Author Topic: Firewall ! is there any need for one (Desktop @ Home)  (Read 18917 times)


Offline munda

  • Neuling
  • *
  • Posts: 43
  • Branch: Stable
  • Desktop: Openbox
  • GPU Card: ATI 3000
  • GPU driver: Free
  • Kernel: Latest
  • Skill: Novice
Firewall ! is there any need for one (Desktop @ Home)
« on: 13. September 2013, 15:21:51 »
Hi
I am just curious and would like to know whether there is a serious requirement for a firewall on desktops used for browsing/torrents/chat.
No Flash, no Java, everything up to date.
I have iptables set up (removed ufw) on my PC and am currently of two minds about whether to keep it or not.
Don't know why, but everyone knows GNU/Linux is way more secure than other OSes....

Offline yukon2508

  • Vollwertiges Mitglied
  • ***
  • Posts: 148
  • Branch: Arch
  • Desktop: openbox
  • GPU Card: nVidia
  • GPU driver: non-free
  • Kernel: newest
  • Skill: Intermediate
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #1 on: 13. September 2013, 17:39:21 »
Yep, for what, if you don't run a server? Paranoia, that's what we have today. If the NSA or somebody wants, they can read the spam in my email account, lol. Just kidding; for me it only makes things slow and I don't care. I have my important files on my USB disk and nothing in my browser cache or on my computer, it's just for surfing, and when I have to do things I turn the internet connection off.

Offline yukon2508

  • Vollwertiges Mitglied
  • ***
  • Posts: 148
  • Branch: Arch
  • Desktop: openbox
  • GPU Card: nVidia
  • GPU driver: non-free
  • Kernel: newest
  • Skill: Intermediate
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #2 on: 13. September 2013, 17:43:01 »
But before all the people start screaming: having a firewall is a good thing :-) I would recommend it.

Offline ruziel

  • Held Mitglied
  • *****
  • Posts: 2893
  • Those who know, laugh.
    • Coffee & Manjaro
  • Branch: Stable
  • Desktop: Xfce
  • Kernel: 4.4 / 4.9
  • Skill: Novice
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #3 on: 13. September 2013, 17:52:27 »
The home router will probably have a firewall. I think it's worth having one if you surf on a public network etc, but these days, Java probably presents far more of a security risk than not having a firewall  ;)
"There is no complete theory of anything." (Robert Anton Wilson)

Offline thundersqueak

  • Held Mitglied
  • *****
  • Posts: 1755
  • everyone dies
  • Branch: all of em
  • Desktop: gnome
  • GPU Card: nvidia 9300
  • GPU driver: non-free
  • Kernel: most,if not all
  • Skill: Novice
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #4 on: 13. September 2013, 17:54:57 »
@yukon not sure I agree.
I don't use or really need a firewall, haven't done for years since switching to Linux. What would I need one for? My ISP should and does run firewalls on its ADSL, so the big bad world has to try pretty hard to find/touch me. I have nothing of value on my machine, I don't give a hoot for conspiracy theories. Really, the NSA CAN read my mail, and if they want a copy of my hard drive I will send one; I don't live in/under an oppressive regime. If anyone can give some more reasons why I would need a firewall please let me know, I think this is a useful thread.
"Why is it that every grubby little government i pass has the impertinence to assume that i can spare the time and energy necessary for their destruction?"

Offline munda

  • Neuling
  • *
  • Posts: 43
  • Branch: Stable
  • Desktop: Openbox
  • GPU Card: ATI 3000
  • GPU driver: Free
  • Kernel: Latest
  • Skill: Novice
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #5 on: 14. September 2013, 03:38:16 »
@ thundersqueak
You said it right, mate....
but have a look at this link http://www.insanitybit.com/2013/04/10/router-security-linksys-vulns-exposed/   
this can be a concern regarding any ADSL modem.

Offline excalibur1234

  • Global Moderator
  • *****
  • Posts: 2508
  • Branch: unstable
  • Desktop: net-minimal + LXQt
  • GPU driver: video-nouveau
  • Kernel: 4.6
  • Skill: Intermediate
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #6 on: 14. September 2013, 04:13:35 »
I don't give a hoot for conspiracy theories. Really, the NSA CAN read my mail, and if they want a copy of my hard drive I will send one; I don't live in/under an oppressive regime.
Let's talk again in 20 years, when an ex-friend of yours has said something against the US government and was tortured in a "secret" prison in Egypt. Then you will be imprisoned for conspiracy and cannot prove your innocence...
No, seriously. With an attitude like yours, you give all power over you to "government/NSA officials", and you cannot foresee their intentions.

If you do not understand my argument, I wish you good luck for the rest of your life. You might need it.
« Last Edit: 14. September 2013, 04:16:08 by excalibur1234 »
Need more information? Search here:   Manjaro Forum   |   Manjaro Wiki   |   Arch Wiki

Offline handy

  • Global Moderator
  • *****
  • Posts: 5738
  • Desktop: Openbox 3.6.1-3 & Worker :)
  • GPU Card: intel...
  • GPU driver: open-source
  • Kernel: OpenBSD
  • Skill: Intermediate
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #7 on: 14. September 2013, 04:58:11 »
It is easy to set up gufw. If a firewall on my computer serves me just once in the rest of my computing life, then as far as I'm concerned it is worth running it.

I don't have a need to know that it has helped me, I do like having it there & knowing that it can.

When I was running IPCop, I would look at the logs occasionally, & it was amazing to see how many pings it had bounced. Admittedly, when running IPCop you have to run your ADSL Modem/router in bridge mode, so most (if not all) of those pings would have usually been stopped by the router's inbuilt firewall. Still, when you see the number of those knocking on random IP's looking for an unprotected one it is a real eye opener.

I like having a backup firewall that can give me another layer of protection against anything that does get around my router's firewall. I use my computer for internet banking & other things that would leave me vulnerable if a key logger or something of its ilk was installed on my machine.

As far as I'm concerned, that well worn attitude to computer security that goes something along the lines of:

I've got nothing to hide on my computer, or in my web surfing habits, so it's OK by me for anyone who wants to look; they can just get bored doing so. And the old: you conspiracy theorists are just being paranoid.

That attitude shows a blissful ignorance of what can be done these days with large databases showing the personal choices of whatever combination of chosen demographics, in whichever location(s), with sophisticated software. (I'm now incorporating browser security into this post.)

Marketroids of every type are using this kind of data to manipulate everyone they can in the various forms of media available to the world. Governments are obviously involved, as can be seen by the 100's of billions of dollars that get spent on it.

As an example, marketroids aim at children of all ages, via education systems & the media, to implant whatever is desired in that part of the world by those with the power to implement their desires. Be it the Roman Catholic (or other religion), Rupert Murdoch, Monsanto, Amatil or the governments of Country/State. Influencing the thought of others is a critical part of their existence.

Certain countries have national firewalls to prevent their populations from accessing ideas that are somehow counter to the dominant regime or religion. These people do not want the power & control that they have over the people's minds diluted by new ideas.

The newly elected right wing government in Oz, says it will implement national internet censorship here! Hopefully we can stop that.

Anyone who thinks that thought control does not exist in the West, needs to do some research.

I don't think it is too hard to take a few precautions in an effort to protect my privacy from a world with an ever growing number of those that would take unfair advantage of me & my personal data.

So, yes, call me paranoid if you like...  ::)
The ultimate tyranny in a society is not control
by martial law. It is control by the psychological
manipulation of consciousness, through which reality
is defined so that those who exist within do not even
realize that they are in prison.
  —  Barbara Marciniak

Offline rufus

  • Neuling
  • *
  • Posts: 10
  • Branch: stable
  • Desktop: KDE +
  • GPU Card: ATI
  • GPU driver: free
  • Kernel: x86_64 GNU/Linux
  • Skill: Advanced
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #8 on: 15. September 2013, 06:22:33 »
As was mentioned, firewalls are more of a must for servers. Most routers these days already give such protection out of the box, albeit minimal.
It really is easy to manage ufw, very. And Linux is a learning experience, so why not. The speed factor is minimal if not nil.

Offline frodouser

  • Neuling
  • *
  • Posts: 14
  • Branch: eqwh
  • Desktop: eqwh
  • GPU Card: eqwh
  • GPU driver: eqwh
  • Kernel: eqwh
  • Skill: Novice
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #9 on: 15. September 2013, 07:55:17 »
I always use this configuration on my desktop, laptop and one of my servers:
Make sure that you understand the basics of iptables and what port numbers mean.

Code:
#!/bin/bash
# Host firewall for a desktop/laptop: default-deny inbound, allow outbound,
# drop malformed/scan packets, log the rest.
# IPv4 only: ip6tables is not touched here, so IPv6 traffic is NOT filtered
# by this script. Add equivalent ip6tables rules if the host has IPv6.

# Must run as root to change netfilter rules and sysctls.
if [ "$(id -u)" -ne 0 ]; then
    echo "run this script as root" >&2
    exit 1
fi

NIC="eth0"   # adjust to your interface (see: ip link)

# Flush every table so the script is idempotent.
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X

# Connection tracking: ip_conntrack is the old module name, nf_conntrack the current one.
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack

# Loopback is always allowed.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Default policies: drop everything not explicitly accepted below.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

# New TCP connections must start with a SYN (rate-limited logging, then drop).
/sbin/iptables -A INPUT -i ${NIC} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn"
/sbin/iptables -A INPUT -i ${NIC} -p tcp ! --syn -m state --state NEW -j DROP
# Fragments (rarely seen once conntrack defragments; kept as a belt-and-braces rule).
/sbin/iptables -A INPUT -i ${NIC} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
/sbin/iptables -A INPUT -i ${NIC} -f -j DROP
# Bogus TCP flag combinations used by port scanners.
# --tcp-flags MASK COMP means: of the flags in MASK, exactly those in COMP must be set.
/sbin/iptables -A INPUT -i ${NIC} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A INPUT -i ${NIC} -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A INPUT -i ${NIC} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
/sbin/iptables -A INPUT -i ${NIC} -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A INPUT -i ${NIC} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN+FIN is not an XMAS packet (that is FIN+PSH+URG, dropped above); label fixed.
/sbin/iptables -A INPUT -i ${NIC} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "SYN-FIN Packets"
/sbin/iptables -A INPUT -i ${NIC} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A INPUT -i ${NIC} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
/sbin/iptables -A INPUT -i ${NIC} -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -A INPUT -i ${NIC} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Stateful core: replies to our own connections in, anything out.
# (Original hard-coded eth0 here; use ${NIC} so the interface is set in one place.)
/sbin/iptables -A INPUT -i ${NIC} -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -o ${NIC} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# No inbound SSH on the default port.
/sbin/iptables -A INPUT -p tcp --dport 22 -j REJECT
# Note: this OUTPUT rule is never reached, because the OUTPUT ACCEPT above
# already matches all outgoing packets on ${NIC}. Kept for completeness.
/sbin/iptables -A OUTPUT -p tcp --sport 22 -j REJECT
# Whenever you change the ssh port, uncomment the line below and change the port/address.
# iptables -I INPUT 4 -p tcp -d 192.168.10.30 --dport 3789 -j ACCEPT
# If you only need remote access from one IP address (say from work to your home server),
# limit access on port 3789 to that address, either on the router or here:
# iptables -A INPUT -p tcp -s 72.232.194.162 --dport 3789 -j ACCEPT

# ICMP echo: these rules accept it, but icmp_echo_ignore_all=1 below makes the
# kernel ignore echo requests anyway, so the host will not answer pings.
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# NetBIOS noise: reject explicitly so it does not clutter the catch-all log.
/sbin/iptables -A INPUT -p tcp -i ${NIC} --dport 137:139 -j REJECT
/sbin/iptables -A INPUT -p udp -i ${NIC} --dport 137:139 -j REJECT

# Catch-all: log (rate-limited, or a single port scan fills the log) then drop.
/sbin/iptables -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "INPUT drop"
/sbin/iptables -A FORWARD -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "FORWARD drop"
/sbin/iptables -A INPUT -j DROP

# Kernel network hardening. These /proc writes do not survive a reboot; put
# them in /etc/sysctl.d/ for persistence.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# The original set ip_forward=1. A desktop does not route and FORWARD is DROP
# anyway, so forwarding is left disabled here.
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 64000 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 48000 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 10 > /proc/sys/net/ipv4/ipfrag_time
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/${NIC}/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/${NIC}/accept_redirects
echo 1 > /proc/sys/net/ipv4/conf/${NIC}/log_martians
echo 10 > /proc/sys/net/ipv4/neigh/${NIC}/locktime
echo 0 > /proc/sys/net/ipv4/conf/${NIC}/proxy_arp
echo 50 > /proc/sys/net/ipv4/neigh/${NIC}/gc_stale_time
echo 0 > /proc/sys/net/ipv4/conf/${NIC}/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/${NIC}/secure_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 5 > /proc/sys/net/ipv4/igmp_max_memberships
echo 2 > /proc/sys/net/ipv4/igmp_max_msf
echo 1024 > /proc/sys/net/ipv4/tcp_max_orphans
echo 2 > /proc/sys/net/ipv4/tcp_syn_retries
echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/route/redirect_number
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/${NIC}/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
# Disabling window scaling and SACK costs throughput on fast links; remove
# these two lines if downloads become slow.
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_wmem
echo 1 > /proc/sys/net/ipv4/tcp_ecn
echo "30000 60000" > /proc/sys/net/ipv4/ip_local_port_range

# Persisting the rules is distro-specific: "service iptables save" exists with
# RHEL-style init scripts; Arch/Manjaro's iptables.service loads
# /etc/iptables/iptables.rules instead. The rules are already live, so no
# restart is needed after saving.
if [ -x /etc/init.d/iptables ]; then
    service iptables save
else
    mkdir -p /etc/iptables
    /sbin/iptables-save > /etc/iptables/iptables.rules
fi
exit 0

Most script kiddies won't be able to bring down your computer or server with pings, because this configuration is not going to allow pings at a low level; also, as for nmap, your ports will be filtered.
« Last Edit: 15. September 2013, 07:57:33 by frodouser »
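The `--tcp-flags` rules in the script above are the part most people copy without knowing how the match works. As an added example (not code from frodouser's post), here is a small Python model of iptables' `--tcp-flags MASK COMP` semantics with the seven flag rules from the script transcribed into it, run against constructed packets: nmap's NULL, FIN and XMAS probes, a SYN+FIN probe, and ordinary SYN/data/close segments. The packets are made up for the demonstration; the rule list is taken from the script as posted.

```python
"""Model of iptables' --tcp-flags MASK COMP matching, applied to the
scan-filter rules in the posted iptables script.

Added example, not part of the original post. SCAN_RULES transcribes the
--tcp-flags rules from that script in the order they are appended; the
sample packets are constructed, not captured.
"""

# TCP flag bits as they appear in the TCP header (URG..FIN).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
# iptables' ALL keyword covers exactly these six flags (not ECE/CWR).
ALL = sum(FLAGS.values())


def flagbits(spec):
    """Turn 'SYN,FIN', 'ALL' or 'NONE' into a bitmask the way iptables parses it."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[f] for f in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp):
    """iptables semantics: of the bits in MASK, exactly those in COMP must be set."""
    return (packet_flags & flagbits(mask)) == flagbits(comp)


# (MASK, COMP, description): the script's --tcp-flags DROP rules, in order.
SCAN_RULES = [
    ("ALL", "FIN,URG,PSH", "FIN/URG/PSH only"),
    ("ALL", "ALL", "all flags set"),
    ("ALL", "NONE", "NULL scan"),
    ("SYN,RST", "SYN,RST", "SYN+RST"),
    ("SYN,FIN", "SYN,FIN", "SYN+FIN"),
    ("FIN,ACK", "FIN", "FIN without ACK (FIN scan)"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "SYN/RST/ACK/FIN/URG"),
]


def first_matching_rule(packet_flags):
    """Description of the first scan rule that would DROP the packet, or None."""
    for mask, comp, desc in SCAN_RULES:
        if tcp_flags_match(packet_flags, mask, comp):
            return desc
    return None


# Constructed sample packets: legitimate traffic plus common nmap probe shapes.
SAMPLE_PACKETS = {
    "normal SYN": flagbits("SYN"),
    "normal data": flagbits("PSH,ACK"),
    "normal close": flagbits("FIN,ACK"),
    "nmap -sN (NULL)": 0,
    "nmap -sF (FIN)": flagbits("FIN"),
    "nmap -sX (XMAS)": flagbits("FIN,PSH,URG"),
    "SYN+FIN probe": flagbits("SYN,FIN"),
    "everything set": ALL,
}


def classify_all():
    """Map each sample packet to the rule that drops it (None = passes the flag checks)."""
    return {name: first_matching_rule(bits) for name, bits in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:18s} -> {verdict or 'passes flag checks'}")
```

Two things the output makes visible. The XMAS probe is caught by the first rule, not by the rule the script originally labelled "XMAS Packets" (that one matches SYN+FIN). And a plain SYN, which is exactly what `nmap -sS` sends, passes every flag rule; what makes those ports show up as "filtered" is the default DROP policy and the catch-all drop at the end, not the flag filters. Most of the probe shapes are also already dropped by the earlier `! --syn -m state --state NEW` rule, since a FIN or NULL packet with no existing connection has conntrack state NEW; the flag rules are a second layer.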

Offline oriolfa

  • Vollwertiges Mitglied
  • ***
  • Posts: 131
  • Branch: testing
  • Desktop: Openbox
  • GPU Card: nVidia Radeon
  • Skill: Novice
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #10 on: 15. September 2013, 08:29:47 »
One of the things that I love about Linux is not having to worry about firewalls and antivirus. Maybe those who maintain a server or have other reasons need it, but not a normal user (at least I don't care about it).

If you want to test the security of your desktop, go to the Shields UP test at https://www.grc.com/x/ne.dll?rh1dkyd2. My Manjaro system out of the box has no security holes in the "All service ports" test. :)
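Shields UP can only report what is reachable from outside the router; the complementary local question is what is actually listening on the desktop, because those sockets are what a host firewall (or the router) would be guarding. As an added example, not from this thread, here is a Python script that decodes the `/proc/net/tcp` and `/proc/net/tcp6` listing format (hex addresses with each 32-bit word in host byte order, state code `0A` for LISTEN) and separates loopback-only listeners from ones bound to a real or wildcard address. The sample `/proc` contents are constructed for the demonstration (sshd on `*:22`, a torrent client on `*:6881`, a dev server on `[::]:3000`, a DNS cache on `127.0.0.1:53`); replace them with the real files for a live check.

```python
"""List listening TCP sockets from /proc/net/tcp and /proc/net/tcp6 and flag
the ones bound to non-loopback addresses, i.e. what a host firewall would
actually be protecting. Added example; the sample /proc contents below are
constructed, not taken from a real machine."""
import ipaddress

# Constructed sample: a desktop with sshd on *:22, a torrent client on *:6881,
# a local DNS cache on 127.0.0.1:53, and one outbound HTTPS connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:1AE1 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:8D5C 0100A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1 0000000000000000 20 4 30 10 -1
"""
# Constructed sample: sshd also on [::1]:22, and a dev server on [::]:3000.
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 55555 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000000000000:0BB8 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 66666 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp*


def decode_proc_addr(hex_addr):
    """Decode the kernel's hex address: each 32-bit word is stored in host
    (little-endian) byte order, so reverse the bytes of every 4-byte word."""
    raw = bytes.fromhex(hex_addr)
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return ipaddress.ip_address(packed)  # 4 bytes -> IPv4, 16 bytes -> IPv6


def parse_proc_net_tcp(text):
    """Yield (local_addr, local_port, state, uid) for each row of a /proc/net/tcp table."""
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        local_hex, port_hex = fields[1].split(":")
        yield decode_proc_addr(local_hex), int(port_hex, 16), fields[3], int(fields[7])


def listening_sockets(tcp_text=SAMPLE_PROC_NET_TCP, tcp6_text=SAMPLE_PROC_NET_TCP6):
    """All LISTEN sockets, each tagged with whether it is reachable from the network."""
    result = []
    for text in (tcp_text, tcp6_text):
        for addr, port, state, uid in parse_proc_net_tcp(text):
            if state != TCP_LISTEN:
                continue
            # 0.0.0.0 and :: bind every interface, so they count as exposed.
            exposed = not addr.is_loopback
            result.append({"addr": addr, "port": port, "uid": uid, "exposed": exposed})
    return sorted(result, key=lambda s: (s["port"], str(s["addr"])))


def exposed_sockets(**kwargs):
    """Only the listeners a firewall rule (or a bind to 127.0.0.1) would need to cover."""
    return [s for s in listening_sockets(**kwargs) if s["exposed"]]


if __name__ == "__main__":
    # Live check: listening_sockets(open("/proc/net/tcp").read(), open("/proc/net/tcp6").read())
    for s in listening_sockets():
        tag = "EXPOSED " if s["exposed"] else "loopback"
        print(f"{tag} {s['addr']}:{s['port']} (uid {s['uid']})")
```

The IPv6 table matters here: a service bound to `[::]` is reachable over IPv6 even when iptables (IPv4 only) is locked down, which is the same caveat that applies to the iptables script earlier in the thread. UDP listeners live in `/proc/net/udp` with a different state code and are not covered by this example; `ss -lntu` shows both for a quick manual look.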


Offline eskaini

  • Security Team
  • *****
  • Posts: 10842
  • I eat deleted accounts
  • Skill: Novice
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #11 on: 15. September 2013, 08:30:38 »
In today's world- is there anything as "too much" protection ?

Offline oriolfa

  • Vollwertiges Mitglied
  • ***
  • Posts: 131
  • Branch: testing
  • Desktop: Openbox
  • GPU Card: nVidia Radeon
  • Skill: Novice
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #12 on: 15. September 2013, 08:48:54 »
In today's world- is there anything as "too much" protection ?

Sure not. I've checked again at https://www.grc.com/x/ne.dll?rh1dkyd2 and there is another test to check your router (called the instant UPnP test). My router passes the test without revealing its existence, so now I'm thinking that my desktop passed the test thanks to the router.

Anyway, I'm sure that securing your system can lead you to paranoia. I prefer to put my efforts into securing my wifi network, to make it difficult for someone to get access to my network. I think that if a good hacker wants to get into my desktop there is not much I can do to avoid it, but I want to believe that they prefer to attack more important people or companies.

Lastly, IMHO Linux offers you more protection than Windows because it's difficult to attack the core of the system (sure, it's possible too), so less protection is needed.

If someone gives real reasons why a firewall is highly recommended on a Linux system, I'll be the first to set it up on my desktop.

Offline eskaini

  • Security Team
  • *****
  • Posts: 10842
  • I eat deleted accounts
  • Skill: Novice
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #13 on: 15. September 2013, 09:30:58 »
You have another line of defence should the firewall in your router fail. Your router's software is closed source. Do you know if the NSA planted some backdoors in it?

Offline frodouser

  • Neuling
  • *
  • Posts: 14
  • Branch: eqwh
  • Desktop: eqwh
  • GPU Card: eqwh
  • GPU driver: eqwh
  • Kernel: eqwh
  • Skill: Novice
Re: Firewall ! is there any need for one (Desktop @ Home)
« Reply #14 on: 15. September 2013, 10:08:28 »
You have another line of defence should the firewall in your router fail. Your router's software is closed source. Do you know if the NSA planted some backdoors in it?

This reminds me of the following information --> http://forums.cnet.com/7726-6132_102-5436975.html

An additional line of defense is always needed and it's not excessive. I was saying the same words as most of you; since Snowden spoke out about the NSA programs I closed every account that I had on those websites and deployed one server that filters my traffic (pfSense). The information and all of my family pictures are more important than every "virtual" friend that I had on those websites.