Linux Format|March 2020
The phrase “Linux doesn’t need a firewall” is commonly voiced. And it’s true, in the sense that your desktop distribution will work just fine without one. The same is true for Windows, up to a point, yet it still ships with one enabled by default. And any hardened user of the Redmond-ian OS would frown at you if you turned it off without good reason. Why? Because it takes away a layer of security that probably wasn’t doing any harm in the first place.
The main difference, and the reason Linux users get away with no firewall, is that a standard desktop install isn’t running many services. So even if someone you didn’t trust could contact your machine, there are no listening ports to connect to. On Windows, a standard install will have at least file and printer-sharing (SMB, NetBIOS) services listening, and probably much more. There’s nothing inherently wrong with this – those services are firewalled after all – but even if they weren’t, many of them (by default) are only listening on the LAN, or even the local loopback address. However, if something went wrong and for some reason the filesharing service started listening on the 0.0.0.0 (all interfaces) address, without a firewall we’d be living dangerously. Not only could attackers see our shares, but they could leverage an exploit against the service.
Here we’ll discuss the ins and outs of filtering packets with iptables, nftables and the simpler ufw. We’ll dispel myths about the protections offered by home routers, and we’ll show you how to set up a simple firewall that doesn’t get in your way, doesn’t require any command-line jargon and will make your Linux install just that little bit safer.
On Linux we can display current connection information using the ss command, which replaces the old netstat command. This new command can tell you all kinds of things about ports, processes and sockets, and we’d encourage you to read the man pages to learn more. For now, to just see which TCP ports and UDP ports are listening, do:

$ ss -tulp

On a clean(ish) Ubuntu 18.04 install this returned:
(some rows and columns and things relating to IPv6 have been dropped for brevity and Effy’s sanity).
If you run this with sudo, you’ll also see an additional column detailing the actual process that’s listening. But there’s no way this would fit in this column, so take our word for it that these open ports concern systemd’s DNS resolver, NetworkManager, the CUPS print service, and Avahi (a network discovery protocol). We’ll also say that there’s nothing wrong with these services being as they are.
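As an added example that is not part of the Linux Format article, here is a small POSIX shell function that reads ss-style output and prints only the listeners bound to all interfaces (0.0.0.0, [::] or *), which is exactly the "living dangerously" case described earlier. The sample table is constructed to resemble what ss -tulp prints on an Ubuntu desktop; it is not a capture from a real machine, and the service names in it are illustrative.

```shell
#!/bin/sh
# Added example, not code from the article. Parses `ss -tulp`-style text and
# reports sockets whose local address is a wildcard bind. Such services are
# reachable from every interface, so they are the ones a firewall (or a
# tighter bind address) should be covering.

# Constructed sample of `ss -tulp` output (not a real capture). Field 5 is
# the local address:port column; the header is skipped when parsing.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:domain   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:bootpc         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:mdns           0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.53%lo:domain   0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:ipp          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:ssh            0.0.0.0:*'

# Print "netid local_address:port" for every listener bound to a wildcard
# address. Reads ss output on stdin. The port is stripped with a regex that
# removes the last ":xxx", so bracketed IPv6 addresses like [::]:ssh work too.
wildcard_listeners() {
    awk 'NR > 1 {
        addr = $5
        sub(/:[^:]*$/, "", addr)    # drop the trailing :port (or :*)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print $1, $5
    }'
}

# Stand-alone run over the constructed sample. On a live system you would
# instead pipe the real command: sudo ss -tulp | wildcard_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | wildcard_listeners
```

Run against a live box with `sudo ss -tulp | wildcard_listeners` (sudo adds the process column, which the filter ignores). Note that a hit is a prompt for judgement, not proof of a problem: in the sample, bootpc is the DHCP client and mdns is Avahi, both of which the article says are fine as they are; the sshd entry is the kind of all-interfaces listener you would want a firewall rule or a narrower ListenAddress in front of.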