Should I install something like gufw?
8 Answers
Yes, more than ever. The internet hasn't changed a lot since the old days, so a firewall is still a necessity these days. A firewall like gufw with basic rules works. Use iptables if you are a CLI geek ;)
- 16,533
Undoubtedly, it only takes a single opportunistic snooper to cause no end of trouble. The confusion lies in how you go about ensuring you're behind a firewall.
This is discussed in more detail here: "Is there a preinstalled or automatic firewall?", but in short, if you are on a home network, behind a wireless router, then your router will normally be performing firewall duties. Obviously it's a good idea to check with the manufacturer before you rely on anything (it's also dependent on the router configuration).
GUFW is not, in itself, a firewall, just a GUI for Ubuntu's default firewall (UFW). UFW is switched off by default. Generally speaking, it's advisable to only run one firewall, to avoid potential conflicts, so provided you are on a trusted home network (and you're positive your router provides adequate protection), I'd advise switching off your software firewall (UFW).
Obviously, switch it back on again when you're on a public / non-trusted network.
By definition a firewall blocks communication that otherwise would be allowed. A desktop Ubuntu machine has no services installed by default that will accept connections, so there is nothing for a firewall to block access to. Therefore, it is completely useless.
The reason a firewall is considered necessary on Windows is because it comes with several brain dead services installed by default that accept connections and allow the other party to do things with your computer that you don't want.
- 38,031
Ubuntu should come with a default firewall activated with a GUI tool too. I'm surprised it doesn't come with it. I know iptables is already there but there are no rules loaded. You have to do that manually or install something like Firestarter to get the basics running for you.
I was so surprised one day when I found out that my ISP gives me my own public IP every time I enable my DSL. Imagine how many hits, ssh login attempts, other scans and MS exploits (yeah someone was running that on my ISP's IPs) my machine was getting the entire time. LOL! :)
- 1,531
With the introduction of IPv6, having a firewall will become even more critical. Unlike IPv4, where most systems are relatively secured on private IP ranges, IPv6 devices are likely to be fully accessible.
Having a firewall with a default deny policy will be even more critical. Finding devices to scan will be more difficult due to the sparse use of addresses. Keeping some protocols like SMB on link local addresses will help, but won't be a magic bullet.
That said, in a default install an active firewall is just an extra layer of security. Many of the applications which do open ports will require their ports to be opened to allow them to work. Pretty well all have additional methods to secure them. Enable all the appropriate layers as required.
EDIT: There have been a lot of comments about letting the application control access and other reasons not to have a firewall. Unfortunately, many applications don't have access controls. Others listen on all addresses, so a firewall becomes the sole way of restricting access from certain interfaces.
As I noted above, a firewall is only one layer of security. Secure applications are another, but you can't easily ensure that your users only run secure applications. A firewall is one way of protecting your users.
No reasonable security measures are totally secure. While many users may not be interested or educated enough to fully understand a firewall, that is not a reason not to use a firewall, or for them not to have a firewall.
- 4,698
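The answer above notes that some applications listen on all addresses, which leaves a firewall as the only per-interface control. As an added example (not part of the original answer), this Python script classifies listeners in `ss -tulnH` output by bind address, IPv6 and link-local included; the sample input is constructed and the function names are illustrative.

```python
import ipaddress

# Constructed sample of `ss -tulnH` output (not captured from a real host).
SAMPLE_SS = """\
udp UNCONN 0 0    127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128  0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128  [::]:22 [::]:*
tcp LISTEN 0 50   *:445 *:*
udp UNCONN 0 0    [fe80::1c2d:3eff:fe4f:5a6b]%eth0:546 [::]:*
tcp LISTEN 0 128  192.168.1.20:8080 0.0.0.0:*
"""

def classify(host):
    """Return the exposure class of a bind address as printed by ss."""
    host = host.split("%", 1)[0].strip("[]")  # drop scope id and IPv6 brackets
    if host == "*":                           # dual-stack wildcard
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:                   # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:                    # fe80::/10 or 169.254.0.0/16
        return "link-local"
    return "single-address"

def parse_listeners(ss_output):
    """Parse ss lines into (proto, port, bind_host, exposure_class) tuples."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # Local address is the fifth column; the port follows the last colon.
        host, _, port = fields[4].rpartition(":")
        rows.append((fields[0], port, host, classify(host)))
    return rows

def needs_firewall_rule(rows):
    """Listeners reachable on every interface unless a packet filter intervenes."""
    return sorted({(proto, int(port)) for proto, port, _, kind in rows
                   if kind == "all-interfaces"})

if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_SS)
    for proto, port, host, kind in listeners:
        print(f"{proto:4} {port:>5} {host:38} {kind}")
    print("bound to all interfaces:", needs_firewall_rule(listeners))
```

To run it against a real machine, pass the text produced by `ss -tulnH` to `parse_listeners` in place of the constructed sample.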
Everyone is correct: be careful and probably use some kind of protection. It can create some hassle depending on what you do, but sometimes you don't notice how much that extra hassle is really protecting you.
One way you could add some extra protection that isn't really intrusive at all would be to look into OpenDNS, which basically just adds some nice control and extra security features for basic internet use.
- 101