h3ndrik

Lol, ~~one person~~ [Edit:] 4 people don't like your GNU mug. I do...

How would the firewall on one device prevent other devices from abusing the rest of the network?

Sure. I'm not exactly sure any more what I was trying to convey. I think I was going for the firewall as a means if perimeter security. Usually devices are just configured to allow access to devices from the same Local Access Network. This is the case for lots of consumer electronics (and some enterprises also rely on securing the perimeter, once you get in their internal network, you can exploit that.) My printer lets everyone print and scan, no password setup required while installing the drivers. The wifi smart plugs I use to turn on and off the mood light in the livingroom also per default accept everyone in the WiFi. And lots of security cameras also have no password on them or people don't change the default since they're the only ones able to connect to the home WiFi. This works, since usually there is a Wifi router that connects to the internet and also does NAT, which I'd argue is the same concept as a firewall that discards incoming connections. And while wifi protocols have/had vulnerabilities, it's fairly uncommon that people go wardriving or close to your house to crack the wifi password. However, since you mentioned mixing devices you trust and devices you don't trust... That can have bad consequences in a network setup like this. You either do it properly, or you need some other means to secure your stuff. That may be isolating the cheap chinese consumer electronic with god knows which bugs and spying tech from the rest of the network. And/or shielding the devices you can't set up a password on.

the only solution to it would be an application layer firewall like OpenSnitch, correct?

I don't think you can make an absolute statement in this case. It depends on the scenario, as it always does with security. If you have broken web software with known and unpatched vulnerabilities, a Web Application Firewall might filter out malicious requests. An Application Firewall if other software is susceptible to attacks or might become the attacker itself (I'm not entirely sure what they do.) But you might also be able to use a conventional firewall (or a VPN) to restrict access to that software to trusted users only. For example drop all packets if it's not you interacting with that piece of software. And you can also combine several measures.

resize2fs and lvreduce? I mean if you have used LVM... It's not easy, but doable without a reinstall. Yeah. the guides also tell people to make a backup first.

Ah, well I just learned about the existence of free vpn services. I'm going to use it to set up a free guest wifi, so the neighbors, guests (and I) can do whatever with it. But I also struggle with the setup. It's complicated to get the wireguard interface set up, the guest wifi isolated and set up the split routing and everything so the different wifis on the router forward the traffic over different services.

Fair enough. I got confused by their FAQ. They say Wireguard is supported on their free plan. But there is no config available with the keys, so you have to use their client to connect.

I recently registered an account and wanted to do something similar. Guess it isn't that easy then. Another possibility is to use protonvpn.com they also offer a free tier and you can connect any Wireguard client with that.

Or you switch protocols and use for example IKEv2 with strongswan or OpenVPN or whatever hide.me offers in addition to wireguard. I think gluetun also does OpenVPN. But hide.me isn't listed for some reason.

👍

I think you're fine with choosing Mint or whatever distribution you like.

I think something like gluetun is more suited than a whole OS.

But i don't know the specifics of hide.me

Thank you for pointing out that my arguments don't necessarily apply to reality. Sometimes I answer questions too direct. And the question wasn't "should I use a firewall" or I would have answered with "probably yes."

I think I have to make a few slight corrections: I think we use the word "timing attack" differently. To me a timing attack is something that relies on the exact order or interval/distance packets arrive at. I was thinking of something like TOR does where it shuffles around packets, waits for a few milliseconds, merges them or maybe blows them up so they all have the same size. Brute forcing something isn't exploiting the exact time where a certain packet arrives, it's just sending many of them and the other side lets the attacker try an indefinite amount of passwords. But I wouldn't put that in the same category with timing attacks.

Firewall vs MySQL: I don't think that is a valid comparison. The firewall doesn't necessarily look into the packets and detect that someone is running a SQL injection. Both do a very different job. And if the firewall doesn't do deep-packet-inspection or rate limiting or something, it just forwards the attack to the service and it passes through anyways. And MySQL probably isn't a good example since it rarely should be exposed to the internet in the first place. I've configured MariaDB just to listen on the internal interface and not to packets from other computers. Additionally I didn't open the port in the firewall but MariaDB doesn't listen on that interface anyways. Maybe a better comparison would be a webserver with https. The firewall can't look into the packets because it's encrypted traffic. It can't tell apart an attack from a legitimate request and just forwards them to the webserver. Now it's the same with or without a firewall. Or you terminate the encrypted traffic at the firewall, do packet inspection or complicated heuristics. But that shifts the complexity (including potential security vulberabilities in complex code) from the webserver to the firewall. And it's a niche setup that also isn't well tested. And you need to predict the attacks. If your software has known vulnerabilities that won't get fixed, this is a valid approach. But you can't know future attacks.

Having a return channel from the webserver/software to the firewall so the application can report an attack and order the firewall to block the traffic is a good thing. That's what fail2ban is for. I think it should be included by default wherever possible.

I think there is no way around using well-written software if you expose it to the internet (like a webserver or a service that is used by other people.) If it doesn't need to be exposed to the internet, don't do it. Any means of assuring that are alright. For crappy software that is exposed and needs to be exposed, a firewall doesn't do much. The correct tools for that are virtualization, containers, VPNs, and replacing that software... Maybe also the firewall if it can tell apart good and bad actors by some means. But most of the time that's impossible for the firewall to tell.

I agree. You absolutely need to do something about security if you run services on the internet. I do and have ran a few services. And especially webserver-logs (especially if you have a wordpress install or some other commonly attacked CMS), SSH and Voice-over-IP servers get bombarded with automated attacks. Same for Remote-Desktop, Windows-Networkshares and IoT devices. If I disable fail2ban, the attackers ramp up the traffic and I can see attacks scroll through the logfiles all day.

I think a good approach is:

Choose safe passwords and keys.
Don't allow people to brute-force your login credentials.
If you don't need a service, deactivate it entirely and remove the software.
If you just need a service internally, don't expose it to the internet. A firewall will help, and most software I use can be configured to either listen on external requests or don't do it. Also configure your software to just listen on/to localhost (127.0.0.1). Or just the LAN that contains the other things that tie into it. Doing it at two distinct layers helps if you make mistakes or something happens by accident or complexity or security vulnerabilities arise. (Or you're not in complete control of everything and every possibility.)
If only some people need a service, either make it as secure as a public service or hide it behind a VPN.
Perimeter security isn't the answer to everything. The subject is complex and we have to look at the context. Generally it adds, though.
If you run a public service, do it right. Follow state of the art security practices. It's always complicated and depends on your setup and your attackers. There are entire books written about it, people dedicate their whole career to it. For every specific piece of software and combination, there are best practices and specific methods to follow and implement. Lots of things aren't obvious.
Do updates and backups.

Sure, I didn't list what I meant by 'valid use-cases'. If it's just your private VPN or SSH endpoint, it's like blocking your bank card from being used abroad. It might backfire once you travel and forgot about it. But I think it's a valid use case. Ultimately it's not the countries you want to block but address ranges which get used by attackers. But security is complex, it may not be feasible to allow-list just the carriers you use to connect, or find a suitable blocklist.

I'd be happy if georestriction wasn't a thing and I could stream Doctor Who from the BBC and some news sites wouldn't refuse service to me because I live in the EU and they don't want to implement the GDPR.

But I agree, this is just a tool. And it can be used for good things and bad things.

I don't complain if the same tool is used to route my requests to a datacenter nearby.

Yeah, back when the war with Russia and the Ukraine started I've seen people post tutorials about how to block people in Russia from accessing their blog and self-hosted services. So just for political reasons. I don't think this makes the world a better place.

Same with countries where lots of attacks originate from. I think a better approach would be to block offending address ranges if possible, not directly block countries and all the people who live there.

I don't think something needs to directly promote bad behaviour. Sometimes just making it easy, is enough to warrant a disclaimer to think before applying it.

Sure, maybe I've worded things too factually and not differentiated between theory and practice. But,

"you know everything": I've said that. Configurations might change or you you don't pay enough attention: A firewall adds an extra layer of security. In practice people make mistakes and things are complex. In theory where everything is perfect, blocking an already closed port doesn't add anything.
"There are no bugs in the network stack": Same applies to the firewall. It also has a network stack and an operating system and it's connected to your private network. Depends on how crappy network stacks you're running and how the network stack of the firewall compares against that. Might even be the same as on my VPS where Linux runs a firewall and the services. So this isn't an argument alone, it depends.
Who migitates for timing attacks? I don't think this is included in the default setup of any of the commonly used firewalls.
"open ports you are not even aware of": You open ports then. And your software isn't doing what you think it does. We agree that this is a use-case for a firewall. that is what I was trying to convey with the previous argument no 5.

Regarding the summary: I don't think I want to advise people not to use a firewall. I thought this was a theoretical discussion about single arguments. And it's complicated and confusing anyways. Which firewall do you run? The default Windows firewall is a completely different thing and setup than nftables and a Linux server that closes everything and only opens ports you specifically allow. Next question: How do you configure it? And where do you even run it? On a seperate host? Do you always rent 2 VPS? Do you do only do perimeter security for your LAN network and run a single firewall? Do you additionally run firewalls on all the connected computers in the network? Does that replace the firewall in front of them? What other means of security protection did you implement? As we said a firewall won't necessarily protect against weak passwords and keys. And it might not be connected to the software that gets brute-forced and thus just forward the attack. In practice it's really complicated and it always depends on the exact context. It is good practice to not allow everything by default, but take the approach to block everything and explicitly configure exceptions like a firewall does. It's not the firewall but this concept behind it that helps.

You're right. If you don't open up ports on the machines, you don't need a firewall to drop the packages to ports that are closed and will drop the packets anyways. So you just need it if your software opens ports that shouldn't be available to the internet. Or you don't trust the software to handle things correctly. Or things might change and you or your users install additional software and forget about the consequences.

However, a firewall does other things. For example forwarding traffic. Or in conjunction with fail2ban: blocking people who try to guess ssh passwords and connect to your server multiple times a second.

Edit:

“It’s just good security practice.” => nearly every time I've heard that people followed up with silly recommendations or were selling snake-oil.
“You [just] need it if you are running a server.” => I'd say it's more like the opposite. A server is much more of a controlled environment than lets say a home network with random devices and people installing random stuff.
“You need it if you don’t trust the other devices on the network.” => True, I could for example switch on and off your smarthome lights or disable the alarm and burgle your home. Or print 500 pages.
“You need it if you are not behind a NAT.” => Common fallacy, If A then B doesn't mean If B then A. Truth is, if you have a NAT, it does some of the jobs a firewall does. (Dropping incoming traffic.)
“You need it if you don’t trust the software running on your computer.” => True

Mmh. We should use georestriction with caution. Ultimatly the internet was made to connect people. And blocking people based on their origin is an attack on freedom and equality. There are valid use-cases, though. Just don't take it lightly.

For Mint you could maybe repurpose the Debian instructions (install the firmware-iwlwifi package): https://wiki.debian.org/InstallingDebianOn/Dell/Latitude7490

But I guess it's a weird issue since Intel cards are usually well supported. So are most Dell laptops in general. My usual approach is to type in something like "wiki linux dell 7480" into google. There are very little specific info around which leads me to believe everything usually works out of the box.

In case the thing with the button holding and power cord doesn't work, check your BIOS settings if it's disabled somewhere and then check the logfiles. "dmesg" and the boot output might contain the exact issue.

I think opening a tunnel and forwarding the port through it and opening a port forward directly have about the same security implications. Both end up opening the same port and forwarding the same packets to the same computer. The only difference is with a tunnel there is an extra step in between that slows things down. In some edge cases it may be nice if people can't directly see your IP but just the one from the tunnel. But that doesn't matter if it's only for you and your friends. Might be a concern though if you're a big live-streamer and fear people DDoSing you. But then there are better alternatives. (for example paying $8 a month for a small VPS.) So I think a tunnel makes perfect sense if you can't get the port forward running. It just doesn't add anything to security.

Cloudflare might be a different deal though. They include DDoS protection and filter some attacks. I don't like cloudflare so I don't really know the specifics. I think it's bad for the internet that a good share of the overall traffic is tunneled over a single company's servers. And I myself don't need a middleman in my own services. But they certainly must have something to offer or they wouldn't be as popular as they are...

Sorry, 10.x.x.x is a private IP address range. That can't be reached from the internet.

Maybe try one of the services that display your IP like https://www.showmyip.com/ or the one mentioned earlier: canyouseeme.org , that one also shows your IP.

I have little info to work on. There are many different providers around the world with very different setups. Some are suitable for port forwarding, some arent. (You could sit behind a Carrier Grade NAT, which makes port forward difficult to impossible.) But you need to figure out your IP first.

All I can say, I run something like you describe... Nextcloud, a reverse proxy and a few other services. I did some port forwards, got a domain that points to my IP and it works fine.

Edit: I use YunoHost on my computer. Its a Linux distribution for selfhosting. I think its a good choice to get your feet warm or if you want a low maintenance setup. It includes Nextcloud and many other services.

But you have to figure out how to access your computer from outside. Either you get your IP and the port forward running, or you have to use a service like pagekite.net or you get a VPN running like almost everyone else here wants to convince you to use. I don't think a VPN is a good idea except if you only want to use it by yourself and not use all the collaborative features of nextcloud.

How have you tested this? You need to use the external IP address of your router (public ip) to open it. And you need to test that from another internet connection. Also make sure the browser is actually trying to open an http connection to port 80. Some modern browsers / addons try to prefer https on port 443 instead and that wouldn't be reachable. Does a ping work? What's the exact error message? The port forward could be wrong. Needs to be port 80 (TCP) towards the internal device where nextcloud runs, to the port where it runs on that machine (could be 80, too). It could also be blocked by your provider, or your specific provider doesn't allow port forwards. Or you ran into issues with the shift to IPv6 addresses. Maybe your provider has some strange setup. Try if you can ping your router from external first. And try the canyouseeme.org mentioned in the other comment. That's good advice.

There are also heavy mats available in the hardware store, to put your washing machine on.

Let me scroll through your phone, see if there are some nice pictures or chats, the google search history, browser history... Uuh what's that Lovense Buttplug App for? Do you have any medical conditions or mental health struggles? How do you approach people on Tinder? What's your salary?

h3ndrik

@ h3ndrik @feddit.de

Posts

3
Comments

218
Joined

3 yr. ago

h3ndrik

I'm happy and I'd like to share my new GNU's mug with you guys. Long life to Lemmyverse

When do I actually need a firewall?

I made a mistake RESOLVED

I made a mistake RESOLVED

How do I create a docker container with custom programs inside?

How do I create a docker container with custom programs inside?

Breaking Windows to let the penguin in...

How do I create a docker container with custom programs inside?

When do I actually need a firewall?

Firewall: pvxe/nftables-geoip - filtered list of countries

Firewall: pvxe/nftables-geoip - filtered list of countries

When do I actually need a firewall?

When do I actually need a firewall?

Firewall: pvxe/nftables-geoip - filtered list of countries

Linux Newbie - Curiosity

how to access nextcloud outside LAN?

how to access nextcloud outside LAN?

how to access nextcloud outside LAN?

Protecting HDDs from (external) train vibrations

It hurts all over