Why is it even necessary to convince anybody that they need a firewall enabled on their Internet-facing computer – desktop or server? You would think that the role of a firewall should be obvious to any computer user. However, some of the comments that I have come across on this subject tell me that is not necessarily true.
Take for example this comment on the Chakra forum:
I’m also against firewall (how many people surf with a usb modem on linux, or disable router firewall??), but MAC to me is lame. What kind of porn site or what kind of script you should visit/run to get malware on linux? and since perhaps three guys in a thousand usually download and run script without reading it, should I have my computer bloated with these pieces of software? Seriously: how many time you ran amarok, or vlc and find an exploit blowing up your pc?
Or these from PCLinuxOS fanboys:
Just about all distros include a firewall but it is disabled by default. I don’t believe in the “one firewall configuration fits all” theory. My needs are different from yours. Include a firewall, place an icon somewhere easy to spot and let us do the rest.
The firewall was originally turned on, but the majority of users complained about it so the developers turned it off. Personally this should be left to each and every user to decide if they want it or not.
They prefer the Firewall icon on the desktop so they can configure it themselves based on their own personal needs.
What those comments reveal is that many in our community do not understand the basics of network security. I hope this short article will shed some light on the topic.
Central to this discussion is a fundamental understanding of the role a firewall plays in the overall security posture of a computer or computer system. In simple terms, a firewall protects a computer from network attacks. And there are host-based and network firewalls. A host-based firewall is the one running on and protecting a single device. That would be the one running on your personal computer, whether it be running a Linux, BSD or any other operating system.
On the other hand, a network firewall is the one running on a device on the edge or perimeter of a network. That device could be a router, switch or VPN device. Your cable, DSL or Fiber Optics router falls in this category. The mistake that most people make is in thinking that if they have a firewall on the edge device, then none is needed on the personal computer sitting behind it. Very bad thinking.
In a computer network, one open to access from the outside, best security practice calls for each node in the network to have a security posture of its own, one that works in concert with the perimeter firewall (and also with other security measures). The professional jargon for this practice is Security in-Depth. It is a layered approach to securing a network and this approach is not unique to the computing world. You can observe it anywhere you look. For example, assume that you live in a walled compound, do you leave your doors and windows unlocked simply because you have a fence around your home? Of course not. Or do you leave your car unlocked just because it is parked inside? Most likely not. The reasons are obvious.
The same thinking and principle should apply to your local network. Aside from a perimeter firewall, the one running on the device on the edge of your network, there should also be a host-based firewall, one running on your desktop, server, notebook or netbook computer. This layered approach ensures that if there is a breach in your perimeter defense, if somebody jumps the fence, that your computers are not left wide open to the intruder(s).
So, just because your computer is sitting behind a cable, DSL or fiber optics router with a firewall enabled does not negate the need for a host-based firewall. Security in-depth.
The best firewalls are capable of Stateful Inspection (or Stateful Packet Filtering), which dictates that all outbound connections are allowed, while all inbound connections that are not related to an outbound connection are blocked. That is, an inbound connecting that does not have a related entry in the state table is not allowed.
Some of the better Linux distributions, like Fedora, have a firewall enabled out of the box. That is the way it should be. And that is why I always comment on the security posture of any distribution reviewed on this website. It is that important. The Linux kernel has a firewall built-in (true also for the BSDs), and there are several graphical management interfaces for managing it. The least we expect from distro developers is to have it enabled out of the box.