Why your computer needs a firewall enabled

Why is it even necessary to convince anybody that they need a firewall enabled on their Internet-facing computer – desktop or server? You would think that the role of a firewall should be obvious to any computer user. However, some of the comments that I have come across on this subject tell me that is not necessarily true.

Take for example this comment on the Chakra forum:

I’m also against firewall (how many people surf with a usb modem on linux, or disable router firewall??), but MAC to me is lame. What kind of porn site or what kind of script you should visit/run to get malware on linux? and since perhaps three guys in a thousand usually download and run script without reading it, should I have my computer bloated with these pieces of software? Seriously: how many time you ran amarok, or vlc and find an exploit blowing up your pc?

Or these from PCLinuxOS fanboys:

Just about all distros include a firewall but it is disabled by default. I don’t believe in the “one firewall configuration fits all” theory. My needs are different from yours. Include a firewall, place an icon somewhere easy to spot and let us do the rest.

The firewall was originally turned on, but the majority of users complained about it so the developers turned it off. Personally this should be left to each and every user to decide if they want it or not.

They prefer the Firewall icon on the desktop so they can configure it themselves based on their own personal needs.

What those comments reveal is that many in our community do not understand the basics of network security. I hope this short article will shed some light on the topic.

Related Post:  Install Ubuntu 11.10 on external hard drive, with an ntfs partition at the end

Central to this discussion is a fundamental understanding of the role a firewall plays in the overall security posture of a computer or computer system. In simple terms, a firewall protects a computer from network attacks. And there are host-based and network firewalls. A host-based firewall is the one running on and protecting a single device. That would be the one running on your personal computer, whether it be running a Linux, BSD or any other operating system.

On the other hand, a network firewall is the one running on a device on the edge or perimeter of a network. That device could be a router, switch or VPN device. Your cable, DSL or Fiber Optics router falls in this category. The mistake that most people make is in thinking that if they have a firewall on the edge device, then none is needed on the personal computer sitting behind it. Very bad thinking.

In a computer network, one open to access from the outside, best security practice calls for each node in the network to have a security posture of its own, one that works in concert with the perimeter firewall (and also with other security measures). The professional jargon for this practice is Security in-Depth. It is a layered approach to securing a network and this approach is not unique to the computing world. You can observe it anywhere you look. For example, assume that you live in a walled compound, do you leave your doors and windows unlocked simply because you have a fence around your home? Of course not. Or do you leave your car unlocked just because it is parked inside? Most likely not. The reasons are obvious.

Related Post:  How does your encrypted Linux system respond to the Cryptsetup bug?

The same thinking and principle should apply to your local network. Aside from a perimeter firewall, the one running on the device on the edge of your network, there should also be a host-based firewall, one running on your desktop, server, notebook or netbook computer. This layered approach ensures that if there is a breach in your perimeter defense, if somebody jumps the fence, that your computers are not left wide open to the intruder(s).

So, just because your computer is sitting behind a cable, DSL or fiber optics router with a firewall enabled does not negate the need for a host-based firewall. Security in-depth.

The best firewalls are capable of Stateful Inspection (or Stateful Packet Filtering), which dictates that all outbound connections are allowed, while all inbound connections that are not related to an outbound connection are blocked. That is, an inbound connecting that does not have a related entry in the state table is not allowed.

Some of the better Linux distributions, like Fedora, have a firewall enabled out of the box. That is the way it should be. And that is why I always comment on the security posture of any distribution reviewed on this website. It is that important. The Linux kernel has a firewall built-in (true also for the BSDs), and there are several graphical management interfaces for managing it. The least we expect from distro developers is to have it enabled out of the box.


Share on facebook
Share on twitter
Share on pinterest
Share on linkedin

Hola! Did you notice that LinuxBSDos.com no longer run network ads?  Yep, no more ads from the usual suspects that track and annoy you across the Internet. But since I still need to pay to keep the site running, feel free to make a small donation by PayPal or your favorite cryptocurrency.

  • Bitcoin
  • Ethereum
  • Xrp
  • Bitcoin cash
  • Bitcoin sv
  • Litecoin
  • Binance coin
  • Cardano
  • Ethereum classic
Scan to Donate Bitcoin to bc1qzvlte2m224zkayhdc7fdfjkp2rsgt0l5a496ua

Donate Bitcoin to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin

Scan to Donate Ethereum to 0x0F4362DFF77F3Ba0Dc637F5f3Eba35D09a2fA60C

Donate Ethereum to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum

Scan to Donate Xrp to r4ggjvL36njsMCYTkJ3S7cTHscPsMsSGQv

Donate Xrp to this address

Scan the QR code or copy the address below into your wallet to send some Xrp

Scan to Donate Bitcoin cash to qrs0dedzp9t55af3nfwypydghp29r0xguy9s20fz2k

Donate Bitcoin cash to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin cash

Scan to Donate Bitcoin sv to 15K9TLyVDBtLuG9cYvXCX9SSkq9C9oUKHK

Donate Bitcoin sv to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin sv

Scan to Donate Litecoin to LetJ9QQMb7u2LMZ9Tu6rtHwcBcQFW98fbG

Donate Litecoin to this address

Scan the QR code or copy the address below into your wallet to send some Litecoin

Scan to Donate Binance coin to bnb1ga8trq08ssqepd90v6225nzfgy448pu5pw8gxp

Donate Binance coin to this address

Scan the QR code or copy the address below into your wallet to send some Binance coin

Scan to Donate Cardano to addr1qx2354yw49etstfljpdhwja3ajjlt487lg95vu9ngy2q6vu4rf2ga2tjhqknlyzmwa9mrm997h20a7stgectxsg5p5esq5l7d9

Donate Cardano to this address

Scan the QR code or copy the address below into your wallet to send some Cardano

Scan to Donate Ethereum classic to 0xcD6CC972a2297FcafACDcfE042C55C69516a9264

Donate Ethereum classic to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum classic

Subscribe for updates. Trust me, no spam!

Sponsored links

1. Attend Algorithm Conference, a top AI and ML event.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
4. Axo Finans.

Upcoming events

34 Responses

  1. Not everyone is behind a network firewall, and not everyone knows what a firewall is. You may think these people should not be using computers, but they are and will be. They should have some protection until they learn enough to do it themselves.

    You can’t just think about yourself, you have to think about the computing public in general. Originally the windows firewall was off by default. When MS turned it on by default, infection rates went way down.

    I agree that every user’s needs are different. So if the default firewall doesn’t work for you, change it.

  2. This article is far from convincing. It makes sense to have several layers of security if you want to be absolutely certain nothing can come in, but what are the odds that something will breach into your network past a router that drops or denies every inbound connection attempt?

    Also if your computer isn’t running any server (not listening on any port), what could happen?

    In fact, that actually makes your two layers of security… (I guess Windows and Ubuntu probably have servers running most users aren’t aware of though…?)

    That leaves potential exploits but if iptables can be abused on my router then I guess it can be on my PC as well… Not to mention that I’m not running a secret defense project deserving that much attention, and spammers can attack Windows computer users with stupid HTML emails and smiley packs more easily than by hacking into peoples’ routers and Linux computers…

    That’s what I think anyway.

  3. I disagree with the notion that you need a firewall on the router AND on the computer because this somehow makes things more secure. By that thinking, it would be even better to run two or three firewalls on the system, wouldn’t it?

  4. I agree with having in-depth security. On the perimeter however, there is one case (at least) where all outbound connections should not be allowed. A good deal of spam originates from malware on a hosts that are not mail servers. It’s a simple matter to block all outbound smtp traffic that does not originate from a mail server (some ISPs presently do this on non-business customers). This not only helps to reduce spam (on the sending end, not incoming spam), it also helps to protect the edge IP address(es) from becoming blacklisted. Generally speaking, a good practice that network admins should follow (imo).

  5. I disagree. I see far more value in educating the wetware in best practices. I can’t tell you how many times I’ve reinstalled a windows machine that had current AV and a firewall running… you can’t protect against stupid with software, unfortunately.

    In contrast, I had a win98 machine, not SE, the original win98, installed “out of the box” from the OEM, with no antivirus or anti malware software on it. I also never updated it.

    But the children who used it knew the rules: no downloading, don’t go where you know you’re not supposed to be etc etc… it ran like new until the day the hardware finally died.

    The only protection it had, other than educated users, was that it was behind a smoothwall firewall on the perimeter.

    If I take any equipment outside a perimeter firewall, then absolutely, iptables goes up. But unless a particular user or set of users has proved themselves incapable of avoiding the social engineering, I usually leave firewalls off. Haven’t been stung by the practice, though admittedly I add “yet.” =)

    These days “noscript” (firefox) is more valuable than a simple incoming-blocking firewall…

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the latest

On social media
Via my newsletter

Partner links

1. Attend Algorithm Conference, a top AI and ML event for 2021.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
4. Axo Finans.
Hacking, pentesting distributions

Linux Distributions for Hacking

Experts use these Linux distributions for hacking, digital forensics, and pentesting.


The authors of these books are confirmed to speak during

Algorithm Conference

T-minus AI

Author was the first chairperson of AI for the U.S. Air Force.

The case for killer robots

Author is the Director of the Center for Natural and Artificial Intelligence.

Why greatness cannot be planned

Author works on AI safety as a Senior Research Scientist at Uber AI Labs.