39

Do I need a firewall for my fedora 38?

I'm new to Linux, previously been on Windows where I used defender + Windows firewall. Now I'm on fedora which also have its firewall called firewalld. Are those sufficient, or do I need any other solutions for my security?

all 20 comments
sorted by: hot top controversial new old
[-] _cnt0@unilem.org 23 points 1 year ago

All the other comments kind of suggest otherwise, but I am pretty certain that fedora comes with firewalld enabled by default.

[-] Bitrot@lemmy.sdf.org 4 points 1 year ago

It is enabled, but the default FedoraWorkstation zone only blocks connections to ports below 1025.

[-] thayer@lemmy.ca 15 points 1 year ago* (last edited 1 year ago)

I treat all guests on the network as potentially hostile, so I enable firewalls on all of my hosts.

I believe that Fedora's firewall is enabled by default, but it leaves open ports 1025-65535/tcp and 1025-65535/udp.

To lock down some sane defaults:

sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
sudo firewall-cmd --permanent --remove-port=1025-65535/udp
sudo firewall-cmd --reload

Verify allowed ports with:

sudo firewall-cmd --list-ports

See also:

PS: if you have a Steam Link, you'll want to open these ports for connectivity:

sudo firewall-cmd --permanent --add-port=27031/udp  # steam remote play
sudo firewall-cmd --permanent --add-port=27036/udp  # steam remote play
sudo firewall-cmd --permanent --add-port=27036/tcp  # steam remote play
sudo firewall-cmd --permanent --add-port=27037/tcp  # steam remote play
[-] GustavoM@lemmy.world 3 points 1 year ago

That is a really solid tip! Don't mind me if I yoink it.

[-] serratur@lemmy.wtf 2 points 1 year ago

You can also achieve this by setting up VLAN for guests

[-] gibson@sopuli.xyz 10 points 1 year ago* (last edited 1 year ago)

Its best to have some defence in depth. Ideally you would have a firewall on your network AND your local machine. If you are running a laptop definitely have a local firewall on that as you cannot trust random networks you connect to when out and about in the world.

firewalld is sufficient, i suggest learning its CLI as it is not super complicated. ufw is ok if you are allergic to command line.

[-] kevincox@lemmy.ml 7 points 1 year ago

Even without any firewall you should be fine by default. Access to ports with no services listening do nothing. Firewalls are just defense-in-depth in case a service that you didn't want to accidentally listens on a port. It may also slightly reduce kernel attack surface.

So I would say that you don't need it. You will be fine. But if you want to be sure about what is listening on your machine then feel free to apply one.

[-] moist_towelettes@lemm.ee 7 points 1 year ago* (last edited 1 year ago)

Unless your computer is exposed directly to the internet, your router's firewall should be enough. Fedora typically has SELinux and AppArmor enabled by default which should protect from something nasty executing on your machine.

Don't execute things as root if you don't know what it is and you should be fine.

[-] Caaaaarrrrlll@lemmy.ml 7 points 1 year ago* (last edited 1 year ago)

Fedora doesn't use AppArmor, it uses SELinux.

You normally only use SELinux or AppArmor, not both, since they are the same goal and purpose.

I would definitely keep firewalld and SELinux installed and enabled on any system unless there's a good reason not to.

[-] Shrexios@mastodon.social 1 points 1 year ago

@Caaaaarrrrlll @moist_towelettes you mean by default. Everything in Linux can be changed, so if you like AppArmor, you can use it.

[-] ReversalHatchery@beehaw.org 1 points 1 year ago

Fedora typically has SELinux and AppArmor enabled by default which should protect from something nasty executing on your machine.

That does not really work that way. Aside from what the other responder said, only a small set of programs are confined by these security solutions by default.

[-] BaalInvoker@lemmy.eco.br 7 points 1 year ago

You probably is protected by your routers firewall already. But if you want to keep it safe and use a firewall in your computer, you may install ufw or firewalld. The default config should be alright to your needs

[-] CaptainJack42@discuss.tchncs.de 3 points 1 year ago* (last edited 1 year ago)

Unless you mess around with firewall commands/settings you don't understand firewalld should be sufficient.

That being said you might have to allow certain services at some point (openvpn) for example

[-] LeTak@lemm.ee 3 points 1 year ago

I use portmaster on my fedora instance. I disabled blocking all from LAN and made a custom rule set to allow some devices and block all others.

[-] Harry_h0udini@lemmy.dbzer0.com -1 points 1 year ago* (last edited 1 year ago)

Uncomplicated Firewall is easy to setup and understand. It blocks traffic and allows it. Install UFW

sudo apt install ufw

My recommended(Chris Titus)

`sudo ufw limit 22/tcp

sudo ufw allow 80/tcp

sudo ufw allow 443/tcp

sudo ufw default deny incoming

sudo ufw default allow outgoing

sudo ufw enable`

Is this enough?

[-] zenharbinger@lemmy.world 3 points 1 year ago* (last edited 1 year ago)

This is fedora, I would stick with firewalld.

sudo dnf install firewalld

sudo systemctl enable --now firewalld

sudo firewalld-cmd --add-service --permanent ssh

sudo firewalld-cmd --add-service --permanent https

sudo firewalld-cmd --add-service --permanent http

sudo systemctl restart firewalld

[-] NateNate60@lemmy.ml 1 points 1 year ago* (last edited 1 year ago)

Yes, it is enough. Generally, the default handling of connections on Linux is enough but having ufw can't hurt. Certain developer or server software may not work unless you add UFW exceptions for them. They don't know how to do this on their own.

By default, without a firewall, any program can communicate through any port it wants as long as it can bind that port. Ports that are special or low-numbered (e.g. TCP port 21 is reserved for FTP) require root to be bound. Otherwise, a program can bind any port that isn't already in use by something else. All incoming connections to a port that isn't bound will be refused and the information discarded.

Edit: Your router also usually has a firewall that is strong enough for most everyday purposes.

[-] GustavoM@lemmy.world -3 points 1 year ago

"That guy" here. I don't go "further" than setting everything up with firejail and then creating a mavclan port/connection pointing my main ip through it and then removing whatever is in my eth0 port/connection. All that with netctl.

"Does it work"? Well, whoever tries to scan my ip for open ports with nmap gets a nice and sweet "All ports are closed" message back. So eh... I'll be fine. :^)

this post was submitted on 29 Sep 2023
39 points (100.0% liked)

Linux

48335 readers
453 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS