Hey there folks,

I’m trying to figure out how to configure my UFW, and I’m just not sure where to start. What can I do to see the intetnet traffic from individual apps so I can know what I might want to block? This is just my personal computer and I’m a total newbie to configuring firewalls so I’m just not sure how to go about it. Most online guides seem to assume one already knows what they want to block but I don’t even know how/where to monitor local traffic to figure out what I can/should consider blocking.

  • @[email protected]
    link
    fedilink
    English
    773 months ago

    You’ve got it backwards. A firewall blocks everything, then you open up the ports you want to use. A standard config would allow everything going out, and block everything coming in (unless you initiated that connection, then it is allowed).

    So the question you should be asking, is what services do you think you’re going to be running on your desktop that you plan to allow anyone on the internet to get to?

    • ffhein
      link
      123 months ago

      Not entirely clear but perhaps OP is talking about blocking unwanted outgoing reqjests? E.g. anti-features and such since they mention traffic from their apps.

      • @[email protected]
        link
        fedilink
        English
        33 months ago

        Possibly? The way I read it, it sounded like OP wasn’t really even sure what a firewall does.

      • @[email protected]
        link
        fedilink
        English
        03 months ago

        Sure it CAN be configured, but the typical policy of firewalls is to start from a position of blocking everything. From what I’ve seen, on Linux the standard starting point is blocking all incoming and allowing all outgoing. On Windows the default seems to be blocking everything in both directions. Sure you could start with a policy of allowing everything and block only selected ports, but what good is that when you can’t predict what ports an attacker might come from?

        • Wingless
          link
          fedilink
          13 months ago

          @Shdwdrgn on Linux, the firewall with zero custom rules always allowed everything. did that change in very recent kernels? if that’s the case, I’d expect a lot of lost acces to remote servers

          • @[email protected]
            link
            fedilink
            English
            13 months ago

            Most of my experience is with iptables, but yeah, I think until you start adding rules nothing is implicitly denied? Once you enable a couple of initial rules then you should have good blocking from the outside while allowing internal traffic to connect freely. It doesn’t get in your way until you start using it, but then it doesn’t take much to get it going.

    • Possibly linux
      link
      fedilink
      English
      -53 months ago

      Please stop giving bad advise. The local firewall is not the same as the public firewall and nat on the router. Your comment is incredibly misleading. You can have no Firewall and the services will not be available publicly

      • @[email protected]
        link
        fedilink
        English
        33 months ago

        What are you talking about? You’re assuming that every residential router is going to have some kind of firewall enabled by default (they don’t). Sure, if OP has a router that provides a basic firewall type service then it will likely block all incoming unauthorized traffic. However OP is specifically talking about a linux-based firewall and hasn’t specified if they have a router-based firewall service in place as well so we can only provide info on the firewall they specified. And if you look at UFW, the default configuration is to allow outgoing traffic and block all but a very few defined incoming ports.

        You’re also making the assumption that OP is using NAT, when that is not always the case for all ISPs. Some are really annoying with their setup in that they give a routable IP to the first computer that connects and don’t allow any other connections (I had that setup once with Comcast). In this case, you wouldn’t even need to define port-forwarding to get directly to OP’s computer – and any services they might be running. This particular scenario is especially dangerous for home computers and I really hope no legitimate ISP is still following a practice like this, however I don’t take anything for granted.

        Regardless of what other equipment OP has, UFW is going to provide FAR better defaults and configurability when compared to a residential router that is simply set up to create the fewest support calls to their ISP.

        • Possibly linux
          link
          fedilink
          English
          -23 months ago

          You know enough to be dangerous…

          Why would an ISP assign a public IP to a users device? That wouldn’t make any sense. IPs are rare and expensive so that wouldn’t waste it on you. Each customer gets one IP and that is shared for all devices via NAT.

          What your describing doesn’t make any sense

          • @[email protected]
            link
            fedilink
            English
            13 months ago

            You’re right, it doesn’t make any sense. And it didn’t make any sense at the time either. After setting up the router with a laptop, I moved the connection to the firewall but it refused to connect. When I finally got ahold of tech support they said the connection locks into the first machine that logs in and they had to release it so I could connect the new machine. And just like that the firewall was given a routable IP address and connected to the internet. Stupidest thing I ever heard of, but that’s how they were set up. Now this was around 15+ years ago and I would certainly hope nobody is doing that crap today, but apparently that was their brilliant method of limiting how many devices could get online at once.

            • Possibly linux
              link
              fedilink
              English
              03 months ago

              So some obscure thing you experienced 10 years ago is now the standard? I have been doing this a while and what you are describing is Franky crazy and I’ve never scene it outside of some business plans with bring your own device.

              • @[email protected]
                link
                fedilink
                English
                13 months ago

                Who said anything about it being standard? I said I know this CAN happen, and I said it was quite some time ago. We can only hope this insanity isn’t still in practice anywhere, but I learned long ago that expecting a corporation to NOT do foolish things will give me the same disappointing results as expecting money to come out of my ass. If there’s a manager involved, then something on the tech side is going to get fucked up in the name of saving a buck. Therefore I cannot just assume OP gets a normal NAT address, nor can I assume they have any other firewall type device between them and the internet. With limited data, the best I can do is try and provide some general information, hopefully encourage them to ask more questions or provide more specific information, and just hope they don’t have a ridiculously stupid ISP that makes things needlessly complicated.