I honestly only know of a windows one called simplewall.

I used to use it to outright block windows telemetry, microsoft services, apps, …

It also helped me to save a lot of bandwith in regards to windows and all the stuff that comes preinstalked with it.

I havent searched for one for linux, mostly because 90% of apps I run are cli tools that don’t require internet connection, but I’m sure there is probably one that exists.

Is this because the kernel assigns that port to that specific process, so that all traffic at that port is associated with only that process?

Yes, that’s what ports do. They split your IP connection into 65,536 separate communication lines, that’s the main thing, but that is specifically 65,536 1-on-1 lines, not party lines. When a process on your PC reserves port 80, that’s it. It’s taken. Short of hacking the kernel itself, it cannot be reassigned or stolen until the bound process frees it.

The SO answer you found it interesting, I was not aware that the Linux kernel had a feature that allowed two or more processes to willingly share a single port. But the answer explains that this is an opt-in parameter that the first binding process has to explicitly allow. And even then, traffic is not duplicated to all listening processes. It sounds like it’s more of a “first come first serve” to whichever of the processes are free to read the incoming message at the time it arrives, making it more of a load balancing feature that isn’t a useful vector for eavesdropping.

Haha, yeah, a device without networking capabilities would be rather well protected from attacks originating from a network 😜

wire guard vpn port

This is the only thing forwarded. As for devices the worst offender would be my Roku TV but I’m not sure how much of a security threat that actually would be. More of a privacy threat, hence running pihole.

They also would not realistically be doing anything that would cause open ports on their machine to serve data to some external application.

They may not explicitly do it, no, but I could certainly see the possibility of the software that they use having such a vulnerability, or even a malicious bit of software inadvertently being installed on their device.

In other words: don’t mess around with a firewall if you don’t know what you’re doing. Use your time learning other things first if you’re a not technically sophisticated user. I also don’t exactly know what “mistakes” you’d be mitigating by installing a firewall if you aren’t binding processes to those ports (something a novice user should not be doing anyway).

This sort of skirts around answering the question.

The best way of mitigating mistakes is by not making them in the first place

But mistakes will be made all the same.

Prevention is always better than cure.

This is exactly the point that I am trying to make. Having contingencies in place on the off chance that something doesn’t go as expected could certainly be interpreted as “prevention”.

You should never open ports on your local network. Ever.

What would be the rationale for this statement?

if you need to expose locally hosted services you should be maintaining a cloud VM or similar cloud based service that forwards connections to the desired service on your internal network via a VPN like Tailscale.

I’m not sure that I understand what issue that this would solve. Would the malicious connections not still be forwarded through the VPN to the service? I am quite lacking in knowledge on Tailscale, and how related infrastructure is used in production, so please pardon my ignorance.

Are you referring to the firewall on the router?

Yes. At home this will run on your (wifi) router. But the standard rules on that are pretty simple: Discard everything incoming, allow everything outgoing. Companies might have a dedicated machine, something like a pfSense in a server rack at each of their subsidiaries and draw a perimeter line around what they deem fit, the office building, a department, or separate the whole company’s internal network from the internet. (Or a combination of those.) You just have one point at home where two network segments interconnect: your router.

I think it is important to distinguish between this kind of firewall and something that runs on a desktop computer. I’d call that a personal firewall or desktop firewall. It does different things: like detect what kind of network you’re connected to. Enable access when you’re at your workplace but inhibit the Windows network share when you’re at the airport wifi. It adds a bit of protection to the software running on the computer, and can also filter packets from the LAN. And it’s often configured to be easygoing in order not to get in the way of the user. But it is not an independent entity, since it runs on the same machine that it is protecting. If that computer gets compromised for example, so is the personal firewall. A dedicated firewall however runs on a dedicated and secure machine, one where there is no user software installed that could interfere with it. And at a different location, it filters traffic between network segments, so it might be physically at some network interconnect. There are lots of different ways to do it, and people apply things in different ways. Such a firewall might not be able to entirely protect you or stop malicious activity spread within the attached network at all. And of course you need the correct policy and type in the rules that allow people at the company to be able to work, but inhibit everything else. Perfection is more a theoretical concept here and nothing that can be achieved in reality.

[isolating the cheap chinese consumer electronics] As in blocking or restricting their communication with the rest of the lan in the router’s firewall, for example?

Yes, you’d need to separate them from the rest of the network so your router gets in-between of them. Lots of wifi routers can open an additional guest network, or do several independent WiFis. For cables there is VLAN. For example: You configure 4 independent networks, get your computers on one network, your IoT devices on another network, your TV and NAS storage on a third and your guests and visitors on yet another. You tell your router the IoT devices can’t be messed with by guests and they can only connect to their respective update servers on the internet and your smarthome. Your guests can only connect to the internet but not to your other devices or each other. The TV is blocked from sending your behavior tracking data to arbitrary companies, it can only access your NAS and update servers. The devices you trust go on the network that is easygoing with the restrictions. You can make it arbitrarily complex or easy. This would be configured with the firewall of the router.

But an approach like this isn’t perfect by any means. The IoT devices can still mess with each other. Everything is a hassle to set up. And the WiFi is a single point of failure. If there are any security vulnerabilities in the WiFi stack of the router, attackers are probably just as likely to get into the guest wifi as they’d get into your secured wifi. And then the whole setup and separating things was an exercise in futility.

would you be able to provide an example of how this [use a conventional firewall (or a VPN) to restrict access to that software to trusted users only] could be implemented? It’s not immediately clear to me exactly what you are referring to when combining “user” with network related topics.

I mean something like: You have a network drive that you use to upload your vacation pictures to in case your camera/phone gets stolen. You can now immediately block everyone from all countries except from France, since you’re traveling there. This would be kind of a crude example but alike what we sometimes do with our credit cards. You can also set up a VPN that connects specifically you to your home-network or services. Your Nextcloud server can’t be reached or hacked from the internet, unless you also have the VPN credentials to connect to it in the first place. You obviously need some means of mapping the concept ‘user’ to something that is distinguishable from a network perspective. If you know in advance what IP addresses you’re going to use to connect, this is easy. If you don’t, you have to use something like a VPN to accomplish that, make just your phone be able to dial in to your home network. (Or compromise, like in the France example.)

Thank you for pointing out that my arguments don’t necessarily apply to reality. Sometimes I answer questions too direct. And the question wasn’t “should I use a firewall” or I would have answered with “probably yes.”

I think I have to make a few slight corrections: I think we use the word “timing attack” differently. To me a timing attack is something that relies on the exact order or interval/distance packets arrive at. I was thinking of something like TOR does where it shuffles around packets, waits for a few milliseconds, merges them or maybe blows them up so they all have the same size. Brute forcing something isn’t exploiting the exact time where a certain packet arrives, it’s just sending many of them and the other side lets the attacker try an indefinite amount of passwords. But I wouldn’t put that in the same category with timing attacks.

Firewall vs MySQL: I don’t think that is a valid comparison. The firewall doesn’t necessarily look into the packets and detect that someone is running a SQL injection. Both do a very different job. And if the firewall doesn’t do deep-packet-inspection or rate limiting or something, it just forwards the attack to the service and it passes through anyways. And MySQL probably isn’t a good example since it rarely should be exposed to the internet in the first place. I’ve configured MariaDB just to listen on the internal interface and not to packets from other computers. Additionally I didn’t open the port in the firewall but MariaDB doesn’t listen on that interface anyways. Maybe a better comparison would be a webserver with https. The firewall can’t look into the packets because it’s encrypted traffic. It can’t tell apart an attack from a legitimate request and just forwards them to the webserver. Now it’s the same with or without a firewall. Or you terminate the encrypted traffic at the firewall, do packet inspection or complicated heuristics. But that shifts the complexity (including potential security vulberabilities in complex code) from the webserver to the firewall. And it’s a niche setup that also isn’t well tested. And you need to predict the attacks. If your software has known vulnerabilities that won’t get fixed, this is a valid approach. But you can’t know future attacks.

Having a return channel from the webserver/software to the firewall so the application can report an attack and order the firewall to block the traffic is a good thing. That’s what fail2ban is for. I think it should be included by default wherever possible.

I think there is no way around using well-written software if you expose it to the internet (like a webserver or a service that is used by other people.) If it doesn’t need to be exposed to the internet, don’t do it. Any means of assuring that are alright. For crappy software that is exposed and needs to be exposed, a firewall doesn’t do much. The correct tools for that are virtualization, containers, VPNs, and replacing that software… Maybe also the firewall if it can tell apart good and bad actors by some means. But most of the time that’s impossible for the firewall to tell.

I agree. You absolutely need to do something about security if you run services on the internet. I do and have ran a few services. And especially webserver-logs (especially if you have a wordpress install or some other commonly attacked CMS), SSH and Voice-over-IP servers get bombarded with automated attacks. Same for Remote-Desktop, Windows-Networkshares and IoT devices. If I disable fail2ban, the attackers ramp up the traffic and I can see attacks scroll through the logfiles all day.

I think a good approach is:

1. Choose safe passwords and keys.
2. Don’t allow people to brute-force your login credentials.
3. If you don’t need a service, deactivate it entirely and remove the software.
4. If you just need a service internally, don’t expose it to the internet. A firewall will help, and most software I use can be configured to either listen on external requests or don’t do it. Also configure your software to just listen on/to localhost (127.0.0.1). Or just the LAN that contains the other things that tie into it. Doing it at two distinct layers helps if you make mistakes or something happens by accident or complexity or security vulnerabilities arise. (Or you’re not in complete control of everything and every possibility.)
5. If only some people need a service, either make it as secure as a public service or hide it behind a VPN.
6. Perimeter security isn’t the answer to everything. The subject is complex and we have to look at the context. Generally it adds, though.
7. If you run a public service, do it right. Follow state of the art security practices. It’s always complicated and depends on your setup and your attackers. There are entire books written about it, people dedicate their whole career to it. For every specific piece of software and combination, there are best practices and specific methods to follow and implement. Lots of things aren’t obvious.
8. Do updates and backups.

The problem is when you expose your server to the entire internet. It only takes a few minutes for the bots to find you.

Honestly you should use a mesh VPN instead.