I'm trying to figure out how to configure my UFW, and I'm just not sure where to start. What can I do to see the internet traffic from individual apps so I can know what I might want to block? This is just my personal computer and I'm a total newbie to configuring firewalls so I'm just not sure how to go about it. Most online guides seem to assume one already knows what they want to block but I don't even know how/where to monitor local traffic to figure out what I can/should consider blocking.
You shouldn't be touching it, honestly. There's a firewall at your router. It should be responsible for blocking incoming traffic. Firewalls on individual machines are for servers where you know exactly what's going in and out. I don't have a firewall on my desktop or laptop.
You will spend the best years of your life chasing random network connections if you block everything by default.
You don't need a firewall on a typical desktop computer. You only need them on routers and servers.
That is because your personal computer is not actually on the internet. It is on a local network (LAN) and it talks only to your router. The router is the computer connected to the internet, and it has a firewall.
The question highlights a classic knowledge gap about networking that IMO should be better addressed. I was like OP once, and panicking about it pointlessly.
Run sudo ss -tulpn, and have a look at the processes and their privileges listening for incoming connections. If one of them has a vulnerability, through which a third party can make that software do things it was not intended for... that's pretty bad.
This can most easily happen with software whose developers are under-resourced/careless/stubborn.
Who speaks about localhost? Out of 21 active ports on my machine, only 3 are listening only on localhost.
dhclient, avahi-daemon, syncthing, kdeconnect... cups-browsed did not listen only on localhost either.
I understand your point but I reiterate that I don't connect to unsafe networks. If someone has remote code execution on a device on my side of the network then they are also inside my apartment and I'd be more worried about that.
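Added example, not part of the thread: a filter for the `sudo ss -tulpn` output suggested above that keeps only the sockets bound to something other than loopback, which is the set a host firewall rule would actually affect. The function names and the sample lines are constructed for illustration, and the parsing assumes the seven-column layout that `ss -tulpn` prints.

```shell
#!/bin/sh
# Added example: list sockets from `ss -tulpn` output that are NOT bound to loopback.

# Constructed sample in the column layout `ss -tulpn` prints (not real data).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=812,fd=12))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=700,fd=13))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
tcp   LISTEN 0      4096   *:22000            *:*               users:(("syncthing",pid=1500,fd=20))
tcp   LISTEN 0      128    [::1]:631          [::]:*            users:(("cupsd",pid=900,fd=6))
tcp   LISTEN 0      50     [::]:1716          [::]:*            users:(("kdeconnectd",pid=1600,fd=15))
EOF
}

# Reads `ss -tulpn` output on stdin, prints "proto address port process"
# for every socket whose local address is not a loopback address.
exposed_listeners() {
    awk '
    $1 == "Netid" { next }                      # skip the header row
    NF >= 5 {
        ep = $5                                 # Local Address:Port column
        n = split(ep, parts, ":")
        port = parts[n]                         # port follows the last colon
        addr = substr(ep, 1, length(ep) - length(port) - 1)
        gsub(/\[/, "", addr); gsub(/\]/, "", addr)   # [::1] -> ::1
        sub(/%.*/, "", addr)                    # 127.0.0.53%lo -> 127.0.0.53
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
        proc = "unknown"                        # process column is empty without root
        if (match($0, /\(\("[^"]+"/))
            proc = substr($0, RSTART + 3, RLENGTH - 4)
        print $1, addr, port, proc
    }'
}

# Demo on the constructed sample.
# Real use: sudo ss -tulpn | exposed_listeners
sample_ss_output | exposed_listeners
```

Addresses shown as `0.0.0.0`, `*` or `::` accept connections on every interface; whether anything beyond the LAN can reach them still depends on the router.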