I’ve been running my server without a firewall for quite some time now, I have a piped instance and snikket running on it. I’ve been meaning to get UFW on it but I’ve been too lazy to do so. Is it a necessary thing that I need to have or it’s a huge security vulnerability? I can only SSH my server from only my local network and must use a VPN if I wanna SSH in outside so I’d say my server’s pretty secure but not the furthest I could take it. Opinions please?
You must log in or register to comment.
Disclaimer, I’m not a network professional im only learning. But you dont need ufw since your router firewall should be able to filter majority of the traffic. But in security there is a concept of layers. You want your router firewall then your device firewall to provide multiple layers incase something slips through one layer.
So to give a simple answer, it depends how secure you want your network to be. Personally I think UFW is easy so you may as well set it up. 5sec of config might stop a hacker traversing your network hoping from device to device.
This is the best answer. Your router protects you from the outside, but a local firewall can protect you from someone prodding your lan from a hacked camera or some other IoT device. By having a firewall locally you just minimize the attack surface further.
it depends how secure you want your network to be. Personally I think UFW is easy so you may as well set it up
IMO this attitude is problematic. It encourages people (especially newbies) to think they can’t trust anything, that software is by nature unreliable. I was one of those people once.
Personally, now I understand better how these things work, there’s no way I’m wasting my time putting up multiple firewalls. The router already has a firewall. Next.
PS: Sure, people don’t like this take - you can never have enough security, right? But take account of who you’re talking to - OP didn’t understand that their server is not even on the public internet. That fact makes all the difference here.
I like to run ufw on all my machines but I’m also a tinfoil-hat wearing wacko who believes that no computer should ever really be trusted. Just trusted enough to do specific tasks.
If someone somehow busts into one of my VLANs, at least the other machines on that net will still have some sort of protection.
IMHO, security measures are necessary. I have a tendency to go a bit heavy on security because I really hate having to mop up after a breach. So the more layers I have, the better I feel. Most of the breaches I’ve experienced were not some dude in a smokey, dimly lit room, wearing a hoody, and clacking away at a keyboard, while confidently announcing ‘I’m In!’ or ‘Enhance!’. Most are bots by the thousands. The bots are pretty sophisticated now days. They can scan vulnerabilities, attack surfaces, et al. They have an affinity for xmrig too, tho those are easy to spot when your server pegs all resources.
So, for the couple days investment of implementing a good, layered security defense, and then the time it takes to monitor such defenses, is worth it to me, and lets me sleep better. To each their own. Not only are breaches a pain in the ass, they have serious ramifications and can have legal consequences such as in a case where your server became a hapless zombie and was orchestrated to attack other servers. So, even on the selfhosted side of things, security measures are required, I would think.
It takes about 5 minutes to set up UFW which would be the absolute minimum, I would think.
If it is just you on your server and the only access from outside your network is SSHing in front the VPN? You’re good. Especially if it’s just you on your network/VPN.
If there are services that others utilize, you need a firewall. Can’t trust other people’s devices to not drag in malware.
In your case: no need for a fw if you can trust your local network.
Generally: services can have bugs - reverse proxy them. Not everybody needs to access the service - limit access with a firewall. Limit brute-force/ word-list attempts - MFA / fail2ban.
Is it directly exposed over the Internet? If you only port forward the VPN on your router, I wouldn’t worry about it unless you’re worried about someone else already on your LAN.
And even then, it’s really more like an extra layer of security against accidentally running something exposed publicly that you didn’t intend to, or maybe you want some services to only be accessible via a particular private interface. You don’t need a firewall if you have nothing to filter in the first place.
A machine without a firewall that doesn’t have any open port behave practically the same from a security standpoint: nothing’s gonna happen. The only difference is the port showing as closed vs filtered in nmap, and the server refusing to send any response not even a rejection, but that’s it.
No
If it’s just one server you probably already use a firewall on the server.
That depends. If you have exposed services, you could use some features of the firewall to geoip restrict incoming requests to prevent spam from China and Russia and whatnot.
If you don’t have any services running on a publicly accessible port, then what would the firewall protect?
I can recommend cockpit for managing the firewall
You have a firewall. It’s in your router, and it is what makes it so that you have to VPN into the server. Otherwise the server would be accessible. NAT is, effectively, a firewall.
Should you add another layer, perhaps an IPS or deny-listing? Maybe it’s a good idea.
Op means, as they said, a firewall on the server itself.
NAT is, effectively, a firewall.
No it isn’t. Stop giving advice on edge security.
Are you saying that NAT isn’t effectively a firewall or that a NAT firewall isn’t effectively a firewall?
NAT simply maps IPS across subnet boundaries in such a way that upstream routing tables don’t need updating.
If you use destination NAT forward rules to facilitate specific destination port access, you are using a firewall.
What sort of isp supplied residential equipment doesn’t block inbound connections? Pedantically, you’re correct.
Assuming it’s not a 1-1 NAT it does make for a functional unidirectional firewall. Now, a pure router in the sense of simply offering a gateway to another subnet doesn’t do much, but the typical home router as most people think of it is creating a snat for multiple devices to reach out to the internet and without port forwarding effectively blocks off traffic from the outside in.
Assuming it’s not a 1-1 NAT it does make for a functional unidirectional firewall.
That’s like saying a router and firewall are the same thing. NAT appears to be a “firewall” because it’s usually deployed with one. NAT itself has no filtering functions the way you’re describing.
Now, a pure router in the sense of simply offering a gateway to another subnet
A “pure” router, as you put it, understands upstream subnets and routing tables. NAT does not, and is usually overlayed on top of an existing routing function.
You can set up NAT between two subnets as an experiment with no iptables and it will do its job.
In practice a stateful NAT is the same as a stateful Firewall. I’ve never heard of a NAT that isn’t a Firewall. A port forward is the same as a Firewall allow rule.
What you might call a stateful NAT is really a 1-1 NAT, anything going out picks up an IP and anything retuned to that IP is routed back to the single address behind the NAT. Most home users a many to one source nat so their internal devices pick up a routable IP and multiple connections to a given dest are tracked by a source port map to route return traffic to the appropriate internal host.
Basically yes to what you said, but a port forward technically is a route map inbound to a mapped IP. You could have an ACL or firewall rule to control access to the NAT but in itself the forward isn’t a true firewall allow.
Same basic result but if you trace a packet into a router without a port forward it’ll be dropped before egress rather than being truly blocked. I think where some of the contention lies is that routing between private nets you have something like:
0.0.0.0/0 > 192.168.1.1 10.0.0.0/8 > 192.168.2.1
The more specific route would send everything for 10.x to the .2 route and it would be relayed as the routing tables dictate from that device. So a NAT in that case isn’t a filter.
From a routable address to non-route 1918 address as most would have from outside in though you can’t make that jump without a map (forward) into the local subnet.
So maybe more appropriate to say a NAT ‘can’ act as a firewall, but only by virtue of losing the route rather than blocking it.
NAT in the sense used when people talk about at home is a source nat, or as we like to call it in the office space a hide address, everyone going to the adjacent net appears to be the same source IP and the system maintains a table of connections to correlate return traffic to.
The other direction though, if you where on that upstream net and tried to target traffic towards the SNAT address above the router has no idea where to send it to unless there’s a map to designate where incoming connections need to be sent on the other side of the NAT so it ends up being dropped. I suppose in theory it could try and send it to everyone in the local side net, but if you get multiple responses everything is going to get hosed up.
So from the perspective of session state initiation it can act as a firewall since without route maps it only will work from one side.
How is NAT not a firewall? Sure theoretically it isn’t but I’ve yet to see a implementation of NAT that doesn’t act as a Firewall
Because NAT acts as a firewall with a “default deny” policy for incoming packets, but no other rules. You cannot prevent a device on the private subnet side of a NAT from attempting to communicate with an “outside” ip with nat alone, nat doesnt understand the concepts of accept/deny/drop.
All nat does is rewrite address headers.
The machines behind a NAT box are not directly addressable because they have private IP addresses. Machines out on the general Internet cannot send IP packets to them directly. Instead, any packets will be sent to the address of the NAT box, and the NAT box looks at its records to see which outgoing packet an incoming packet is in reply to, to decide which internal address the packet should be forwarded to. If the packet is not in reply to an outgoing packet, there’s no matching record, and the NAT box discards the packet.
It’s a confused topic because for a lot of people, nat does essentially everything they want. As soon as you get into more complex networking where a routing table needs to be updated, or bidirectional fw rules, it becomes apparent why routing + fw + nat is the most common combo.
Just make sure you’re using public key authentication and you’re good
I’ll ask this question.
would you fuck without a condom at a hundred man orgy?
@GreenKnight23 @theselfhoster Yes. I wouldn’t even question it.
