Linux Format - UK (2020-03)

50 LXF260 March 2020 http://www.linuxformat.com

he phrase “Linux doesn’t need a

firewall” is commonly voiced.

And it’s true, in the sense that

your desktop distribution will

work just fine without one. The same is true

for Windows, up to a point, yet it still ships

with one enabled by default. And any

hardened user of the Redmond-ian OS

would frown at you if you turned it off

without good reason. Why? Because it takes

away a layer of security that probably

wasn’t doing any harm in the first place.

The main difference, and the reason Linux

users get away with no firewall, is that a

standard desktop install isn’t running many

services. So even if someone you didn’t trust

could contact your machine, there are no

listening ports to connect to. On Windows, a

standard install will have at least file and

printer-sharing (SMB, NetBIOS) services

listening, and probably much more. There’s

nothing inherently wrong with this – those

services are firewalled after all – but even if

they weren’t, many of them (by default) are

only listening on the LAN, or even the local

loopback address. However, if something

went wrong and for some reason the file-

sharing service started listening on the

0.0.0.0 (all interfaces) address, without a

firewall we’d be living dangerously. Not only

could attackers see our shares, but they

could leverage an exploit against the service.

Here we’ll discuss the ins and outs of

filtering packets with iptables, nftables and

the simpler ufw. We’ll dispel myths about the

protections offered by home routers, and

we’ll show you how to set up a simple firewall

that doesn’t get in your way, doesn’t require

any command-line jargon and will make your

Linux install just that little bit safer.

T

Protect yourself from whatever is the packet-based

equivalent of fire with Jonni Bidwell’s firewall primer.

EXPLODING

F IRE WA L L S

50 LXF260March 2020 5550March 213023

hephrase “Linux doesn’t need a

firewall” is commonly voiced.

And it’s true, in the sense that

your desktop distribution will

workjustfinewithout one. The same is true

for Windows, up to a point, yet it still ships

with one enabled by default. And any

hardened user of the Redmond-ian OS

would frown at you if you turned it off

without good reason. Why? Because it takes

awayalayerofsecuritythatprobably

wasn’tdoinganyharminthefirstplace.

Themaindifference,andthereasonLinux

usersgetawaywithnofirewall,isthata

standarddesktopinstallisn’trunningmany

services.Soevenifsomeoneyoudidn’ttrust

couldcontactyourmachine,thereareno

listeningportstoconnectto.OnWindows,a

standardinstallwillhaveatleastfileand

printer-sharing(SMB,NetBIOS)services

listening,andprobablymuchmore.There’s

nothinginherentlywrongwiththis–those

servicesarefirewalledafterall–butevenif

theyweren’t,manyofthem(bydefault)are

onlylisteningontheLAN,oreventhelocal

loopbackaddress.However,ifsomething

wentwrongandforsomereasonthefile-

sharingservicestartedlisteningonthe

0.0.0.0(allinterfaces)address,withouta

firewallwe’dbelivingdangerously.Notonly

couldattackersseeourshares,butthey

couldleverageanexploitagainsttheservice.

Herewe’lldiscusstheinsandoutsof

filteringpacketswithiptables,nftablesand

thesimplerufw.We’lldispelmythsaboutthe

protectionsofferedbyhomerouters,and

we’llshowyouhowtosetupasimplefirewall

thatdoesn’tgetinyourway,doesn’trequire

anycommand-linejargonandwillmakeyour

Linuxinstalljustthatlittlebitsafer.

T

Protectyourselffromwhateveristhe packet-based

equivalentoffirewithJonni Bidwell’sfirewallprimer.

EXPLODING

F IRE WA L L S