This week on Destination Linux, we’re going to discuss firewalls. Specifically, what the heck are they? Do you need to set one up? Does your distro have a default firewall and our favorite firewall software. Google is now a privacy ally…or at least that’s what they’re marketing. Later in the show, we’re going to discuss 0 A.D. and Steam Link enhancements for Linux. Plus we’ve also got our famous tips, tricks and software picks. All of this and so much more this week on Destination Linux. So whether you’re brand new to Linux and open source or a guru of sudo. This is the podcast for you.

Sponsored by: do.co/dln
Sponsored by: bitwarden.com/dln

Hosts of Destination Linux:

Ryan (DasGeek) = dasgeekcommunity.com
Michael Tunnell = tuxdigital.com
Jill Bryant = twitter.com/jill_linuxgirl
Noah Chelliah = asknoahshow.com

Want to Support the Show?

Support us on Patreon = https://destinationlinux.org/patreon
Support us on Sponsus = https://destinationlinux.org/sponsus
Destination Linux Network Store = http://dlnstore.com

Want to follow the show and hosts on social media?

You can find all of our social accounts at https://destinationlinux.org/contact

Segment Index

Comments

  1. I enjoyed the focus on firewalls and Noah’s detailed recommendation not to enable anything for web-facing until you know what you’re doing.

    I also very much agree with Jill’s assessment that Google’s claim they’re done tracking simply means they’ve found a more invasive way to spy, without having to tell you about it.

    More security/privacy chats, please!!

  2. I second that!

  3. Avatar for alex alex says:

    Good show today. I wanted to chip in to say that ufw is disabled by default on Ubuntu. See Security - Firewall | Ubuntu). The hosts seemed to think that Ubuntu had a firewall turned on unlike debian. I think the vast majority of Linux users won’t have a firewall turned on by default. (the docs I linked to are for Ubuntu server, but I’m 98% sure the same applies to the desktop).

    I’m also of the opinion that it doesn’t matter all that much for a typical desktop use case. These users don’t tend to run listening services like SSH or NFS. And if they do, then they will want the firewall to allow traffic. A firewall could allow a user to be more granular regarding who is able to connect, but if a user knows to configure this then they could easily enable UFW. I find firewalls to be great in between network segments, but its easy to overstate the importance of a host-based firewall.

    That said, I do think that turning on the firewall by default would be the right call for ubuntu.

    One more opinion: iptables is just as easy as ufw once you go beyond the most basic commands. For example, here is how I’d block my machine from talking to comcast’s DNS servers using ufw and iptables:

    ufw deny out to 75.75.75.0/24 port 53 proto udp
    iptables -A OUTPUT -p udp -d 75.75.75.0/24 --dport 53 -j DROP
    # (or with long options) 
    iptables --append OUTPUT --protocol udp --destination 75.75.75.0/24 --dport 53 --jump DROP
    

    Both commands take the same information. I struggle with ufw because I’ve found that the order of the words can be important. Whereas with iptables you can shuffle the options around as you please. Maybe it’s a stretch to say that iptables is just as easy but I really think its a close call. Plus its more powerfull. I’ve never tried a graphical UFW frontend though, maybe that would change my mind.

    Thanks for the show and for putting up with my unsolicited opinions!

  4. First, big welcome to the forum. Love to see an iptables fan here. I started with iptables on Debian and it was a lot of fun though a little cumbersome. :stuck_out_tongue:

    Commands have to be repeated twice using iptables and ip6tables to apply rules to both IPv4 and IPv6.

    Commands aren’t persistent so you need a package to handle that if you’re not rolling your own startup solution:

    sudo apt install iptables-persistent
    sudo systemctl enable netfilter-persistent.service
    

    Then whenever you make changes you need to run:

    sudo iptables-save > /etc/iptables/rules.v4
    sudo ip6tables-save > /etc/iptables/rules.v6
    

    I also ran into a problem with virt-manager because it’d dynamically add a bunch of iptables rules after boot so if I changed the iptables and saved them it’d include virt-manager’s dynamically added rules making them either duplicates or zombie rules on future reboots. To do edits I ended up having to disconnect the network, then run

    sudo iptables --flush && sudo ip6tables --flush
    

    Then add all my rules back in including my edits, then save and restart.

    I could have produced something a bit more elegant had I stuck with it but that’s how firewalld/ufw finally won me over.

  5. Thanks everyone for another interesting and entertaining show :slight_smile:

    As a Debian user I was a bit surprised too when I first learned not default firewall installed. Thanks for the reminder - need to switch it on after installation as well(!)

    Sorry to say, but I don’t trust Big Tech enough to believe them when it comes to privacy. I hope they’re being upfront but I doubt it. I’d rather not take the risk myself.

    When I was back at college anything that was networked was very likely to be using Unix (it was about the same time Linus was at college too) and Windows/DOS machines struggled to even access memory outside the basic 640K memory range, if I remember correctly, though I dread to think back… Yes, seeing the Crays “for-real” as it were, sounds pretty exciting!

    Zero-AD looks good - and the zero budget requirement suits my pocket too for now - ah well, lots of projects to donate to when able!

Continue the discussion at discourse.destinationlinux.network

2 more replies

Participants

Avatar for Ulfnic Avatar for MichaelTunnell Avatar for perkele Avatar for alex Avatar for marvkal Avatar for Eltuxo Avatar for ak2020