Kalcifer

Kalcifer@sh.itjust.works
66 posts • 304 comments

All of this user’s content is licensed under CC BY 4.0.

True, I could for example switch on and off your smarthome lights or disable the alarm and burgle your home. Or print 500 pages.

How would the firewall on one device prevent other devices from abusing the rest of the network? Perhaps you misunderstood the original intent of my post. I certainly wouldn’t blame you if that is the case, though – when I made my post I was far too vague in my intent – perhaps I simply didn’t think through my question enough, but the more likely answer is that I simply wasn’t knowledgeable enough on the topic to accurately pose the question that I wanted to ask.

Common fallacy: “If A then B” doesn’t mean “If B then A”. Truth is, if you have a NAT, it does some of the jobs a firewall does. (Dropping incoming traffic.)

Fair point!

“You need it if you don’t trust the software running on your computer.” => True

For this, though, the only solution to it would be an application layer firewall like OpenSnitch, correct?

I think I was going for the firewall as a means of perimeter security.

Are you referring to the firewall on the router?

it’s fairly uncommon that people go wardriving

Interesting. I hadn’t heard of this.

That may be isolating the cheap Chinese consumer electronics with god knows which bugs and spying tech from the rest of the network.

As in blocking or restricting their communication with the rest of the lan in the router’s firewall, for example? Or, perhaps, putting them behind their own dedicated firewall (this is probably superfluous to the firewall in the router though).

But you might also be able to use a conventional firewall (or a VPN) to restrict access to that software to trusted users only

For clarity’s sake, would you be able to provide an example of how this could be implemented? It’s not immediately clear to me exactly what you are referring to when combining “user” with network related topics.

Enable access when you’re at your workplace but inhibit the Windows network share when you’re at the airport wifi.

How would something like this be normally accomplished? I know that Firewalld has the ability to select a zone based on the connection, but, if I understand correctly, I think this is decided by the Firewalld daemon, rather than the packet filtering firewall itself (e.g. nftables). I don’t think an application layer firewall would be able to differentiate networks, so I don’t think something like OpenSnitch would be able to control this, for example.

But an approach like this isn’t perfect by any means. The IoT devices can still mess with each other. Everything is a hassle to set up. And the WiFi is a single point of failure.

What would be a better alternative that you would suggest?

You can also set up a VPN that connects specifically you to your home-network or services. Your Nextcloud server can’t be reached or hacked from the internet, unless you also have the VPN credentials to connect to it in the first place.

The unfortunate thing about this – and I have encountered this personally – is that some networks may block VPN related traffic. You can take measures to attempt to obfuscate the VPN traffic from the network, but it is still a potential headache that could lock you out of using your service.

for example detect which network was connected to and re-configure the packet filter.

Firewalld is capable of this – it can switch zones depending on the current connection.

And while I think that is not a good argument at all, I feel protected enough by using the free software I do and roughly knowing how to use a computer. I don’t see a need to install a firewall just to feel better. Maybe that changes once my laptop is cluttered and I lose track of what software opens new ports.

There does still exist the risk of a vulnerability being pushed to whatever software that you use – this vulnerability would be essentially out of your control. This vulnerability could be used as a potential attack vector if all ports are available.

I’m currently learning about Web Application Firewalls. Maybe I’ll put ModSecurity in-front of my Nextcloud.

Interesting! I haven’t heard of this. Side note, out of curiosity, how did you go about installing your Nextcloud instance? Manual install? AIO? Snap?

I’m personally not a friend of that kind of legislation. If somebody uses my tools to commit a crime, I don’t think I should be held responsible for that.

It would be a rather difficult thing to prove – one could certainly just make the argument that you did, in that someone else that was on the guest network did something illegal. I would argue that it is most likely difficult to prove otherwise.

But this is a really difficult thing to protect from. If someone gets to push code on my computer that gets executed, I’m entirely out of luck. It could […] send data […].

Not necessarily. An application layer firewall, for example, could certainly get in the way of it trying to send data externally.

On the other hand it could happen not deliberately but just be vulnerable software.

Are you referring to a service leaving a port open that can be connected to from the network?

And then also run Lemmy, Matrix chat and a microblogging platform on it.

I’m definitely curious about the outcome of this – Matrix especially. Perhaps the new/alternative servers function a bit better now, but I’ve heard that, for Synapse at least, Matrix can be very demanding on hardware to run (from what I’ve heard, the issues mostly arise when one joins a larger server).

You’re considered a “disruptor” and can be held responsible, especially to stop that “disruption”.

Interesting. Do you mean “held responsible” to simply stop the disruption, or “held responsible” for the actions of/damage caused by the disruption?

If for example my Firefox were to be compromised and started not only talking to Firefox Sync to send the history to my phone, but also send my behavior and all the passwords I type in to a third party… How would the firewall know?

If it’s going to some undesirable domain, or IP, then you can block the request for that application. The exact capabilities of the application layer firewall certainly depend on the exact application layer firewall in question, but this is, at least, possible with OpenSnitch.

It’s just random outgoing encrypted traffic from its perspective.

For the actual content of the traffic, is this not the case with essentially all firewalls? They can’t see the content of the traffic if it is using TLS. You would need to somehow intercept the packet before it is encrypted on the device. I’m not aware of any firewall that has such a capability.

If you just click on ‘Allow’ there is no added benefit.

The exact level of fine-grain control heavily depends on the application layer firewall in question.

A maliciously crafted request or answer to your software can trigger it to fail and do something that it shouldn’t do.

Interesting.

I think now it’s just the first, plus they can ask for a fixed amount of money since by your neglect, you caused their lawyer to put in some effort.

I do, perhaps, somewhat understand this argument, but it still feels quite ridiculous to me.

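As an added illustration of the per-application egress control discussed in the replies above (this is example code written for this page, not code from the thread and not OpenSnitch’s implementation), the following Python models a rule set that keys on the process path and the destination host and port, evaluates first-match with a deny-by-default fallback, and matches hostnames only on a label boundary so that a look-alike domain does not satisfy a suffix rule. All process paths, hostnames and rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    """One outbound connection attempt as an application-layer firewall sees it."""
    process: str     # executable path of the process opening the socket
    dest_host: str   # destination hostname (or literal IP) the process asked for
    dest_port: int


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    process: Optional[str] = None       # exact executable path; None matches any process
    host_suffix: Optional[str] = None   # domain the destination must equal or be a subdomain of
    port: Optional[int] = None          # destination port; None matches any port

    def matches(self, conn: Connection) -> bool:
        if self.process is not None and conn.process != self.process:
            return False
        if self.host_suffix is not None:
            host = conn.dest_host.lower()
            suffix = self.host_suffix.lower()
            # Require a label boundary: "evilmozilla.com" must not match "mozilla.com".
            if not (host == suffix or host.endswith("." + suffix)):
                return False
        if self.port is not None and conn.dest_port != self.port:
            return False
        return True


def decide(rules: List[Rule], conn: Connection, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls through to the default."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return default


def audit(rules: List[Rule], conns: List[Connection]) -> List[Tuple[Connection, str]]:
    """Evaluate a batch of observed connections; useful for reviewing what a policy would block."""
    return [(conn, decide(rules, conn)) for conn in conns]


# Constructed policy (hypothetical paths and domains, chosen only for illustration):
# the browser may talk to its vendor's domains over HTTPS, the system resolver may
# send DNS, everything else is denied unless the user adds a rule.
RULES = [
    Rule("allow", process="/usr/lib/firefox/firefox", host_suffix="mozilla.com", port=443),
    Rule("allow", process="/usr/lib/firefox/firefox", host_suffix="mozilla.org", port=443),
    Rule("allow", process="/usr/lib/systemd/systemd-resolved", port=53),
]

# Constructed connection attempts, including the "compromised browser sends data to a
# third party" case from the thread and a look-alike domain.
SAMPLE_CONNECTIONS = [
    Connection("/usr/lib/firefox/firefox", "sync.services.mozilla.com", 443),
    Connection("/usr/lib/firefox/firefox", "collector.example.net", 443),
    Connection("/usr/lib/firefox/firefox", "evilmozilla.com", 443),
    Connection("/usr/bin/curl", "www.mozilla.com", 443),
    Connection("/usr/lib/systemd/systemd-resolved", "192.168.1.1", 53),
]


def count_denied(rules: List[Rule], conns: List[Connection]) -> int:
    return sum(1 for _, verdict in audit(rules, conns) if verdict == "deny")


if __name__ == "__main__":
    for conn, verdict in audit(RULES, SAMPLE_CONNECTIONS):
        print(f"{verdict:5s} {conn.process} -> {conn.dest_host}:{conn.dest_port}")
```

The model makes the point in the thread concrete: the firewall never sees inside the TLS stream, but it does see which local executable is connecting to which name and port, and a per-process rule on the destination domain is enough to stop the third-party upload while leaving the legitimate sync traffic alone. The value of the approach rests on the default and on the rules the user actually writes; a policy that allows everything on prompt gives the same answer as having no rules at all.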

You still running into trouble?

Yes.

Are you able to run ss -alnp as root?

I have already tried checking if something is listening on 53 in about 10 different ways. That command yields the same outcome as before — nothing appears to be listening on 53.

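The exchange above checks whether anything is bound to port 53 with `ss -alnp`. As an added example (written for this page, not code from the thread), the following Python parses that command’s output into a list of listening sockets so the check can be repeated or scripted, and it also answers the earlier worry about losing track of which software opens new ports by comparing the listeners against an allow-list of expected process names. The `ss` output embedded below is constructed for the example, not captured from a real host; when `ss` is run without root, the process column is empty for other users’ sockets, which the parser reports as `"?"`.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample of `ss -alnp` output (not captured from a real machine).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
u_str LISTEN 0      4096   /run/dbus/system_bus_socket 12345 * 0 users:(("dbus-daemon",pid=401,fd=3))
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*         users:(("dhcpcd",pid=430,fd=8))
tcp   LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=14))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=899,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=899,fd=4))
tcp   ESTAB  0      0      192.168.1.10:44210  192.168.1.1:443   users:(("firefox",pid=1501,fd=77))
"""

PROCESS_RE = re.compile(r'"([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp"
    address: str    # local address as printed by ss, e.g. "0.0.0.0", "[::]", "127.0.0.53%lo"
    port: int
    process: str    # process name, or "?" when ss could not show it (e.g. not run as root)
    pid: int        # -1 when unknown


def parse_listeners(ss_output: str) -> List[Listener]:
    """Return the TCP sockets in LISTEN and the bound UDP sockets (UNCONN) from `ss -alnp` output."""
    result = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header and unix-domain sockets (netid u_str/u_dgr/...); they have different columns.
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        netid, state = fields[0], fields[1]
        # TCP accepts connections only in LISTEN; UDP has no listen state, so a bound,
        # unconnected socket (UNCONN) is the equivalent. Established sockets are not listeners.
        if (netid == "tcp" and state != "LISTEN") or (netid == "udp" and state != "UNCONN"):
            continue
        # rpartition keeps IPv6 brackets and the %interface scope intact in the address part.
        address, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        process_field = fields[6] if len(fields) > 6 else ""
        match = PROCESS_RE.search(process_field)
        process, pid = (match.group(1), int(match.group(2))) if match else ("?", -1)
        result.append(Listener(netid, address, int(port), process, pid))
    return result


def listeners_on_port(ss_output: str, port: int) -> List[Listener]:
    """The check from the thread: who, if anyone, is bound to the given port."""
    return [l for l in parse_listeners(ss_output) if l.port == port]


def unexpected_listeners(ss_output: str, allowed_processes: Set[str]) -> List[Listener]:
    """Listening sockets owned by processes that are not on the expected list."""
    return [l for l in parse_listeners(ss_output) if l.process not in allowed_processes]


if __name__ == "__main__":
    for l in listeners_on_port(SAMPLE_SS_OUTPUT, 53):
        print(f"{l.proto} {l.address}:{l.port} {l.process} (pid {l.pid})")
    for l in unexpected_listeners(SAMPLE_SS_OUTPUT, {"sshd", "systemd-resolve"}):
        print(f"unexpected: {l.proto} {l.address}:{l.port} {l.process}")
```

To run it against a live system, replace `SAMPLE_SS_OUTPUT` with the output of `subprocess.run(["ss", "-alnp"], capture_output=True, text=True).stdout`, executed as root so that the process column is populated. Note that a listener on `127.0.0.53%lo:53` (as in the constructed sample) only answers on the loopback interface, which is the usual systemd-resolved stub; a resolver intended for other devices on the LAN has to be bound to a routable address or to `0.0.0.0`, which is the first thing to check when "nothing appears to be listening on 53" from another host.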

I use a script that shows new Arch news messages, updates the mirrorlist with the fastest mirrors in my country, updates repo packages, updates aur packages, then prints created .pacnew and .pacsave files as well as orphaned and dropped packages.

Would you mind sharing that script?

There’s already an issue open for this.

Ha, that username is apparently not allowed. They require that a username contain at least one letter.
