts: 9

Re: I need help configuring a firewall.

Thank you, everybody, for replying to this post and correcting my ignorance about .zip domains and what I should do instead; it really helps.

