EXPLODING FIREWALLS

Protect yourself from whatever is the packet-based equivalent of fire with Jonni Bidwell’s firewall primer.

50 LXF260 March 2020 http://www.linuxformat.com

The phrase “Linux doesn’t need a firewall” is commonly voiced. And it’s true, in the sense that your desktop distribution will work just fine without one. The same is true for Windows, up to a point, yet it still ships with one enabled by default. And any hardened user of the Redmond-ian OS would frown at you if you turned it off without good reason. Why? Because it takes away a layer of security that probably wasn’t doing any harm in the first place.

The main difference, and the reason Linux users get away with no firewall, is that a standard desktop install isn’t running many services. So even if someone you didn’t trust could reach your machine, there are few or no listening ports to connect to. On Windows, a standard install will have at least file and printer-sharing (SMB, NetBIOS) services listening, and probably much more. There’s nothing inherently wrong with this – those services are firewalled after all – and even if they weren’t, many of them (by default) only listen on the LAN, or even on the local loopback address. However, if something went wrong and for some reason the file-sharing service started listening on the 0.0.0.0 (all interfaces) address, or its IPv6 equivalent ::, then without a firewall we’d be living dangerously. Not only could attackers see our shares, but they could leverage an exploit against the service itself.

Here we’ll discuss the ins and outs of filtering packets with iptables, nftables and the simpler ufw. We’ll dispel myths about the protections offered by home routers, and we’ll show you how to set up a simple firewall that doesn’t get in your way, doesn’t require any command-line jargon and will make your Linux install just that little bit safer.
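A quick way to check the claim above on your own machine, as an added example that is not part of the original article: the shell function below reads the output of `ss -tlnH` (listening TCP sockets, numeric addresses, no header line) and prints only the sockets bound to every interface, ignoring the loopback-only ones that a firewall doesn’t need to worry about. The `ss` output embedded in it is a constructed sample, not captured from a real system; pass `--live` to run it against your own machine.

```shell
#!/bin/sh
# Added example, not from the article: list listening TCP sockets that are bound
# to all interfaces (0.0.0.0 or [::]) rather than to loopback or a single address.

# Constructed sample of `ss -tlnH` output, one socket per line:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT='LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 511 [::]:80 [::]:*'

# wildcard_listeners: read `ss -tlnH` lines on stdin; print "address port" for
# every socket whose local address is the IPv4 or IPv6 wildcard.
wildcard_listeners() {
    awk '{
        n = split($4, parts, ":")              # port is the text after the last ":"
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        sub(/%.*/, "", addr)                    # drop an interface scope such as %lo
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print addr, port
    }'
}

# count_wildcard_listeners: how many wildcard-bound sockets the input contains.
count_wildcard_listeners() {
    wildcard_listeners | wc -l | tr -d ' '
}

# With --live, inspect the running system (needs iproute2's ss); otherwise
# demonstrate on the constructed sample above.
if [ "${1:-}" = "--live" ]; then
    ss -tlnH | wildcard_listeners
else
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | wildcard_listeners
fi
```

On the sample input only the SMB port (445 on 0.0.0.0) and the web server ([::] on 80) are reported; CUPS on 127.0.0.1 and the systemd-resolved stub on 127.0.0.53 are loopback-only and stay silent. Anything this prints on a live desktop is reachable by whoever can route packets to you, which is exactly the situation a host firewall exists to cover.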