What firewall should I use?

Diesel330
Posts: 127
Joined: 2021-11-08 19:57
Location: Eastern Europe
Has thanked: 29 times
Been thanked: 16 times

What firewall should I use?

#1 Post by Diesel330 »

Does Debian have any pre-installed firewall, or is there any that you propose for Debian 11?

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: What firewall should I use?

#2 Post by Head_on_a_Stick »

deadbang

Diesel330
Posts: 127
Joined: 2021-11-08 19:57
Location: Eastern Europe
Has thanked: 29 times
Been thanked: 16 times

Re: What firewall should I use?

#3 Post by Diesel330 »

Do you recommend enabling nftables for casual home use of the internet?

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: What firewall should I use?

#4 Post by Head_on_a_Stick »

It's not needed if you're just browsing the interweb, downloading stuff and playing games on other people's servers but nftables has a very low resource overhead and it adds a layer of protection just in case ports and services are exposed by mistake.

I use the provided "workstation" ruleset, which is default-deny:

Code:

# apt install nftables
# cp /usr/share/doc/nftables/examples/workstation.nft /etc/nftables.conf
# systemctl enable --now nftables

Check with

Code:

# nft list ruleset

Edit /etc/nftables.conf if you need to allow for ssh, http or https servers; it has a commented-out line for that.
deadbang
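
A way to automate the "Check with nft list ruleset" step from post #4, as an added example that is not part of the original thread: it reads the JSON form of the ruleset (`nft -j list ruleset`) and reports, for each input-hook chain, whether it is default-deny and which TCP ports it accepts. The function name `audit_input` and the embedded sample are assumptions made for illustration; the sample is constructed, not the contents of the shipped workstation.nft.

```python
import json

_R = {"family": "inet", "table": "filter", "chain": "input"}
# Constructed sample in the shape printed by `nft -j list ruleset`; not from a real host.
SAMPLE = json.dumps({"nftables": [
    {"table": {"family": "inet", "name": "filter"}},
    {"chain": {"family": "inet", "table": "filter", "name": "input",
               "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
    {"rule": {**_R, "expr": [
        {"match": {"op": "==", "left": {"meta": {"key": "iif"}}, "right": "lo"}},
        {"accept": None}]}},
    {"rule": {**_R, "expr": [
        {"match": {"op": "in", "left": {"ct": {"key": "state"}},
                   "right": ["established", "related"]}},
        {"accept": None}]}},
    {"rule": {**_R, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                   "right": {"set": [22, 443]}}},
        {"accept": None}]}},
    {"rule": {**_R, "expr": [{"counter": {"packets": 0, "bytes": 0}}, {"drop": None}]}},
]})

def audit_input(ruleset_json):
    """Report default-deny status and accepted TCP ports for each input-hook chain."""
    items = json.loads(ruleset_json)["nftables"]
    chains = {(c["family"], c["table"], c["name"]): (c.get("policy", "accept"), [])
              for c in (i.get("chain") for i in items) if c and c.get("hook") == "input"}
    for r in (i["rule"] for i in items if "rule" in i):
        key = (r["family"], r["table"], r["chain"])
        if key in chains:
            chains[key][1].append(r["expr"])
    report = {}
    for key, (policy, rules) in chains.items():
        ports = set()
        for expr in (e for e in rules if any("accept" in s for s in e)):
            for m in (s["match"] for s in expr if "match" in s):
                if m["left"] == {"payload": {"protocol": "tcp", "field": "dport"}}:
                    right = m["right"]
                    vals = right["set"] if isinstance(right, dict) and "set" in right else [right]
                    # Only literal ports are collected; ranges and named sets are skipped.
                    ports.update(v for v in vals if isinstance(v, int))
        # Default-deny: chain policy is drop, or the last rule drops/rejects with no match.
        last = rules[-1] if rules else []
        catch_all = (not any("match" in s for s in last)
                     and any("drop" in s or "reject" in s for s in last))
        report["/".join(key)] = {"default_deny": policy == "drop" or catch_all,
                                 "open_tcp_ports": sorted(ports)}
    return report
```

On a real host, pass it the output of `nft -j list ruleset` (run as root) instead of `SAMPLE`.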

ticojohn
Posts: 1284
Joined: 2009-08-29 18:10
Location: Costa Rica
Has thanked: 21 times
Been thanked: 44 times

Re: What firewall should I use?

#5 Post by ticojohn »

Thanks HOAS. I made the change as per the link you provided. What a difference in the ruleset. Not that I really understand any of it. :shock:
I am not irrational, I'm just quantum probabilistic.

Hallvor
Global Moderator
Posts: 2029
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 139 times
Been thanked: 206 times

Re: What firewall should I use?

#6 Post by Hallvor »

The default ruleset is fine. Here is a different option with chain base checks:

viewtopic.php?p=736536#p736536
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

zarathustra-f90
Posts: 35
Joined: 2020-10-26 14:37
Has thanked: 19 times
Been thanked: 2 times

Re: What firewall should I use?

#7 Post by zarathustra-f90 »

Just try the Uncomplicated Firewall (https://wiki.debian.org/Uncomplicated%2 ... 0%28ufw%29); it's easy to use, with nothing more to tinker with after enabling it.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: What firewall should I use?

#8 Post by Head_on_a_Stick »

zarathustra-f90 wrote: 2022-06-12 01:13
Uncomplicated Firewall
Setting default-deny in ufw is exactly equivalent to enabling the workstation ruleset for nftables but it exposes the user to all the extra bugs and vulnerabilities in the ufw code base as well as all the bugs and vulnerabilities in the nftables backend.

The less software is used, the less the chance of running into a bug or vulnerability.
deadbang

zarathustra-f90
Posts: 35
Joined: 2020-10-26 14:37
Has thanked: 19 times
Been thanked: 2 times

Re: What firewall should I use?

#9 Post by zarathustra-f90 »

Head_on_a_Stick wrote: 2022-06-12 10:07
zarathustra-f90 wrote: 2022-06-12 01:13
Uncomplicated Firewall
Setting default-deny in ufw is exactly equivalent to enabling the workstation ruleset for nftables but it exposes the user to all the extra bugs and vulnerabilities in the ufw code base as well as all the bugs and vulnerabilities in the nftables backend.

The less software is used, the less the chance of running into a bug or vulnerability.
Haven't come across any bugs/errors/interruptions through the years of using ufw as a simple daily firewall; for a user that wants an effective firewall without doing any tinkering or using command lines/config files, it seems suitable imho. Of course it's up to the user to choose and weigh the pros and cons.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: What firewall should I use?

#10 Post by Head_on_a_Stick »

zarathustra-f90 wrote: 2022-06-18 00:59
Haven't come across any bugs/errors/interruptions through the years of using ufw as a simple daily firewall
That you know of ;)
deadbang
