Firewall thread

Is there any reason to set up and configure a firewall if you don't own a company or servers?

Now everything gets delivered with a firewall.
It's like the private firewall sector has become a meme.

Most companies use firewall hardware to ensure their safety, yet the hardware private users get with their router, which no one ever updates, feels like a joke.

Other urls found in this thread:

nation.state.actor/mcafee.html
bugs.chromium.org/p/project-zero/issues/detail?id=978
theinquirer.net/inquirer/news/1008265/is-firewall-spying
zdnet.com/blog/security/zonealarm-toolbar-bundle-raises-a-ruckus/759
debian-administration.org/article/120/Application_level_firewalling
douaneapp.com/
twitter.com/SFWRedditVideos

...

Fuck off NSA

What do you guys do in regard to firewalls?

A firewall is far better than any AV software, for the simple reason that AVs are active and FWs are passive. That is, AVs look for malware and inevitably miss some and misdiagnose others. FWs simply intercept connections. They do not miss, they do not misdiagnose (they leave the decision to you, who might misdiagnose or ignore (miss), but that's your fault). Of course they are not a complete security solution: for many attacks (e.g. phishing, MITM) FWs might be irrelevant, and AV software might still be desirable for someone in an insecure environment, though modern AVs are usually viruses in themselves[1][2], and you have to be careful choosing one.

That is to say, if you block all connections by default and have rules for your applications. I don't know of any firewalls for Linux that do something like ZoneAlarm does for Windows: block all connections by default except some pre-defined rules (which is not desirable, but let's let it pass for the sake of the argument) and then query the user when some application tries to open a new connection. I would be interested in that; I guess it would not be hard to do so with netstat + iptables.

I currently use a very permissive iptables setup:

# Flush all rules
iptables -F
iptables -X
# Allow unlimited traffic on localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
# ssh server
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow incoming traffic from established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Policy: Allow outgoing, deny incoming and forwarding
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

Ideally outgoing should be denied also, having per-application rules, though I usually have tcpdump open on my second monitor and I have zero connections at any given time that I am not aware of.

[1] nation.state.actor/mcafee.html
[2] bugs.chromium.org/p/project-zero/issues/detail?id=978

Haven't used a firewall since 2007

If you know what you're clicking, that's OK. But I bet there is something new every day.

pf master race

set skip on lo0
block all
pass out quick inet

Unfortunately, Linux doesn't have a real firewall.

I'm in the same boat. The fact that GNU systems don't appear to have a replacement that gives the same behavior as ZoneAlarm has been a continual frustration for me.

#!/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        meta iif lo accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        ip daddr 224.0.0.0/8 accept
        ip6 daddr ff00::/8 accept
        tcp dport ssh accept
        ct state related,established accept
    }
}

Needs more redhat/systemd-windows ini-file format.

Well anything that uses (in Cisco terminology) PAT (in consumer gear called NAT) by default has a firewall, as inbound connections have to be manually.

because people like to do things like connect to public networks which may not have features like (in Cisco terminology) P2P Blocking or isolated PVLANs. No, P2P blocking has nothing to do with bit torrent.

What random software comes with "firewall" software?

have to be manually configured

get back in your containment thread, sperg.

I just built a pfsense box to be my router/firewall

this is basically the very truth.

Except, however, I think that with IPv6 you don't need to port forward, since every device has its own unique global scope IP -> the router already knows which computer a packet is destined for -> inbound packets are no longer unreasonable to consider delivering in OOTB configs.

I trust that anything insecure I have is probably only running on IPv4, and I don't forward unknown random ports

...

How are you posting on an imageboard 30 years in the future?

carrier grade NAT and refusing to accept the IoT conspiracy addressing scheme

ZoneAlarm
To prevent hackers and suspicious activity from programs, plus making piracy/privacy easier by preventing internet access for certain apps.

what are you doing user?

ZoneAlarm appears to be just a regular anti-virus program.
What makes it special that I should buy it and not others?

Well it's become a shitty anti-virus suite now, but the main allure is that it sets up firewall exceptions on the fly. Whenever a new program attempts to access the internet you get notified and then asked if you want to allow it and whether to make that permanent. I've yet to come across any Linux firewall with this handy functionality.

Although I also like ZoneAlarm, modern ZA is a bit worrying privacy-wise. See

theinquirer.net/inquirer/news/1008265/is-firewall-spying

zdnet.com/blog/security/zonealarm-toolbar-bundle-raises-a-ruckus/759

It's nothing too serious but I wouldn't trust them in this regard (though I guess if you're using Windows 10, having no privacy is a given).

Yeah I use a very old version of ZoneAlarm myself when I'm Windozing.

I try to use other methods than typing IPs when I can. (Of course, everything I give a fuck about gets a static IPv4 local just in case)
DNS records, SSH hostname aliases, even that cute nss .local thing is p handy

Bump

Always wondered why this wasn't offered on GNU/Stallman/Linux.

I imagine it shouldn't have been hard to add this via hooks in UFW or something.

As great as Linux is (generally), I feel it really lags behind in some areas that should be simple to improve upon.

Also, it seems like a lot of "feature rushing" has been happening recently at the expense of stability. Kind of pissing me off.

Anyone else feel like QML/Plasma (on KDE) is a mistake? Reading QML code is like reading utter shit. Don't understand why the C++ GUI widgets couldn't be implemented with optional and selectable rendering engines to provide the same functionality. Would also eliminate having to tie the QML to C++ (which, imo, still isn't neatly implemented).

Topic diluter spotted.

iptables actually supports this somewhat, but your kernel has to be compiled with CONFIG_IP_NF_MATCH_OWNER
debian-administration.org/article/120/Application_level_firewalling

Forgot to mention, there's also this if anyone's willing to try it out:
douaneapp.com/

You would need to run such an application with root privileges on Linux, and running X applications as root outweighs any security benefits you might hope to derive from the firewall.

Also Linux doesn't block outbound by default because the OS draws from trusted repositories by default. Running random, untrusted binaries you don't have source for is for retards.

I only ran across this today and have not tried to use it (and may not try, that's not my thing), but I think this is supposed to do what you want on Linux:

douaneapp.com/

Firewall is needed to cut all traffic which isn't routed through your VPN, for example.
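As an added example of the VPN point above (not code posted by anyone in this thread), here is a small nftables "kill switch" built the same way as the nft ruleset earlier in the thread: the output chain drops by default, the physical interface may only carry the tunnel transport itself plus DHCP, and everything else has to leave through the tunnel interface. Interface names tun0 and eth0, the server address 203.0.113.10 (documentation range) and UDP port 1194 are constructed placeholders for the real endpoint.

```shell
#!/bin/sh
# Added example, not from the thread: an nftables kill switch that drops any
# outbound traffic not leaving through the VPN tunnel interface.
# Assumptions: nft is installed; tun0/eth0, 203.0.113.10 and port 1194 are
# constructed placeholders for the real tunnel, server address and port.

# Print the nft ruleset for the kill switch.
# Usage: vpn_killswitch_rules <tunnel_if> <server_ip> <server_udp_port> <physical_if>
vpn_killswitch_rules() {
    tun_if=$1; srv_ip=$2; srv_port=$3; phys_if=$4
    cat <<EOF
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # the only thing allowed on the physical link is the tunnel transport itself
        oifname "$phys_if" ip daddr $srv_ip udp dport $srv_port accept
        # DHCP keeps the physical link addressed while the tunnel is down
        oifname "$phys_if" udp dport 67 accept
        # anything else must leave through the tunnel
        oifname "$tun_if" accept
        log prefix "KILLSWITCH-DROP: " drop
    }
}
EOF
}

# Count the accept rules bound to the physical interface (sanity-check helper)
physical_accepts() {
    vpn_killswitch_rules "$@" | grep -c "oifname \"$4\".* accept" || true
}

# Load (or reload) just this table, leaving other tables alone; needs root
load_killswitch() {
    nft delete table inet killswitch 2>/dev/null || true
    vpn_killswitch_rules "$@" | nft -f -
}

if [ "${1:-}" = load ]; then
    shift
    load_killswitch "$@"
fi
```

Two things to keep in mind when using it: the VPN server must be given as an IP address, because DNS on the physical link is dropped before the tunnel is up (which is also what stops DNS leaks); and the `established,related` rule lets connections that were already open on eth0 before the table was loaded continue until they close, so load it before starting anything you care about.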

OpenBSD comes with firewall software, so I might as well use it. This is pf.conf for my laptop:
set skip on lo
block log all
pass out on egress inet proto { tcp, udp } from any to any keep state
pass out on egress inet proto icmp all icmp-type echoreq keep state
I don't run any services at all, so the only legitimate traffic are sessions that I start locally.

Most companies use routers that cost multiple thousands of dollars and come with license and contract payments. Consumer grade routers are you-get-what-you-pay-for. You aren't gonna get hardware fucking firewalls in a $40 piece of shit from netgear.

Just about every piece of networking gear has an ACL.

90% of consumer use is going to be deny everything that isn't 80/443 and open a port for your xbox.

You aren't gonna get hardware fucking firewalls in a $40 piece of shit from netgear.
Let me guess, you've never used an enterprise class firewall. I'll let you in on a secret: they're PCs running Linux. The only thing "hardware" about it is an encryption chip to accelerate VPN connections. There are no ASICs like in switches. And you can buy Cisco ASA 5505s for $40 and 5510s for $75.

Interesting. Seems easy to bypass though (virus runs itself as spotify and falls under the user's rules).
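To tie together the per-application idea from earlier in the thread (default-deny outbound, query the user on new connections), the iptables owner match linked a few posts up, and the spoofed-name concern in the post above, here is an added example that is not code from any poster. It keys each allow rule on the Unix user the application runs as (`-m owner --uid-owner`, the part of the old CONFIG_IP_NF_MATCH_OWNER match that still exists; matching on the process name was dropped from the kernel), so a process calling itself "spotify" gains nothing unless it actually runs as that uid. Denied NEW connections are logged, and those log lines are what a ZoneAlarm-style prompt tool would watch. The account names (spotify, browser) are hypothetical dedicated users.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny outbound policy with
# per-application allow rules keyed on the Unix uid each application runs as.
# Assumes the iptables CLI with the xt_owner ("owner") match; the account
# names passed in (e.g. spotify, browser) are hypothetical dedicated users.

# Print the iptables commands for the policy. Usage: outbound_rules user...
outbound_rules() {
    echo 'iptables -P OUTPUT DROP'
    echo 'iptables -F OUTPUT'
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    # Replies on connections that were already allowed, whoever owns the socket
    echo 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for user in "$@"; do
        # Only sockets owned by this uid may open NEW connections; a process
        # renaming itself after another application does not change its uid
        echo "iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $user -j ACCEPT"
    done
    # Everything else is logged (rate-limited) and then hits the DROP policy;
    # the FW-OUT-DENY lines in the kernel log are what a prompt tool would read
    echo 'iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DENY: " --log-level 4'
}

# Number of distinct users the generated policy lets open connections
count_allowed_users() {
    outbound_rules "$@" | grep -c -- '--uid-owner' || true
}

# Apply for real when root, otherwise just print the commands (dry run)
apply_rules() {
    if [ "$(id -u)" -eq 0 ]; then
        outbound_rules "$@" | sh -e
    else
        outbound_rules "$@"
    fi
}

if [ "${1:-}" = apply ]; then
    shift
    apply_rules "$@"
fi
```

The isolation is only as strong as the uid boundary: launch each application through a sudoers rule that allows your login user to run that one command as the dedicated account, not a blanket sudo. Also remember that the system resolver (systemd-resolved, a local stub, or whatever you use) runs as its own user and needs its own line in the list, or every allowed application's DNS lookups will be dropped along with everything else.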

I haven't used a condom since 1903

Thanks grandpa.

Yes.
That is why TR-069 exists. So the ISP can control and upgrade your router. And luckily many of them upgrade their routers these days.

Hardware firewalls are not a solution though. They either have to hijack your encrypted traffic (many enterprises do this by installing their Root certs on client machines) or they are not worth anything in terms of outgoing connections.
With Agnitum finishing Outpost, the "Firewall Only" market died this year for Windows, though from Vista the Windows firewall works pretty well tbh.

If you're still looking for a third-party solution, Emsisoft (they bought up Online Armor) seems to be the most barebones one. Probably the only security suite on Windows which does not allow "managing your firewalls from your mobile app". Checkpoint ZoneAlarm and Comodo have very worrying data collection and privacy policies.

Others only have limited protocol support anyway (usually only TCP/UDP/ICMP), so they are useless.

Someone responded to Douane in another thread:
He suggested Subgraph OS, but it is still in alpha.