Hey there folks,
I’m trying to figure out how to configure my UFW, and I’m just not sure where to start. What can I do to see the intetnet traffic from individual apps so I can know what I might want to block? This is just my personal computer and I’m a total newbie to configuring firewalls so I’m just not sure how to go about it. Most online guides seem to assume one already knows what they want to block but I don’t even know how/where to monitor local traffic to figure out what I can/should consider blocking.
In a nutshell,
-
Use wireshark
-
See if theres any weird connections going on (i.e you visit pancakes.com and wireshark shows unrelatedsite.com making a request as well)
-
Block unrelatedsite.com
“What about firewalls?”
Block from ports 1000 'till the very end (65565 if I’m not mistaken.) – that is your “bread and butter” approach.
“W-what if I’m using a port past 1000?”
Nah, you (very likely) aren’t and never will.
This is not great advise to say the least. You want to block all incoming but allow all outgoing.
Also visiting a https site will not magically ports. It uses 443/tcp and if you are using a site with WebRTC (used for calls on platforms like teams) ports 443/UDP and 50000-65535/UDP. However, there is no reason you need to know that unless you are in a professional field
You shouldn’t be touching it, honestly. There’s a firewall at your router. It should be responsible for blocking incoming traffic. Firewalls on individual machines are for servers where you know exactly what’s going in and out. I don’t have a firewall on my desktop or laptop.
You will spend the best years of your life chasing random network connections if you block everything by default.
I don’t have a firewall on my desktop or laptop
you are brave to use your laptop that way. or is it used as a stationary device?
but yes it is useful at home if you live with people who you don’t trust to be managing their computer safely
you are brave to use your laptop that way
why? I don’t connect it to untrusted networks
run sudo ss -tulpn
, and have a look at the processes and their privileges listening for incoming connections. If one of them has a vulnerability, through which a third party can make that software do things it was not intended for… that’s pretty bad.
This can most easily happen with software whose developers are underresouced/careless/stubborn.
A recent case of that happening: https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
Tl;Dr, remote code execution vulnerability in software that most often runs as root, automatically.
You don’t need a firewall on a typical desktop computer. You only need them on routers and servers.
That is because your personal computer is not actually on the internet. It is on a local network (LAN) and it talks only to your router. The router is the computer connected to the internet, and it has a firewall.
The question highlights a classic misunderstanding about networking that IMO should be better addressed. I was like OP once, and panicking about this pointlessly.
Addendum: You’re all replying to OP as if they’re a sysadmin managing a public-facing server. But OP says clearly that they’re just a beginner on a PC - which will almost certainly be firewalled by their router. We should be encouraging and educating people like this, not terrorizing them about all the risks they’re taking.
I think you need a bit of Swiss cheese in your security philosophy. Relying only on your router’s firewall is a single point of failure. If it fails you are screwed. Relying on multiple layers means if one layer fails, another one might save you.
Well, screwed I will be, then. I’m not going to waste my life babysitting a bespoke firewall on my Ubuntu Desktop.
And it seems like a bad idea to be telling beginners on Ubuntu or Mint whatever that their “security philosophy is flawed” and they must imperatively run these 10 lines of mysterious code or else bad things will happen.
This whole discussion looks like a misunderstanding. OP is not a sysadmin on public-facing server. They are a beginner on a laptop at home.
I mostly agree with you, but given it’s a laptop that may not always be at home. It is wise to consider enabling the firewall when connecting to other untrusted networks like Starbucks
Unless your ISP provides IPv6 connectivity, which gives every endpoint a globally-routable address. Firewalling at the router only works because of NAT.
That’s why I wrote typical. The question was from a beginner, not a networking expert.
UFW
This is just my personal computer and I’m a newbie to configure firewalls
Leave it alone.
If you want to experiment, set up a VM and experiment there.
Also, if you want to learn about Linux firewalls, go for iptables instead. UFW is easier, yes, but you won’t get the standard way of configuring a Linux firewall, though to be honest, unless you are directly connecting the computer to the internet, you probably won’t need to bother.
And if you are working in an environment where you are dealing with a segmented network with limited access between segments, they will probably already use a separate firewall that is easier to manage centrally than induvidual firewalls running on individual computers
I think it’s fine to start with UFW on a desktop system at home to learn the very basics and get an idea on what ports you actually need. learning iptables/nftables is useful, but not necessary for a simple user at that level
Eh, I get what you mean but I disagree.
That is sort of saying that if someone want to learn Swedish, but since they don’t know any Swedish, it is better to start them on Norweigan first.
If UFW had used a similar syntax to that of iptables, then it would be a decent way of doing it, but in this example I disagree with you
That is sort of saying that if someone want to learn Swedish, but since they don’t know any Swedish, it is better to start them on Norweigan first.
nobody wants to learn Swedish here. they want to be understood in a community that knows both Swedish and Norwegian, and if Norwegian is easier, they can learn just that
If UFW had used a similar syntax to that of iptables, then
then it wouldn’t be Uncomplicated anymore
You’ve got it backwards. A firewall blocks everything, then you open up the ports you want to use. A standard config would allow everything going out, and block everything coming in (unless you initiated that connection, then it is allowed).
So the question you should be asking, is what services do you think you’re going to be running on your desktop that you plan to allow anyone on the internet to get to?
@Shdwdrgn @Cornflake_Dog false. a firewall can indeed have a default block everything policy, but this is still a configurable option
Sure it CAN be configured, but the typical policy of firewalls is to start from a position of blocking everything. From what I’ve seen, on Linux the standard starting point is blocking all incoming and allowing all outgoing. On Windows the default seems to be blocking everything in both directions. Sure you could start with a policy of allowing everything and block only selected ports, but what good is that when you can’t predict what ports an attacker might come from?
@Shdwdrgn on Linux, the firewall with zero custom rules always allowed everything. did that change in very recent kernels? if that’s the case, I’d expect a lot of lost acces to remote servers
Please stop giving bad advise. The local firewall is not the same as the public firewall and nat on the router. Your comment is incredibly misleading. You can have no Firewall and the services will not be available publicly
What are you talking about? You’re assuming that every residential router is going to have some kind of firewall enabled by default (they don’t). Sure, if OP has a router that provides a basic firewall type service then it will likely block all incoming unauthorized traffic. However OP is specifically talking about a linux-based firewall and hasn’t specified if they have a router-based firewall service in place as well so we can only provide info on the firewall they specified. And if you look at UFW, the default configuration is to allow outgoing traffic and block all but a very few defined incoming ports.
You’re also making the assumption that OP is using NAT, when that is not always the case for all ISPs. Some are really annoying with their setup in that they give a routable IP to the first computer that connects and don’t allow any other connections (I had that setup once with Comcast). In this case, you wouldn’t even need to define port-forwarding to get directly to OP’s computer – and any services they might be running. This particular scenario is especially dangerous for home computers and I really hope no legitimate ISP is still following a practice like this, however I don’t take anything for granted.
Regardless of what other equipment OP has, UFW is going to provide FAR better defaults and configurability when compared to a residential router that is simply set up to create the fewest support calls to their ISP.
You know enough to be dangerous…
Why would an ISP assign a public IP to a users device? That wouldn’t make any sense. IPs are rare and expensive so that wouldn’t waste it on you. Each customer gets one IP and that is shared for all devices via NAT.
What your describing doesn’t make any sense
I fail to see why this is bad advice. Sure you could just disable the firewall on your computer on a local network. But that’s under the assumption that you can trust everything on your local network. What if it’s a laptop? Do you also trust any public networks you may connect to on the go? Having firewall both on the router and on your computer provides an additional layer of security, and I think that’s good advice in general. You can for example set it up to only allow incoming connections when connected to your home network for example.
There is a difference between good practice and fear mongering. You aren’t going to lose it all because you didn’t turn on the Firewall.
Not entirely clear but perhaps OP is talking about blocking unwanted outgoing reqjests? E.g. anti-features and such since they mention traffic from their apps.