Is it worth to set up a firewall for PC?
It looks like most malware comes through the web sites we visited,
and hackers won't even bother to attack a pc.
And, is there any way to "block" the malware from web sites?
Last edited by cooleo on 2020-04-09 21:07, edited 3 times in total.
Re: Is it worth to set up a firewall for PC?
In my view, it really depends on how your computer is connected to the internet. If it is behind a router/modem/whatever that has a firewall, then it might be safe. But since many computers are laptops or other mobile devices that you may move to other networks, then it makes sense to have a firewall on the machine itself (in addition). Hackers do still attack personal machines when they can make money off it, or when they are nation states (you should really read about the revelations that Snowden made). The most common way to attack machines nowadays is over the internet and there are multiple motivators for this (usually money) you should read:
https://en.wikipedia.org/wiki/Ransomware
https://en.wikipedia.org/wiki/Man-in-the-browser
So, yes personal computers can be attacked if you visit the wrong sites in multiple ways often so that the criminals get personal information or can spam the user with ads or ask for ransom.
There are many ways to protect yourself on many levels (firewall, hosts file blacklisting, DNS servers, personal DNS sinkhole, ad blockers on browsers, safe browsers etc.); each of these is its own topic you need to read about and depends on what kind of network you have.
- NFT5
- df -h | grep > 20TiB
- Posts: 598
- Joined: 2014-10-10 11:38
- Location: Canberra, Australia
- Has thanked: 10 times
- Been thanked: 43 times
Re: Is it worth to set up a firewall for PC?
Ask 100 people this question and you'll get 200 different answers.
So, here's my take on it:
A firewall won't stop an attack via a visited web site. Best thing here is to subscribe to a service that prevents your browser from going to known bad sites. Firefox and Chrome both do this by default but there are add-ons that extend the capability. You can do it yourself by using the hosts file. Really, much safer to stay away from sites that are, let's say, dubious.
Almost nobody isn't under attack via email. Don't open emails that are questionable and definitely never open attachments from people/companies/organisations that you don't know. Check emails that appear to be from places that you do know e.g. banks, Ebay, Paypal etc. You do have a bit of a head start, running Linux, but no 100% guarantees. Again, a firewall won't help here, at least in terms of letting the malware in. It may help in preventing the malware from "phoning home", but by then it's too late.
Do you connect to the internet via a router? Almost all have a firewall which is quite effective and most can be configured for higher levels of protection and will help with your phone, tablet and any IoT devices. I configure my router firewall for extra security. That can be a pain if, for example, I want to use a specific port to access my hosted websites. In such cases I can temporarily disable or reduce. If you're accessing the internet via public means or by wi-fi then a firewall, and probably a VPN, are very important. I have both on my notebook since that's what I use when travelling. At home or in my shop they're not so necessary.
Unless you've done something to really annoy a hacker then you're probably safe from DoS attack.
Malware on USB drives is different again. Don't just plug in that thumb drive from your friend with the cool software on it. It's just like real viruses - social distancing is important and will help to reduce the spread.
All the above relates to desktop type use. If you have a server with direct internet access then it's a very different ball game. Good security, including a firewall, is essential in such a case.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Is it worth to set up a firewall for PC?
There seems to be some general confusion as to what a firewall actually does in a GNU/Linux system.
A firewall will only offer protection if any services are listening to ports, find these with
Code: Select all
# ss -lutpn
https://packages.debian.org/buster/iproute2
Generally speaking, you only need a firewall if you're running some sort of server.
Any computer connected to a router is behind the hardware firewall provided by NAT so even the router's own software firewall isn't really needed.
And no firewall will protect against browser-based malware.
deadbang
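The point about listening services can be checked mechanically. The script below is an added example, not code from this thread: it reads `ss -lutpn` output and separates sockets bound only to loopback from those reachable from the network. The sample output and the function names `classify_listeners` and `exposed_listeners` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -lutpn` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=612,fd=12))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=540,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      5      127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=655,fd=7))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=701,fd=4))
tcp   LISTEN 0      5      [::1]:631          [::]:*            users:(("cupsd",pid=655,fd=6))'

# classify_listeners: read `ss -lutpn` output on stdin and print one line
# per socket in the form: <scope> <proto> <address> <port> <process>
# scope is "loopback" (only local programs can connect) or "exposed"
# (reachable from the network, so a firewall rule would matter).
classify_listeners() {
    awk '
    $1 == "Netid" || NF < 5 { next }          # skip the header and short lines
    {
        ep = $5                                # local address:port
        i = length(ep)
        # split at the LAST colon so IPv6 addresses stay intact
        while (i > 0 && substr(ep, i, 1) != ":") i--
        addr = substr(ep, 1, i - 1)
        port = substr(ep, i + 1)
        sub(/%.*$/, "", addr)                  # drop interface suffix such as %lo
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # drop IPv6 brackets
        proc = "unknown"                       # -p shows names only to root
        if (match($0, /\(\("[^"]+"/))
            proc = substr($0, RSTART + 3, RLENGTH - 4)
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        print scope, $1, addr, port, proc
    }'
}

# exposed_listeners: keep only the sockets a remote host could reach.
exposed_listeners() {
    classify_listeners | awk '$1 == "exposed"'
}

# Demo on the constructed sample. On a real machine, as root:
#   ss -lutpn | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

An empty result means nothing is listening on a network-facing address, which is the situation described above where a firewall has nothing to protect.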
Re: Is it worth to set up a firewall for PC?
Head_on_a_Stick wrote: A firewall will only offer protection if any services are listening to ports, find these with
--Is there any connection without services-listening-to-port?
Head_on_a_Stick wrote: And no firewall will protect against browser-based malware.
--So,Anyway to block this "hole"?
Last edited by cooleo on 2020-04-11 02:01, edited 1 time in total.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Is it worth to set up a firewall for PC?
cooleo wrote: --Is there any connection without services-listening-to-port?
Yes, browsers work just fine without opening any ports.
cooleo wrote: --So,Anyway to block this "hole"?
Disable javascript in your browser. Allowing random websites to run their shitty code on your machine is almost always a bad idea.
deadbang
Re: Is it worth to set up a firewall for PC?
After you disable javascript expect about 75% of the internet to not work
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Is it worth to set up a firewall for PC?
cooleo wrote: --So,Anyway to block this "hole"?
Head_on_a_Stick wrote: Disable javascript in your browser. Allowing random websites to run their shitty code on your machine is almost always a bad idea.
Will this block ALL Malwares/Spywares from web-site?
I think there is more than one language that works with web-browsers.
Re: Is it worth to set up a firewall for PC?
cooleo wrote: --Is there any connection without services-listening-to-port?
Head_on_a_Stick wrote: Yes, browsers work just fine without opening any ports.
What about 80/8080/443?
Do you mean I can "lock-down" the pc, and still get web-browser working?
"lock-down", I mean Disable-In/Out/Forward
- Nili
- Posts: 441
- Joined: 2014-04-30 14:04
- Location: $HOME/♫♪
- Has thanked: 5 times
- Been thanked: 3 times
Re: Is it worth to set up a firewall for PC?
My browser firewall
Code: Select all
/^javascript.enable/
= false
openSUSE Tumbleweed KDE/Wayland
♫♪ Elisa playing...
Damascus Cocktail ♪ Black Reverie ♪ Dye the sky.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Is it worth to set up a firewall for PC?
cooleo wrote: Will this block ALL Malwares/Spywares from web-site?
No but it will block most of them.
cooleo wrote: What about 80/8080/443?
The browser doesn't listen to those ports, this is from my machine running FF right now:
Code: Select all
empty@E485 ~ % sudo ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
empty@E485 ~ %
cooleo wrote: "lock-down", I mean Disable-In/Out/Forward
Use the "workstation" example rule supplied by nftables in /usr/share/doc/, that will only allow established and related connections (ie, browser traffic) and deny everything else.
deadbang
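A ruleset of the kind described above, allowing only established and related inbound traffic and dropping the rest, looks roughly like this. It is an added example, not the file shipped in /usr/share/doc/ and not code from this thread; the function names `workstation_ruleset` and `check_ruleset` are hypothetical.

```shell
#!/bin/sh
# workstation_ruleset: print an nftables ruleset for a desktop that runs no
# servers. Inbound and forwarded packets are dropped unless they belong to a
# connection this machine opened itself; outbound traffic is unrestricted.
workstation_ruleset() {
    cat <<'EOF'
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback traffic (local programs talking to each other)
        iif "lo" accept

        # packets conntrack cannot match to any connection
        # (the nftables form of iptables "-m state --state INVALID -j DROP")
        ct state invalid drop

        # replies to connections this machine opened (browser, apt, DNS, ...)
        ct state established,related accept

        # IPv6 neighbour discovery, without which IPv6 connectivity breaks
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        # to run a server later, open its port explicitly, for example:
        # tcp dport 22 ct state new accept

        # everything else falls through to "policy drop"; count it
        counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset: syntax-check the ruleset with "nft -c" without loading it.
# Returns 2 when nft is not installed; normally needs root.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    tmp=$(mktemp) || return 1
    workstation_ruleset > "$tmp"
    nft -c -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Print the ruleset; nothing is loaded into the kernel by this script.
workstation_ruleset
```

No inbound port is opened, yet a browser keeps working because its traffic is initiated locally and the replies match `ct state established,related`.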
Re: Is it worth to set up a firewall for PC?
cooleo wrote: What about 80/8080/443?
Head_on_a_Stick wrote: The browser doesn't listen to those ports, this is from my machine running FF right now:
Code: Select all
empty@E485 ~ % sudo ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
empty@E485 ~ %
cooleo wrote: "lock-down", I mean Disable-In/Out/Forward
Head_on_a_Stick wrote: Use the "workstation" example rule supplied by nftables in /usr/share/doc/, that will only allow established and related connections (ie, browser traffic) and deny everything else.
How about:
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
There is no service-listening-to-ports, but really controls the traffic.
Am I right?
Re: Is it worth to set up a firewall for PC?
I saw one example:
# Reject broadcasts to 224.0.0.1
/sbin/iptables -A INPUT -s 224.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -d 224.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -s 240.0.0.0/5 -j DROP
What is 224.0.0.1? Why is it so special?
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Is it worth to set up a firewall for PC?
cooleo wrote: What is 224.0.0.1?
Please use a search engine before posting: https://www.iana.org/assignments/multic ... sses.xhtml
And as I told you before don't bother with iptables, it's obsolete.
deadbang
-
- Posts: 677
- Joined: 2018-05-10 19:34
- Location: Some where out west
- Been thanked: 1 time
Re: Is it worth to set up a firewall for PC?
Head_on_a_Stick wrote: Please use a search engine before posting:
Honestly, if every one that wanted to know what a certain IP is, asked here, ....ridiculous, I know, some technical questions do not always get good results, and sometimes people do not understand what they read in the results, so that is what the forum is for. But asking us to look up an IP :
cooleo wrote: What is 224.0.0.1?
, this is a help vampire at its extreme.
Here is an example, in an effort to help the OP learn how to look up an IP, and find out what it is :
What is 224.0.0.1?
First hit: https://en.wikipedia.org/wiki/Multicast_address
Quote: A multicast address is a logical identifier for a group of hosts in a computer network that are available to process datagrams or frames intended to be multicast for a designated network service. Multicast addressing can be used in the link layer (layer 2 in the OSI model), such as Ethernet multicast, and at the internet layer (layer 3 for OSI) for Internet Protocol Version 4 (IPv4) or Version 6 (IPv6) multicast.
Please try to learn how to use a search engine. Thank you, and have a good day,...
P.S. Also the 'whois' command is useful, 'man whois',.....example:
Code: Select all
$ whois 224.0.0.1
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
#
#
# Query terms are ambiguous. The query is assumed to be:
# "n 224.0.0.1"
#
# Use "?" to get help.
#
NetRange: 224.0.0.0 - 239.255.255.255
CIDR: 224.0.0.0/4
NetName: MCAST-NET
NetHandle: NET-224-0-0-0-1
Parent: ()
NetType: IANA Special Use
OriginAS:
Organization: Internet Assigned Numbers Authority (IANA)
RegDate: 1991-05-21
Updated: 2013-08-30
Comment: Addresses starting with a number between 224 and 239 are used for IP multicast. IP multicast is a technology for efficiently sending the same content to multiple destinations. It is commonly used for distributing financial information and video streams, among other things.
Comment: A full list of IPv4 multicast assignments can be found at:
Comment:
Comment: http://www.iana.org/assignments/multicast-addresses
Comment:
Comment: A document describing the policies for assigning multicast addresses can be found at:
Comment: http://datatracker.ietf.org/doc/rfc5771
Ref: https://rdap.arin.net/registry/ip/224.0.0.0
OrgName: Internet Assigned Numbers Authority
OrgId: IANA
Address: 12025 Waterfront Drive
Address: Suite 300
City: Los Angeles
StateProv: CA
PostalCode: 90292
Country: US
RegDate:
Updated: 2012-08-31
Ref: https://rdap.arin.net/registry/entity/IANA
Code: Select all
$man whois
WHOIS(1) General Commands Manual WHOIS(1)
NAME
whois - Internet domain name and network number directory service
SYNOPSIS
whois [-AadgIilmPQRr] [-c country-code | -h host] [-p port] name ...
DESCRIPTION
The whois utility looks up records in the databases maintained by several
Network Information Centers (NICs).
The options are as follows:
---read the manual for the options, etc.----
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!
Re: Is it worth to set up a firewall for PC?
cooleo wrote: What is 224.0.0.1?
Head_on_a_Stick wrote: Please use a search engine before posting: https://www.iana.org/assignments/multic ... sses.xhtml And as I told you before don't bother with iptables, it's obsolete.
I am still catching up with basic firewall knowledge now,
so it doesn't matter which *tables I refer to.
Last edited by cooleo on 2020-04-15 03:37, edited 1 time in total.
Re: Is it worth to set up a firewall for PC?
cooleo wrote: What is 224.0.0.1?
cuckooflew wrote: , this is a help vampire at its extreme.
Ah, You again.
I had asked you to ignore my questions in another thread.
Do you work for this forum? (This is the only reason I can think of).
If so,
Please let your boss know I asked you to ignore all my dumb questions.
I thought a forum is a place to exchange information and even gossip.
Don't answer if you don't want to.
ALL Forum stuffs,
I really don't know why I have all these Dumb questions sometime.
There is absolutely no need to answer if you are not having fun to answer them.
-
- Posts: 677
- Joined: 2018-05-10 19:34
- Location: Some where out west
- Been thanked: 1 time
Re: Is it worth to set up a firewall for PC?
cooleo wrote: Do you work for this forum? (This is the only reason I can think of). If so, Please let your boss know I asked you to ignore all my dumb questions.
No, I don't work for anyone or anything,.....But I don't want to ignore them, I find them humorous, this is a public forum, any one can read anything they want, and respond to any posts as well. You could just ignore my answers/responses if you don't like them.. Or you could just try to find the answers , before asking, then no one would be calling you a help vampire...The members that do help all are volunteers, and do help a lot of people, it just gets "under my skin" when I see this kind of abuse, probably just asking questions to boost your post count,..I don't know, maybe a bot , a mindless one at that..who knows ? Who cares ?
cooleo wrote: I thought a forum is a place to exchange information and even gossip. Don't answer if you don't want to.
Yes it is, although this forum is not intended for gossip, and foolish play questions that some one asks just to boost the post count.
cooleo wrote: What is 224.0.0.1?
Head_on_a_Stick wrote: Please use a search engine before posting: https://www.iana.org/assignments/multic ... sses.xhtml And as I told you before don't bother with iptables, it's obsolete.
I do want to answer, I enjoy it, I enjoy sharing demos and examples about how to search, and sometimes, find an answer for some one,... I did show you 2 methods, that you could have used to find an answer, and Head_On_A_stick, also asked you to start using a search engine, he also gave you a link, that has the answer as well , yet it never even occurred to you to say thank you! Another trait of help vampires,
Help vampires can be cured, if the person is willing to improve themselves, and most are not only willing , but want to improve, want to become better members.... I am starting to really wonder about you, I suspect you are a very young person, maybe about 12 years old, spoiled brat that thinks they are entitled to everything on a silver platter, still too young to comprehend the idea of actually do a little work for yourself, instead of always needing someone to hold your hand, ...I mean , yes the forum is for technical questions, and technical answers, but it is not intended for silly "boost my post count" questions, and google is excellent for finding out what a specific IP is for, who it is, and even more,... we use the IP information to block hackers, spammers, and other "bad boys", we can use google to find out if a certain IP should be blocked, ....you are asking about a Firewall, and using Iptables , you need to learn how to look up IP's and see what they are, even on a PC you will see many IP's, all communicating with your PC, or modem, yes I know, there is a lot to learn, but just like most of your other questions, there is also tons of information that experienced people are willing to share, and have made the effort to make that information available to you, Why don't you take advantage of that ? Did you even try :
Is it worth to set up a firewall for PC? The results can be enhanced if you include Linux in the string,...try it, and let us know what results you think are the most useful,..
Other tech help forums, also do not like help vampires very much, it is not just me, nor this forum only, I am trying to help you become a better person...for your own good, you will be proud of yourself when you show yourself and others you actually are able to find answers, and solve problems, on your own,...
Also, and I will close with this, you really should read it:
What we expect you have Done
Look at the date: by Absent Minded » 2009-11-20 20:37
Indeed I really am trying to help you, I enjoy it very much, I do not do anything if I don't enjoy it..usually any way, sometimes we all have to do things we have to do, even if we don't really like to, getting online, and passing time on a forum is not something I have to do, it is something I like to do, when I have the free time and nothing else to do,...now I have put a whole lot of time and effort into writing this, it was fun, but it has gotten too long, and I am tired, so it is not so fun any more,... I hope it helps you, and/or others stop being a help vampire, and become better person , more useful contributors... not just on this forum, but even outside, in the real world , at work...etc. Anyway, have a good day, or night,... and try to learn how to do searches and use the databases for your benefit, it is much more rewarding than needing to sit and wait for a hand out, and hand holding nanny, learn how to crawl, before trying to walk, when you are ready, stand on your own 2 feet, and walk, no need to wait for a nanny to hold your hand, ...blah blah , bla blah,...good night ZZZZZZZZZZzzzzzzzzzzzzzzzzzzzzzzzzZZZZZZzzzzzzzzzzzzzzzzzzzz
-
- Posts: 677
- Joined: 2018-05-10 19:34
- Location: Some where out west
- Been thanked: 1 time
Re: Is it worth to set up a firewall for PC?
Head_on_a_Stick wrote: And as I told you before don't bother with iptables, it's obsolete.
Also I agree with H_O_A_S:
https://wiki.debian.org/nftables
This gives details and explains why,...
https://wiki.debian.org/nftables
Should I build a firewall using a nftables?
Yes. Building new firewalls on top of iptables is discouraged.
Should I replace an iptables firewall with a nftables one?
Yes, nftables is the replacement for iptables. There are some tools in place to ease in this task.
Quote: Is it worth to set up a firewall for PC?
My opinion, no, there really is no need, using the default settings:
Quote: nftables in Debian the easy way
If you want to enable a default firewall in Debian, follow these steps:
Just enabling the default firewall is all I need, so why bother with complicating things, KISS, but someone else might have different requirements. If one has more requirements, then I suppose it is worth the extra hassle, or for someone that just enjoys making things more complicated than need be.