Linux Format|March 2020

Protect yourself from whatever is the packet-based   equivalent of fire with Jonni Bidwell’s firewall primer.
Jonni Bidwell

The phrase “Linux doesn’t need a firewall” is commonly voiced. And it’s true, in the sense that your desktop distribution will work just fine without one. The same is true for Windows, up to a point, yet it still ships with one enabled by default. And any hardened user of the Redmond-ian OS would frown at you if you turned it off without good reason. Why? Because it takes away a layer of security that probably wasn’t doing any harm in the first place.

The main difference, and the reason Linux  users get away with no firewall, is that a  standard desktop install isn’t running many  services. So even if someone you didn’t trust  could contact your machine, there are no  listening ports to connect to. On Windows, a  standard install will have at least file and  printer-sharing (SMB, NetBIOS) services listening, and probably much more. There’s  nothing inherently wrong with this – those  services are firewalled after all – but even if  they weren’t, many of them (by default) are  only listening on the LAN, or even the local  loopback address. However, if something  went wrong and for some reason the filesharing service started listening on the (all interfaces) address, without a  firewall we’d be living dangerously. Not only  could attackers see our shares, but they  could leverage an exploit against the service.

Here we’ll discuss the ins and outs of  filtering packets with iptables, nftables and  the simpler ufw. We’ll dispel myths about the  protections offered by home routers, and  we’ll show you how to set up a simple firewall  that doesn’t get in your way, doesn’t require  any command-line jargon and will make your  Linux install just that little bit safer.

On Linux we can display current connection information using the ss command, which replaces the old netstat command. This new command can tell you all kinds of things about ports, processes and sockets, and we’d encourage you to read the man pages to learn more. For now, to just see which TCP ports and UDP ports are listening, do:$ ss -tulp On a clean(ish) Ubuntu 18.04 install this returned:

(some rows and columns and things relating to IPv6 have been dropped for brevity and Effy’s sanity).

If you run this with sudo, you’ll also see an additional column detailing the actual process that’s listening. But there’s no way this would fit in this column, so take our word for it that these open ports concern systemd’s DNS resolver, NetworkManager, the CUPS print service, and Avahi (a network discovery protocol). We’ll also say that there’s nothing wrong with these services being as they are.


You can read up to 3 premium stories before you subscribe to Magzter GOLD

Log in, if you are already a subscriber


Get unlimited access to thousands of curated premium stories and 5,000+ magazines


March 2020