Which Firewall do you use ?

[linux_rules]

I am using pfsense. I must say its a great product.

Which Firewall do you use ?

[Pjotr]

Simply ufw of course. I like uncomplicated and effective. Fire and forget.

[Moem]

UFW with GUFW as a GUI, not that I ever need to tinker with it. It's 'set it and forget it'.
What's so nice about pfsense? I mean, why do you prefer it?

[linux_rules]

I too use ufw on my desktop.

@Moem

The fact is security is effective when a multi layered approach is taken.

pfsense is my first layer of defense and ufw the second layer.

Pfsense offers a GUI (web interface) with a lot of fine grained control.

[Moem]

The fact is: if one firewall is effective, adding an extra one does not add any security. It's like having two roofs: if the outer roof doesn't leak, the second one is not doing anything.

[linux_rules]

@Moem

Yes you are totally correct but then why do people use routers ?

Other than sharing the connection all routers have in built firewall.

The problem with commercial home routers is that the manufacturers

abandon their products within a couple of years and no longer provide

firmware upgrades which makes them weak security wise. Pfsense on the

other hand provides security patches forever. If your hardware fails thats

altogether a different story.

[linux_rules]

Please read this

https://www.pcper.com/reviews/General-T ... Insecurity

[kukamuumuka]

None or UFW

[linux_rules]

None or UFW

You must be using a router. If you dont mind mention your router brand and model.

[dark]

Check OpenSnitch. https://github.com/evilsocket/opensnitch

[kukamuumuka]

None or UFW

You must be using a router. If you dont mind mention your router brand and model.

Not always.
https://www.grc.com/x/ne.dll?rh1dkyd2

[linux_rules]

Check OpenSnitch. https://github.com/evilsocket/opensnitch

Very interesting. Thanks for sharing.

[majpooper]

Please read this

https://www.pcper.com/reviews/General-T ... Insecurity

I agree with you in principle - but if is not in the linux mint repositories then it isn't really secure.

The military definition of "defense in depth" is
". . . mutually supporting defense positions designed to absorb and progressively weaken attack [and to] prevent initial observations of the whole position by the enemy. . . . "
Makes sense for computers and computr networks as well.

I am a huge Steve Gibson fan and listen to his pod-cast Security Now every week. I have in fact installed the Three-Router-Solution. The home router is in the estimation of many so called security experts is the weak link in most home networks.

On the other hand to ensure security of my system/network I never install any application that is not in the linux mint repositories - this is a hard and fast rule for me. And yes I know for certain there are some trusted sites that knowledgeable linux gurus are aware of and utilize even set up PPAs and live happily ever after - but unless you absolutely understand the inter-workings of the app, know the developers or at least know who they are then going outside the linux mint repositories is ill advised. Certainly I would not personally install anything from sites such GitHub.

It is not just that you could be installing malicious software on your system the other concern is when you put something on your system that is not native or from outside the approved repositories and has access to much or all of your system that software can be ripe for exploits. That is why AV software is so dangerous - it has admin/root privileges - if an exploit is found then the hacker has full access to your system - and this unfortunately has happened way more than the developers of such software would like to admit.

[linux_rules]

Please read this

https://www.pcper.com/reviews/General-T ... Insecurity

I agree with you in principle - but if is not in the linux mint repositories then it isn't really secure.

The military definition of "defense in depth" is
". . . mutually supporting defense positions designed to absorb and progressively weaken attack [and to] prevent initial observations of the whole position by the enemy. . . . "
Makes sense for computers and computr networks as well.

I am a huge Steve Gibson fan and listen to his pod-cast Security Now every week. I have in fact installed the Three-Router-Solution. The home router is in the estimation of many so called security experts is the weak link in most home networks.

On the other hand to ensure security of my system/network I never install any application that is not in the linux mint repositories - this is a hard and fast rule for me. And yes I know for certain there are some trusted sites that knowledgeable linux gurus are aware of and utilize even set up PPAs and live happily ever after - but unless you absolutely understand the inter-workings of the app, know the developers or at least know who they are then going outside the linux mint repositories is ill advised. Certainly I would not personally install anything from sites such GitHub.

It is not just that you could be installing malicious software on your system the other concern is when you put something on your system that is not native or from outside the approved repositories and has access to much or all of your system that software can be ripe for exploits. That is why AV software is so dangerous - it has admin/root privileges - if an exploit is found then the hacker has full access to your system - and this unfortunately has happened way more than the developers of such software would like to admit.

I agree with you 100% but which application do you think I have installed from outside the Mint repos?

If you mean pfsense it is a completely separate firewall distro based on FreeBSD. It is a highly secure and well known product.

I don't install anything outside the official repos.

Thanks for your reply.

[stephanieswitzer]

I use a Firewall that's installed on my Synology RT2600ac router. It's System wide covers both HTTP and HTTPS. I also have "Express VPN" installed on the router. Works very well and I'm pleased with it's performance.

Like majpooper I only install apps from the Mint repositories. I also use "Dashlane" password manager system wide. A great system that syncs passwords between all my Apple/Mac devices and Linux systems. I recently generated a this PW just for shits and giggles, it would take a while to crack:

Code: Select all

%#$::><,.}{[-)*\|=+!`

[AZgl1800]

Dashlane is good, put it on a friend's computer.

I have used LastPass for 20+ years with good results, likewise, any computer can use it.

[Cosmo.]

The fact is security is effective when a multi layered approach is taken.

The problem is, that using 2 personal firewall in the same system can introduce stability issues and in case, that one of the them has a security flaw, this can affect also the other firewall. Every firewall runs with elevated rights and they use necessarily the same kernel. If one of them has a leak, the system has this leak. (If there is no leak, the second firewall can in best case do nothing better than the first.)

Quite obviously configuring 2 firewalls is more complicated and bears much more potential for mistakes than only one. Not only can this disturb the needed network connection; possibly the users does in consequence a configuration mistake, which can destroy the purpose of the firewall completely.

A router firewall is quiet a different thing, because it runs on a different physical system. Leaks in one place cannot affect the other one. If a hardware firewall (router) i no longer safe, because abandoned, you need to replace it. A second software firewall is the wrong and also dangerous measurement..

[Fred Barclay]

The fact is security is effective when a multi layered approach is taken.

The problem is, that using 2 personal firewall in the same system can introduce stability issues and in case, that one of the them has a security flaw, this can affect also the other firewall. Every firewall runs with elevated rights and they use necessarily the same kernel. If one of them has a leak, the system has this leak. (If there is no leak, the second firewall can in best case do nothing better than the first.)

I'm all for multi-layer security, but I rather agree with Cosmo. I believe that having two firewalls on the same machine is asking for trouble.

If you want multiple firewalls, maybe use a dedicated hardware firewall, install the other firewall on your machine, and route all your network through the dedicated machine? That way you get two firewalls (or three, if you use a decent router).

[majpooper]

OK I see the confusion - pfsense is not a firewall that one installs on a linux mint computer. Or at least one should not. Alhough I see where there are instructions to do so using a VM which seems like a really bad idea. It looks to me that pfsense is a firewall on a separate hardware platform (you can buy it preloaded on their hardware or load it on your own) which can add security in depth. In effect it looks like a router firewall or even a router behind a router firewall I suppose.

So sure, OK if you want to spend the $$$

[kukamuumuka]

In linuxes has no open ports by default, so firewall is unnecessary for desktop user.

Code: Select all

sudo ufw status
netstat -lnptu