Is it worth to set up a firewall for PC?


Postby cooleo » 2020-04-09 02:24

It looks like most malware comes through the web sites we visited,
and hackers won't even bother to attack a PC.

And, is there any way to "block" the malware from web sites?
Last edited by cooleo on 2020-04-09 21:07, edited 3 times in total.
cooleo
 
Posts: 28
Joined: 2020-04-07 05:28

Re: Is it worth to set up a firewall for PC?

Postby pylkko » 2020-04-09 05:03

In my view, it really depends on how your computer is connected to the internet. If it is behind a router/modem/whatever that has a firewall, then it might be safe. But since many computers are laptops or other mobile devices that you may move to other networks, then it makes sense to have a firewall on the machine itself (in addition). Hackers do still attack personal machines when they can make money off it, or when they are nation states (you should really read about the revelations that Snowden made). The most common way to attack machines nowadays is over the internet and there are multiple motivators for this (usually money) you should read:
https://en.wikipedia.org/wiki/Ransomware
https://en.wikipedia.org/wiki/Man-in-the-browser

So, yes personal computers can be attacked if you visit the wrong sites in multiple ways often so that the criminals get personal information or can spam the user with ads or ask for ransom.

There are many ways to protect yourself on many levels (firewall, hosts file blacklisting, DNS servers, personal DNS sinkhole, ad blockers on browsers, safe browsers etc.). Each of these is its own topic you need to read about and depends on what kind of network you have.
pylkko
 
Posts: 1793
Joined: 2014-11-06 19:02

Re: Is it worth to set up a firewall for PC?

Postby NFT5 » 2020-04-09 05:11

Ask 100 people this question and you'll get 200 different answers.

So, here's my take on it:

A firewall won't stop an attack via a visited web site. Best thing here is to subscribe to a service that prevents your browser from going to known bad sites. Firefox and Chrome both do this by default but there are add-ons that extend the capability. You can do it yourself by using the hosts file. Really, much safer to stay away from sites that are, let's say, dubious.

Almost nobody isn't under attack via email. Don't open emails that are questionable and definitely never open attachments from people/companies/organisations that you don't know. Check emails that appear to be from places that you do know e.g. banks, Ebay, Paypal etc. You do have a bit of a head start, running Linux, but no 100% guarantees. Again, a firewall won't help here, at least in terms of letting the malware in. It may help in preventing the malware from "phoning home", but by then it's too late.

Do you connect to the internet via a router? Almost all have a firewall which is quite effective and most can be configured for higher levels of protection and will help with your phone, tablet and any IoT devices. I configure my router firewall for extra security. That can be a pain if, for example, I want to use a specific port to access my hosted websites. In such cases I can temporarily disable or reduce. If you're accessing the internet via public means or by wi-fi then a firewall, and probably a VPN, are very important. I have both on my notebook since that's what I use when travelling. At home or in my shop they're not so necessary.

Unless you've done something to really annoy a hacker then you're probably safe from DoS attack.

Malware on USB drives is different again. Don't just plug in that thumb drive from your friend with the cool software on it. It's just like real viruses - social distancing is important and will help to reduce the spread.

All the above relates to desktop type use. If you have a server with direct internet access then it's a very different ball game. Good security, including a firewall, is essential in such a case.
NFT5
 
Posts: 403
Joined: 2014-10-10 11:38
Location: Canberra, Australia

Re: Is it worth to set up a firewall for PC?

Postby Head_on_a_Stick » 2020-04-09 12:01

There seems to be some general confusion as to what a firewall actually does in a GNU/Linux system.

A firewall will only offer protection if any services are listening to ports, find these with
Code:
# ss -lutpn

https://packages.debian.org/buster/iproute2

Generally speaking, you only need a firewall if you're running some sort of server.

Any computer connected to a router is behind the hardware firewall provided by NAT so even the router's own software firewall isn't really needed.

And no firewall will protect against browser-based malware.
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
Head_on_a_Stick
 
Posts: 12744
Joined: 2014-06-01 17:46
Location: /dev/chair
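
The check described in the post above, as an added example that is not the poster's code: it reads `ss -lutpn` output and keeps only the sockets bound to a non-loopback address, which are the ones a host firewall would actually be filtering. The sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list sockets from `ss -lutpn` output that are reachable
# from the network (bound to something other than loopback).

# Constructed sample of `ss -lutpn` output (not taken from a real machine).
sample_ss_output() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=480,fd=12))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=512,fd=7))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=530,fd=12))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=601,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=640,fd=3))
tcp   LISTEN 0      128    [::1]:631          [::]:*            users:(("cupsd",pid=601,fd=6))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=640,fd=4))
EOF
}

# Reads ss output on stdin, prints "proto/port address process" for every
# socket that is not bound to 127.0.0.0/8 or [::1].
exposed_listeners() {
    awk '
    $1 == "Netid" { next }                 # header line
    NF >= 5 {
        ep = $5                            # Local Address:Port column
        match(ep, /:[^:]*$/)               # position of the last colon
        addr = substr(ep, 1, RSTART - 1)
        port = substr(ep, RSTART + 1)
        sub(/%.*/, "", addr)               # drop an interface suffix such as %lo
        if (addr ~ /^127\./ || addr == "[::1]") next
        proc = "unknown"                   # no process column when not run as root
        if (match($0, /\(\("[^"]+"/))
            proc = substr($0, RSTART + 3, RLENGTH - 4)
        print $1 "/" port " " addr " " proc
    }'
}

# Live use (as root, so process names are shown): ss -lutpn | exposed_listeners
sample_ss_output | exposed_listeners
```

An empty result, like the bare header shown later in this thread, means nothing on the machine is accepting connections from the network.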

Re: Is it worth to set up a firewall for PC?

Postby cooleo » 2020-04-09 21:13

Head_on_a_Stick wrote:A firewall will only offer protection if any services are listening to ports, find these with

--Is there any connection without services-listening-to-port?

Head_on_a_Stick wrote:And no firewall will protect against browser-based malware.

--So,Anyway to block this "hole"?
Last edited by cooleo on 2020-04-11 02:01, edited 1 time in total.
cooleo
 
Posts: 28
Joined: 2020-04-07 05:28

Re: Is it worth to set up a firewall for PC?

Postby Head_on_a_Stick » 2020-04-10 10:14

cooleo wrote:--Is there any connection without services-listening-to-port?

Yes, browsers work just fine without opening any ports.

cooleo wrote:--So,Anyway to block this "hole"?

Disable javascript in your browser. Allowing random websites to run their shitty code on your machine is almost always a bad idea.
Head_on_a_Stick
 
Posts: 12744
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Is it worth to set up a firewall for PC?

Postby pylkko » 2020-04-10 10:20

After you disable javascript expect about 75% of the internet to not work :D
pylkko
 
Posts: 1793
Joined: 2014-11-06 19:02

Re: Is it worth to set up a firewall for PC?

Postby Head_on_a_Stick » 2020-04-10 10:23

^ Yes, I do enjoy that feature :mrgreen:
Head_on_a_Stick
 
Posts: 12744
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Is it worth to set up a firewall for PC?

Postby cooleo » 2020-04-11 02:05

Head_on_a_Stick wrote:
cooleo wrote:--So,Anyway to block this "hole"?

Disable javascript in your browser. Allowing random websites to run their shitty code on your machine is almost always a bad idea.


Will this block ALL malware/spyware from web sites?
I think there is more than one language that works with web browsers.
cooleo
 
Posts: 28
Joined: 2020-04-07 05:28

Re: Is it worth to set up a firewall for PC?

Postby cooleo » 2020-04-11 02:18

Head_on_a_Stick wrote:
cooleo wrote:--Is there any connection without services-listening-to-port?

Yes, browsers work just fine without opening any ports.


What about 80/8080/443?
Do you mean I can "lock-down" the pc, and still get web-browser working?

"lock-down", I mean Disable-In/Out/Forward
cooleo
 
Posts: 28
Joined: 2020-04-07 05:28

Re: Is it worth to set up a firewall for PC?

Postby Nili » 2020-04-11 07:06

My browser firewall
Code:
/^javascript.enable/
= false
OS: Devuan GNU/Linux 4 (chimaera/ceres)
WM: CWM

Studio Ghibli
Nili
 
Posts: 407
Joined: 2014-04-30 14:04
Location: $HOME/♫♪

Re: Is it worth to set up a firewall for PC?

Postby Head_on_a_Stick » 2020-04-11 08:35

cooleo wrote:Will this block ALL Malwares/Spywares from web-site?

No but it will block most of them.

cooleo wrote:What about 80/8080/443?

The browser doesn't listen to those ports, this is from my machine running FF right now:
Code:
empty@E485 ~ % sudo ss -tulpn
Netid    State    Recv-Q    Send-Q        Local Address:Port         Peer Address:Port   
empty@E485 ~ %

cooleo wrote:"lock-down", I mean Disable-In/Out/Forward

Use the "workstation" example rule supplied by nftables in /usr/share/doc/, that will only allow established and related connections (ie, browser traffic) and deny everything else.
Head_on_a_Stick
 
Posts: 12744
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Is it worth to set up a firewall for PC?

Postby cooleo » 2020-04-13 02:08

Head_on_a_Stick wrote:
cooleo wrote:What about 80/8080/443?

The browser doesn't listen to those ports, this is from my machine running FF right now:
Code:
empty@E485 ~ % sudo ss -tulpn
Netid    State    Recv-Q    Send-Q        Local Address:Port         Peer Address:Port   
empty@E485 ~ %

cooleo wrote:"lock-down", I mean Disable-In/Out/Forward

Use the "workstation" example rule supplied by nftables in /usr/share/doc/, that will only allow established and related connections (ie, browser traffic) and deny everything else.



How about:
/sbin/iptables -A INPUT -m state --state INVALID -j DROP

There is no service listening to ports, but it really controls the traffic.
Am I right?
cooleo
 
Posts: 28
Joined: 2020-04-07 05:28

Re: Is it worth to set up a firewall for PC?

Postby cooleo » 2020-04-13 02:38

I saw one example:
# Reject broadcasts to 224.0.0.1
/sbin/iptables -A INPUT -s 224.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -d 224.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -s 240.0.0.0/5 -j DROP

What is 224.0.0.1? Why is it so special?
cooleo
 
Posts: 28
Joined: 2020-04-07 05:28

Re: Is it worth to set up a firewall for PC?

Postby Head_on_a_Stick » 2020-04-13 11:19

cooleo wrote:What is 224.0.0.1?

Please use a search engine before posting: https://www.iana.org/assignments/multic ... sses.xhtml

And as I told you before don't bother with iptables, it's obsolete.
Head_on_a_Stick
 
Posts: 12744
Joined: 2014-06-01 17:46
Location: /dev/chair
