Is it worth to set up a firewall for PC?

Linux Kernel, Network, and Services configuration.
cooleo
Posts: 38
Joined: 2020-04-07 05:28

Is it worth to set up a firewall for PC?

#1 Post by cooleo »

It looks like most malware comes through the web sites we visited,
and hackers won't even bother to attack a PC.

And, is there any way to "block" the malware from web sites?
Last edited by cooleo on 2020-04-09 21:07, edited 3 times in total.

pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: Is it worth to set up a firewall for PC?

#2 Post by pylkko »

In my view, it really depends on how your computer is connected to the internet. If it is behind a router/modem/whatever that has a firewall, then it might be safe. But since many computers are laptops or other mobile devices that you may move to other networks, then it makes sense to have a firewall on the machine itself (in addition). Hackers do still attack personal machines when they can make money off it, or when they are nation states (you should really read about the revelations that Snowden made). The most common way to attack machines nowadays is over the internet and there are multiple motivators for this (usually money) you should read:
https://en.wikipedia.org/wiki/Ransomware
https://en.wikipedia.org/wiki/Man-in-the-browser

So, yes, personal computers can be attacked in multiple ways if you visit the wrong sites, often so that the criminals get personal information or can spam the user with ads or ask for ransom.

There are many ways to protect yourself on many levels (firewall, hosts file blacklisting, DNS servers, personal DNS sinkhole, ad blockers on browsers, safe browsers, etc.). Each of these is its own topic that you need to read about, and it depends on what kind of network you have.

NFT5
df -h | grep > 20TiB
Posts: 598
Joined: 2014-10-10 11:38
Location: Canberra, Australia
Has thanked: 10 times
Been thanked: 43 times

Re: Is it worth to set up a firewall for PC?

#3 Post by NFT5 »

Ask 100 people this question and you'll get 200 different answers.

So, here's my take on it:

A firewall won't stop an attack via a visited web site. Best thing here is to subscribe to a service that prevents your browser from going to known bad sites. Firefox and Chrome both do this by default but there are add-ons that extend the capability. You can do it yourself by using the hosts file. Really, much safer to stay away from sites that are, let's say, dubious.

Almost nobody isn't under attack via email. Don't open emails that are questionable and definitely never open attachments from people/companies/organisations that you don't know. Check emails that appear to be from places that you do know e.g. banks, Ebay, Paypal etc. You do have a bit of a head start, running Linux, but no 100% guarantees. Again, a firewall won't help here, at least in terms of letting the malware in. It may help in preventing the malware from "phoning home", but by then it's too late.

Do you connect to the internet via a router? Almost all have a firewall which is quite effective and most can be configured for higher levels of protection and will help with your phone, tablet and any IoT devices. I configure my router firewall for extra security. That can be a pain if, for example, I want to use a specific port to access my hosted websites. In such cases I can temporarily disable or reduce. If you're accessing the internet via public means or by wi-fi then a firewall, and probably a VPN, are very important. I have both on my notebook since that's what I use when travelling. At home or in my shop they're not so necessary.

Unless you've done something to really annoy a hacker then you're probably safe from DoS attack.

Malware on USB drives is different again. Don't just plug in that thumb drive from your friend with the cool software on it. It's just like real viruses - social distancing is important and will help to reduce the spread.

All the above relates to desktop type use. If you have a server with direct internet access then it's a very different ball game. Good security, including a firewall, is essential in such a case.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Is it worth to set up a firewall for PC?

#4 Post by Head_on_a_Stick »

There seems to be some general confusion as to what a firewall actually does in a GNU/Linux system.

A firewall will only offer protection if any services are listening to ports, find these with

Code:

# ss -lutpn
https://packages.debian.org/buster/iproute2

Generally speaking, you only need a firewall if you're running some sort of server.

Any computer connected to a router is behind the hardware firewall provided by NAT so even the router's own software firewall isn't really needed.

And no firewall will protect against browser-based malware.
deadbang

cooleo
Posts: 38
Joined: 2020-04-07 05:28

Re: Is it worth to set up a firewall for PC?

#5 Post by cooleo »

A firewall will only offer protection if any services are listening to ports, find these with
--Is there any connection without services-listening-to-port?

And no firewall will protect against browser-based malware.
--So,Anyway to block this "hole"?
Last edited by cooleo on 2020-04-11 02:01, edited 1 time in total.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Is it worth to set up a firewall for PC?

#6 Post by Head_on_a_Stick »

cooleo wrote:--Is there any connection without services-listening-to-port?
Yes, browsers work just fine without opening any ports.
cooleo wrote:--So,Anyway to block this "hole"?
Disable javascript in your browser. Allowing random websites to run their shitty code on your machine is almost always a bad idea.
deadbang

pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: Is it worth to set up a firewall for PC?

#7 Post by pylkko »

After you disable javascript expect about 75% of the internet to not work :D

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Is it worth to set up a firewall for PC?

#8 Post by Head_on_a_Stick »

^ Yes, I do enjoy that feature :mrgreen:
deadbang

cooleo
Posts: 38
Joined: 2020-04-07 05:28

Re: Is it worth to set up a firewall for PC?

#9 Post by cooleo »

Head_on_a_Stick wrote:
cooleo wrote:--
cooleo wrote:--So,Anyway to block this "hole"?
Disable javascript in your browser. Allowing random websites to run their shitty code on your machine is almost always a bad idea.
Will this block ALL Malwares/Spywares from web-site?
I think there is more than one language that works with web browsers.

cooleo
Posts: 38
Joined: 2020-04-07 05:28

Re: Is it worth to set up a firewall for PC?

#10 Post by cooleo »

Head_on_a_Stick wrote:
cooleo wrote:--Is there any connection without services-listening-to-port?
Yes, browsers work just fine without opening any ports.
What about 80/8080/443?
Do you mean I can "lock-down" the pc, and still get web-browser working?

"lock-down", I mean Disable-In/Out/Forward

Nili
Posts: 441
Joined: 2014-04-30 14:04
Location: $HOME/♫♪
Has thanked: 5 times
Been thanked: 3 times

Re: Is it worth to set up a firewall for PC?

#11 Post by Nili »

My browser firewall

Code:

/^javascript.enable/
= false
openSUSE Tumbleweed KDE/Wayland

♫♪ Elisa playing...
Damascus Cocktail ♪ Black Reverie ♪ Dye the sky.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Is it worth to set up a firewall for PC?

#12 Post by Head_on_a_Stick »

cooleo wrote:Will this block ALL Malwares/Spywares from web-site?
No but it will block most of them.
cooleo wrote:What about 80/8080/443?
The browser doesn't listen to those ports, this is from my machine running FF right now:

Code:

empty@E485 ~ % sudo ss -tulpn
Netid    State    Recv-Q    Send-Q        Local Address:Port         Peer Address:Port    
empty@E485 ~ %
cooleo wrote:"lock-down", I mean Disable-In/Out/Forward
Use the "workstation" example rule supplied by nftables in /usr/share/doc/, that will only allow established and related connections (ie, browser traffic) and deny everything else.
deadbang
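
Added example, not written by any poster in this thread: a shell helper that filters `ss -tulpn` output (the command from posts #4 and #12) down to sockets bound to non-loopback addresses, which are the only ones an inbound firewall rule would shield. The sample `ss` lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: list listening sockets that are reachable from the network.
# Input is the text printed by `ss -tulpn`; loopback-only listeners are
# skipped because no remote host can connect to them.

exposed_listeners() {
    awk '
        $1 == "Netid" { next }              # header row
        NF < 5        { next }              # blank or malformed line
        {
            endpoint = $5                   # "Local Address:Port" column
            if (!match(endpoint, /:[^:]*$/)) next   # last colon splits addr/port
            addr = substr(endpoint, 1, RSTART - 1)
            port = substr(endpoint, RSTART + 1)
            sub(/%.*$/, "", addr)           # drop interface scope, e.g. %lo
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            print $1, addr, port
        }'
}

# Constructed sample, shaped like `ss -tulpn` output on a desktop with
# CUPS, a DHCP client, a local DNS stub and an SSH server installed.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=512,fd=9))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=430,fd=12))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      128    [::1]:631          [::]:*            users:(("cupsd",pid=640,fd=8))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=700,fd=4))
EOF
}

# Number of network-reachable listeners in the ss output given on stdin.
count_exposed() {
    exposed_listeners | wc -l | tr -d ' '
}

# Demo on the sample; on a real machine run: ss -tulpn | exposed_listeners
sample_ss_output | exposed_listeners
```

An empty result, as in the output shown in post #12, means nothing on the machine accepts inbound connections from the network.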

cooleo
Posts: 38
Joined: 2020-04-07 05:28

Re: Is it worth to set up a firewall for PC?

#13 Post by cooleo »

Head_on_a_Stick wrote:
cooleo wrote:What about 80/8080/443?
The browser doesn't listen to those ports, this is from my machine running FF right now:

Code:

empty@E485 ~ % sudo ss -tulpn
Netid    State    Recv-Q    Send-Q        Local Address:Port         Peer Address:Port    
empty@E485 ~ %
cooleo wrote:"lock-down", I mean Disable-In/Out/Forward
Use the "workstation" example rule supplied by nftables in /usr/share/doc/, that will only allow established and related connections (ie, browser traffic) and deny everything else.

How about:
/sbin/iptables -A INPUT -m state --state INVALID -j DROP

There is no service-listening-to-ports, but it really controls the traffic.
Am I right?

cooleo
Posts: 38
Joined: 2020-04-07 05:28

Re: Is it worth to set up a firewall for PC?

#14 Post by cooleo »

I saw one example:
# Reject broadcasts to 224.0.0.1
/sbin/iptables -A INPUT -s 224.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -d 224.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -s 240.0.0.0/5 -j DROP

What is 224.0.0.1? Why is it so special?

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Is it worth to set up a firewall for PC?

#15 Post by Head_on_a_Stick »

cooleo wrote:What is 224.0.0.1?
Please use a search engine before posting: https://www.iana.org/assignments/multic ... sses.xhtml

And as I told you before don't bother with iptables, it's obsolete.
deadbang

cuckooflew
Posts: 677
Joined: 2018-05-10 19:34
Location: Some where out west
Been thanked: 1 time

Re: Is it worth to set up a firewall for PC?

#16 Post by cuckooflew »

Please use a search engine before posting:
Honestly, if every one that wanted to know what a certain IP is, asked here, ....ridiculous, I know, some technical questions do not always get good results, and sometimes people do not understand what they read in the results, so that is what the forum is for. But asking us to look up an IP :!: :
cooleo wrote:
What is 224.0.0.1?
, this is a help vampire at its extreme.
Here is an example, in an effort to help the OP learn how to look up an IP, and find out what it is :
What is 224.0.0.1?
First hit: https://en.wikipedia.org/wiki/Multicast_address
A multicast address is a logical identifier for a group of hosts in a computer network that are available to process datagrams or frames intended to be multicast for a designated network service. Multicast addressing can be used in the link layer (layer 2 in the OSI model), such as Ethernet multicast, and at the internet layer (layer 3 for OSI) for Internet Protocol Version 4 (IPv4) or Version 6 (IPv6) multicast.
Please try to learn how to use a search engine. Thank you , and have a good day,...
P.S. Also the 'whois' command is useful, 'man whois',.....example:

Code:

 $ whois 224.0.0.1

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
#


#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 224.0.0.1"
#
# Use "?" to get help.
#

NetRange:       224.0.0.0 - 239.255.255.255
CIDR:           224.0.0.0/4
NetName:        MCAST-NET
NetHandle:      NET-224-0-0-0-1
Parent:          ()
NetType:        IANA Special Use
OriginAS:
Organization:   Internet Assigned Numbers Authority (IANA)
RegDate:        1991-05-21
Updated:        2013-08-30
Comment:        Addresses starting with a number between 224 and 239 are used for IP multicast.  IP multicast is a technology for efficiently sending the same content to multiple destinations.  It is commonly used for distributing financial information and video streams, among other things.
Comment:        A full list of IPv4 multicast assignments can be found at:
Comment:
Comment:        http://www.iana.org/assignments/multicast-addresses
Comment:
Comment:        A document describing the policies for assigning multicast addresses can be found at:
Comment:        http://datatracker.ietf.org/doc/rfc5771
Ref:            https://rdap.arin.net/registry/ip/224.0.0.0



OrgName:        Internet Assigned Numbers Authority
OrgId:          IANA
Address:        12025 Waterfront Drive
Address:        Suite 300
City:           Los Angeles
StateProv:      CA
PostalCode:     90292
Country:        US
RegDate:
Updated:        2012-08-31
Ref:            https://rdap.arin.net/registry/entity/IANA
=============

Code:

$ man whois
WHOIS(1)                    General Commands Manual                   WHOIS(1)

NAME
     whois - Internet domain name and network number directory service

SYNOPSIS
     whois [-AadgIilmPQRr] [-c country-code | -h host] [-p port] name ...

DESCRIPTION
     The whois utility looks up records in the databases maintained by several
     Network Information Centers (NICs).

     The options are as follows:
---read the manual for the options, etc.---- 
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!
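
Added example, not written by any poster in this thread: the address arithmetic behind the three rules quoted in post #14, in plain POSIX shell. It shows that 224.0.0.1 (the all-hosts multicast group) falls inside 224.0.0.0/4, and that 240.0.0.0/5 ends at 247.255.255.255, so it does not match the limited broadcast address 255.255.255.255. The function names and the test addresses are this example's own.

```shell
#!/bin/sh
# Added example: what the address blocks in the quoted iptables rules cover.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                 # split the address into four octets
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as an integer.
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# in_cidr ADDRESS NETWORK/PREFIX: exit status 0 when ADDRESS is inside the block.
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    mask=$(prefix_mask "${2#*/}")
    [ $(( $addr & $mask )) -eq $(( $net & $mask )) ]
}

# cidr_range NETWORK/PREFIX: print "first-last" address of the block.
cidr_range() {
    net=$(ip_to_int "${1%/*}")
    mask=$(prefix_mask "${1#*/}")
    first=$(( $net & $mask ))
    last=$(( $first | (~$mask & 4294967295) ))
    echo "$(int_to_ip "$first")-$(int_to_ip "$last")"
}

# The two blocks named in the quoted rules.
for block in 224.0.0.0/4 240.0.0.0/5; do
    echo "$block covers $(cidr_range "$block")"
done

# Constructed test addresses: 224.0.0.1 is the all-hosts multicast group,
# 255.255.255.255 is the limited broadcast address.
for ip in 224.0.0.1 239.255.255.250 247.0.0.1 248.0.0.1 255.255.255.255; do
    for block in 224.0.0.0/4 240.0.0.0/5; do
        if in_cidr "$ip" "$block"; then echo "$ip matches $block"; fi
    done
done
```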

cooleo
Posts: 38
Joined: 2020-04-07 05:28

Re: Is it worth to set up a firewall for PC?

#17 Post by cooleo »

Head_on_a_Stick wrote:
cooleo wrote:What is 224.0.0.1?
Please use a search engine before posting: https://www.iana.org/assignments/multic ... sses.xhtml

And as I told you before don't bother with iptables, it's obsolete.

I am still catching up with basic firewall knowledge now,
so it doesn't matter which *tables I refer to.
Last edited by cooleo on 2020-04-15 03:37, edited 1 time in total.

cooleo
Posts: 38
Joined: 2020-04-07 05:28

Re: Is it worth to set up a firewall for PC?

#18 Post by cooleo »

cuckooflew wrote:
cooleo wrote:
What is 224.0.0.1?
, this is a help vampire at its extreme.


Ah, You again.
I had asked you to ignore my questions in another thread.

Do you work for this forum? (This is the only reason I can think of).
If so,
Please let your boss know I asked you to ignore all my dumb questions.

I thought a forum is a place to exchange information and even gossip.
Don't answer if you don't want to.


ALL Forum stuffs,
I really don't know why I have all these Dumb questions sometimes.
There is absolutely no need to answer if you are not having fun answering them.

cuckooflew
Posts: 677
Joined: 2018-05-10 19:34
Location: Some where out west
Been thanked: 1 time

Re: Is it worth to set up a firewall for PC?

#19 Post by cuckooflew »

Do you work for this forum? (This is the only reason I can think of).
If so,
Please let your boss know I asked you to ignore all my dumb questions.
No, I don't work for anyone or anything,.....But I don't want to ignore them, I find them humorous, this is a public forum, any one can read anything they want, and respond to any posts as well. You could just ignore my answers/responses if you don't like them.. Or you could just try to find the answers , before asking, then no one would be calling you a help vampire...The members that do help all are volunteers, and do help a lot of people, it just gets "under my skin" when I see this kind of abuse, probably just asking questions to boost your post count,..I don't know, maybe a bot , a mindless one at that..who knows ? Who cares ?
I thought a forum is a place to exchange information and even gossip.
Don't answer if you don't want to.
Yes it is, although this forum is not intended for gossip, and foolish play questions that some one asks just to boost the post count.
I do want to answer, I enjoy it, I enjoy sharing demos and examples about how to search, and sometimes, find an answer for some one,... I did show you 2 methods, that you could have used to find an answer, and Head_On_A_stick, also asked you to start using a search engine, he also gave you a link, that has the answer as well , yet it never even occurred to you to say thank you! Another trait of help vampires,
Head_on_a_Stick wrote:
cooleo wrote:What is 224.0.0.1?
Please use a search engine before posting: https://www.iana.org/assignments/multic ... sses.xhtml

And as I told you before don't bother with iptables, it's obsolete.
Help vampires can be cured, if the person is willing to improve themselves, and most are not only willing , but want to improve, want to become better members.... I am starting to really wonder about you, I suspect you are a very young person, maybe about 12 years old, spoiled brat that thinks they are entitled to everything on a silver platter, still too young to comprehend the idea of actually doing a little work for yourself, instead of always needing someone to hold your hand, ...I mean , yes the forum is for technical questions, and technical answers, but it is not intended for silly "boost my post count" questions, and google is excellent for finding out what a specific IP is for, who it is, and even more,... we use the IP information to block hackers, spammers, and other "bad boys", we can use google to find out if a certain IP should be blocked, ....you are asking about a Firewall, and using Iptables , you need to learn how to look up IPs and see what they are, even on a PC you will see many IPs, all communicating with your PC, or modem, yes I know, there is a lot to learn, but just like most of your other questions, there is also tons of information that experienced people are willing to share, and have made the effort to make that information available to you, Why don't you take advantage of that ? Did you even try :
Is it worth to set up a firewall for PC? The results can be enhanced if you include Linux in the string,...try it, and let us know what results you think are the most useful,..
Other tech help forums, also do not like help vampires very much, it is not just me, nor this forum only, I am trying to help you become a better person...for your own good, you will be proud of yourself when you show yourself and others you actually are able to find answers, and solve problems, on your own,...
Also, and I will close with this, you really should read it:
What we expect you have Done
Look at the date :by Absent Minded » 2009-11-20 20:37
Indeed I really am trying to help you, I enjoy it very much, I do not do anything if I don't enjoy it..usually anyway, sometimes we all have to do things we have to do, even if we don't really like to, getting online, and passing time on a forum is not something I have to do, it is something I like to do, when I have the free time and nothing else to do,...now I have put a whole lot of time and effort into writing this, it was fun, but it has gotten too long, and I am tired, so it is not so fun any more,... I hope it helps you, and/or others stop being a help vampire, and become a better person , more useful contributors... not just on this forum, but even outside, in the real world , at work...etc. Anyway, have a good day, or night,... and try to learn how to do searches and use the databases for your benefit, it is much more rewarding than needing to sit and wait for a hand out, and hand holding nanny, learn how to crawl, before trying to walk, when you are ready, stand on your own 2 feet, and walk, no need to wait for a nanny to hold your hand, ...blah blah , bla blah,...good night ZZZZZZzzzzzz

cuckooflew
Posts: 677
Joined: 2018-05-10 19:34
Location: Some where out west
Been thanked: 1 time

Re: Is it worth to set up a firewall for PC?

#20 Post by cuckooflew »

Also I agree with H_O_A_S:
And as I told you before don't bother with iptables, it's obsolete.
This gives details and explains why,...
https://wiki.debian.org/nftables
Should I build a firewall using a nftables?

Yes. Building new firewalls on top of iptables is discouraged.

Should I replace an iptables firewall with a nftables one?

Yes, nftables is the replacement for iptables. There are some tools in place to ease in this task.
Is it worth to set up a firewall for PC?
My opinion, no, there really is no need, using the default settings:
nftables in Debian the easy way

If you want to enable a default firewall in Debian, follow these steps:
Just enabling the default firewall is all I need, so why bother with complicating things, KISS. But someone else might have different requirements. If one has more requirements, then I suppose it is worth the extra hassle, or for someone that just enjoys making things more complicated than need be.