
#1 2025-08-21 09:46:34

DotaLuna
Member
Registered: 2025-02-20
Posts: 5

Is a firewall necessary?

I don't have one installed at the moment, and I don't know whether it's necessary or not.


#2 2025-08-21 09:53:53

mithrial
Member
Registered: 2017-03-05
Posts: 149

Re: Is a firewall necessary?

Do you plan on opening any ports in your router? Which services are you running which should be protected by closing down ports?
What is your attack scenario?


#3 2025-08-21 09:59:59

DotaLuna
Member
Registered: 2025-02-20
Posts: 5

Re: Is a firewall necessary?

mithrial wrote:

Do you plan on opening any ports in your router? Which services are you running which should be protected by closing down ports?
What is your attack scenario?

I think firewalls are configured on routers now. But the problem is I'm not sure I want to still use it on Arch Linux.


#4 2025-08-21 10:07:18

mpan
Member
Registered: 2012-08-01
Posts: 1,593

Re: Is a firewall necessary?

Welcome to the forum, DotaLuna.

You can’t have it “not installed.” In Linux the firewall is built in. It can’t even be disabled, much less uninstalled. At most it may be configured to allow all traffic, which is the default on Arch.


Paperclips in avatars? | Sometimes I seem a bit harsh — don’t get offended too easily!


#5 2025-08-21 10:08:54

DotaLuna
Member
Registered: 2025-02-20
Posts: 5

Re: Is a firewall necessary?

mpan wrote:

Welcome to the forum, DotaLuna.

You can’t have it “not installed.” In Linux the firewall is built in. It can’t even be disabled, much less uninstalled. At most it may be configured to allow all traffic, which is the default on Arch.

I got it. Thanks for the answer.


#6 2025-08-21 10:41:02

sekret
Member
Registered: 2013-07-22
Posts: 307

Re: Is a firewall necessary?

I'd say configuring a simple stateful firewall doesn't hurt but could give you some security benefits. Not necessary, but not bad either.


#7 2025-08-21 12:34:28

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,176

Re: Is a firewall necessary?

I think firewalls are configured on routers now. But the problem is I'm not sure

Take your WAN IP from e.g. https://www.whatismyip.com/ to e.g. https://pentest-tools.com/network-vulne … nline-nmap and run a portscan on your own system from the outside.


#8 2025-08-21 13:11:40

DotaLuna
Member
Registered: 2025-02-20
Posts: 5

Re: Is a firewall necessary?

seth wrote:

I think firewalls are configured on routers now. But the problem is I'm not sure

Take your WAN IP from e.g. https://www.whatismyip.com/ to e.g. https://pentest-tools.com/network-vulnera … nline-nmap and run a portscan on your own system from the outside.

TCP

Ports: Top 100 ports
Detect OS: True
Detect service version: True

UDP: No Results

It's stuck at 45%.


#9 2025-08-21 13:17:04

DotaLuna
Member
Registered: 2025-02-20
Posts: 5

Re: Is a firewall necessary?

seth wrote:

I think firewalls are configured on routers now. But the problem is I'm not sure

Take your WAN IP from e.g. https://www.whatismyip.com/ to e.g. https://pentest-tools.com/network-vulne … nline-nmap and run a portscan on your own system from the outside.

Ports: Top 100 ports
Detect OS: False
Detect service version: True
Protocol: UDP


#10 2025-08-21 14:04:58

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,176

Re: Is a firewall necessary?

Just run the common ports (actually you only need to test the ones you're listening on, "ss -tuln") and skip OS and service version detection; you don't care about any of that.


#11 2025-08-21 19:28:41

Succulent of your garden
Member
From: Majestic kingdom of pot plants
Registered: 2024-02-29
Posts: 1,566

Re: Is a firewall necessary?

Can I ask why, in the case of Arch, iptables seems to be integrated in the kernel, and why you can enable iptables.service by default using just the default installation? Other distros seem to have the iptables package for kernel usage, and the iptables-service package which installs some dependencies to use iptables as a service. Why is that not the case in Arch? Is iptables as a service just kernel iptables running with a system service file on it?

Last edited by Succulent of your garden (2025-08-21 19:29:44)


str( @soyg ) == str( @potplant ) btw!

Also now with avatar logo included!


#12 2025-08-21 20:17:23

mpan
Member
Registered: 2012-08-01
Posts: 1,593
Website

Re: Is a firewall necessary?

Succulent of your garden:
Iptables is not integrated into anything. Iptables is a set of user-space programs to control netfilter, which itself is an integral part of the kernel. In all distros, not only Arch.

File “iptables.service” is a part of iptables and iptables-nft packages. Neither of which is required by Arch directly, but transitively through iproute2 needing the xtables library.

DotaLuna:
As with all security: the threat model defines the measures needed. You didn’t define any.

You did mention, however, the router and did it in a manner suggesting a belief that the router provides protection. Routers are not security features unless intentionally configured as firewalls. Consumer-grade, ISP-supplied routers and routers merely implementing NAT in particular are never considered as such. Even if they do limit unwanted traffic.

So, if you ask about that, you probably want to set all incoming traffic to REJECT and only open ports you actually wish to use. Simple tools like ufw allow doing this easily, without having to deal with all the nftables (or iptables) details.

Testing with nmap from the outside gives asymmetrical results. If it reports unwanted open ports, you know they're open. But the opposite, not reporting anything, is less meaningful. It can't detect any future program that opens a port, any future bug, any future change in the router's configuration, it will not attempt (or succeed) in traversing NATs, and will not attempt to perform any actual attacks.


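The "ss -tuln" check seth suggests and mpan's advice to reject all incoming traffic and open only the ports you actually use, combined into one script. This is an added example, not code from the thread: the ss output is constructed, the allow-list format "proto/port" and the function names are my own, and the emitted nftables ruleset is only printed, not loaded.

```shell
#!/bin/sh
# Constructed sample of `ss -tuln` output (not captured from a real host).
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      4096            [::]:22            [::]:*'

# Print "proto/port" for every socket bound to a non-loopback address,
# i.e. what is reachable from the network if nothing filters it.
exposed_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next
        print $1 "/" port }' | sort -u
}

# Listeners that are exposed now but missing from the allow-list: these
# are exactly what the ruleset below will start rejecting.
not_allowed() {
    ss_out=$1; shift
    for p in $(exposed_ports "$ss_out"); do
        case " $* " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Emit a stateful inet ruleset: loopback and established traffic accepted,
# then only the allow-listed ports, everything else rejected (policy drop
# as a safety net if the reject rule is ever removed).
nft_ruleset() {
    cat <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    icmp type echo-request accept
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept
EOF
    for p in "$@"; do
        printf '    %s dport %s accept\n' "${p%/*}" "${p#*/}"
    done
    printf '    reject with icmpx type port-unreachable\n  }\n}\n'
}

nft_ruleset tcp/22                  # ruleset that only admits SSH
not_allowed "$SS_SAMPLE" tcp/22     # prints udp/5353: mDNS would be blocked
```

Check the generated file with `nft -c -f` before loading it; on Arch, saving it as /etc/nftables.conf and enabling nftables.service is what re-applies the rules on every boot.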

#13 2025-08-22 00:25:22

Succulent of your garden
Member
From: Majestic kingdom of pot plants
Registered: 2024-02-29
Posts: 1,566

Re: Is a firewall necessary?

Thanks so much, mpan, for the answer. I get it now. But does that mean that if I don't use iptables as a service, the rules defined will be deleted on every boot? So for persistent rules on each boot the service is needed, or at least that is what I know. Am I seeing that right?

Also, I have a question about nmap scanning my ISP router. I was thinking about that many years ago, but I always believed that somehow it could be seen as trying to hack the ISP. Where I live, back in the day, hacking was only illegal when someone entered a network unauthorized and did something malicious, so you could nmap your router to see any open ports. But nowadays it is in some way mandatory to ask permission for any kind of pen testing, no matter whether you do anything malicious. But now I just saw seth say "hey, just nmap your router" like it's nothing. Not sure if you are from Europe, mpan, but probably Europe, the USA and Asia have stricter policies than where I live. So I'm curious about this, since some pages like cloud providers say: hey, you can nmap whatever you want. It's very blurry to me where the point of illegality is in this matter, which is scanning ports.

I know that you are not lawyers, but I also want info about this issue from your own perspective. I will do more research here where I live until I have some valid legal answers; if I can do something like checking the ports of my router, that would be nice, because my IT brain and heart want to do that checking to secure my home more.

Last edited by Succulent of your garden (2025-08-22 00:28:08)



#14 2025-08-22 02:04:14

mpan
Member
Registered: 2012-08-01
Posts: 1,593
Website

Re: Is a firewall necessary?

Succulent of your garden wrote:

Thanks so much, mpan, for the answer. I get it now. But does that mean that if I don't use iptables as a service, the rules defined will be deleted on every boot? So for persistent rules on each boot the service is needed, or at least that is what I know. Am I seeing that right?

Not necessarily the iptables.service or a systemd service. But something has to add them. It may be iptables.service, but for example may be “/usr/lib/ufw/ufw-init” called from “ufw.service”.

Succulent of your garden wrote:

Also, I have a question about nmap scanning my ISP router. I was thinking about that many years ago, but I always believed that somehow it could be seen as trying to hack the ISP. Where I live, back in the day, hacking was only illegal when someone entered a network unauthorized and did something malicious, so you could nmap your router to see any open ports. But nowadays it is in some way mandatory to ask permission for any kind of pen testing, no matter whether you do anything malicious. But now I just saw seth say "hey, just nmap your router" like it's nothing. Not sure if you are from Europe, mpan, but probably Europe, the USA and Asia have stricter policies than where I live. So I'm curious about this, since some pages like cloud providers say: hey, you can nmap whatever you want. It's very blurry to me where the point of illegality is in this matter, which is scanning ports. (…)

I can’t give any legal opinion on that, but I have never heard of anybody ever being charged or sued for scanning an address they themselves use. From a technical standpoint, ISPs rarely have any means deployed for collecting information on port scanning. It’s also universally seen as impractical to investigate or report such activity.

A good dozen companies port-scan the entire internet all the time and offer that information to their customers (Shodan, to give a famous example). Perhaps hundreds do other tests that could trigger oversensitive admins. seth proposed using a 3rd-party service, which was doing this on DotaLuna’s behalf. While the service disclaims any responsibility and passes it onto the user, just imagine what level of insanity an ISP would show going after them.

I mentioned “oversensitive admins.” Port scanning itself is not an attack. Of course, we have had cases of attempts to portray it as such, the same way people sued a car manufacturer for not writing in the camper van manual that the driver should not leave the cabin while driving. But this is not a view you’d find among anybody having the slightest idea about computer security.

If anything, the host performing scans may get itself on blocklists. Which I personally believe is also an overreaction and one that is harmful.



#15 2025-08-22 07:35:44

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,176

Re: Is a firewall necessary?

Legal concerns aside (politicians come up with the dumbest ideas, and I'm pretty sure the legal perspective during the late 200x, early 201x was that merely possessing nmap was a criminal offense here around), scanning your own gateway even by its WAN IP might cause false positives because of https://en.wikipedia.org/wiki/Network_a … airpinning


#16 2025-08-22 08:37:05

mpan
Member
Registered: 2012-08-01
Posts: 1,593
Website

Re: Is a firewall necessary?

The status of possession of nmap is clear at least in EU member states. See Article 7 of Directive 2013/40 together with recitals 16 and 17.

Trivia: in Poland this had a quite ridiculous turn, because Sejm implemented the directive without the “intention” condition. Which meant that:

  • Pentesters were automatically committing a crime for merely being pentesters.

  • In a broader sense, the overly inclusive definition of “tools” meant that anybody could be sentenced even for possessing Firefox or running ping.

Petitions to fix that have been blatantly ignored multiple times. Around 250 people were sentenced based on that law by 2017, when Senate picked up the issue and pushed the correction through.

But instead of copying the regulation’s wording, they wrote it their own way. Apparently not really understanding too much of it, they overdid it in the other direction. It has not been tested in court so far, but now the exclusion article is overly broad. In the widest interpretation, it implies it’s legal to attack any system, as long as you claim you did it to secure it, then inform the target afterwards, and you don’t cause any damage. It’s going to be an interesting show to watch, what happens the first time somebody uses that line of defense.

Last edited by mpan (2025-08-22 08:39:05)



#17 2025-08-22 13:09:26

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,176


#18 2025-08-22 13:42:09

Succulent of your garden
Member
From: Majestic kingdom of pot plants
Registered: 2024-02-29
Posts: 1,566

Re: Is a firewall necessary?

So, if I'm not misunderstanding the EU directive sent by mpan: does that mean that you are living with free nmap usage, and maybe I'm starting to live the seth + mpan life of 2010? lol

Viewing the articles, it says in some way that if you access the system or change some data you are committing a crime. But since nmap is just checking ports, I'm assuming that nmap is not that case, right? So in Europe you can nmap whatever you want in practice?

Last edited by Succulent of your garden (2025-08-22 13:42:45)



#19 2025-08-22 14:06:36

mpan
Member
Registered: 2012-08-01
Posts: 1,593
Website

Re: Is a firewall necessary?

seth:
If I understand correctly, “vorbereitet” limits the scope and that interpretation is confirmed by cases being dropped where no criminal intention has been found. Whereas in the Polish version before amendments, a mere possession of nmap, writing a security PoC, or obtaining a passwords dictionary was unconditionally a crime, and there was a huge risk of almost anything computer-related being a crime.

Art. 269b.
§1. Whoever produces, obtains, sells or makes available to other persons devices or computer programs adapted to committing the offence specified in art. 165 §1 pt. 4, art. 267 §3, art. 268a §1 or §2 in connection with §1, art. 269 §2 or art. 269a, as well as computer passwords, access codes or other data enabling access to information stored in a computer system or ICT network, is subject to imprisonment for up to 3 years.
§2. In the event of conviction for the offence specified in §1, the court shall order the forfeiture of the objects specified therein, and may order their forfeiture if they were not the property of the perpetrator.

A less obvious consequence of §2 was law enforcement having the right to eavesdrop on any person fitting §1 or anybody they may contact, where they did or could obtain high profit from that “crime.”⁽¹⁾ However, there are no cases known to me in which this did happen.

Succulent of your garden:
Yes, possession and use of nmap and similar tools is in itself legal in EU member states. Or should be.
____
⁽¹⁾ Art. 237. §3a KPK

Last edited by mpan (2025-08-22 14:21:26)



#20 2025-08-22 14:31:41

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,176

Re: Is a firewall necessary?

The language is as ambiguous as it gets:

produces, procures for himself or another, sells, supplies to another, distributes or otherwise makes accessible (“herstellt, sich oder einem anderen verschafft, verkauft, einem anderen überlässt, verbreitet oder sonst zugänglich macht”)

covers any kind of development or distribution, and "vorbereitet" means "prepares": you can prepare a meal w/o any intention to make or eat it.
Typically you'd find stuff like "Wer zum Zwecke einer Straftat nach…" ("Whoever, for the purpose of a criminal offence under…"), so there are actually established patterns in legal lingo, which is what made the entire situation so contentious.
Officials argued in either direction, hence the various legal cases to clarify the situation (w/ only the SC comment being a relevant verdict).

Most likely they just wanted a law they could throw around whenever they wanted, and in 2007-2009 it was really not clear whether you'd (theoretically; I don't think anyone expected practical enforcement against Joe Linuxuser) get in trouble for having nmap on your disk.


#21 2025-08-22 15:00:37

Succulent of your garden
Member
From: Majestic kingdom of pot plants
Registered: 2024-02-29
Posts: 1,566

Re: Is a firewall necessary?

mpan wrote:

Yes, possession and use of nmap and similar tools is in itself legal in EU member states. Or should be.

TY, glad to have asked the question. Many topics and things that I didn't know. :)

