No, you don’t. But it’s also not necessarily a bad idea if it’s not going to create issues for you.
Normally, a software package that wants to talk over IP and only wants to let local software communicate with it can listen only on loopback addresses (like 127.0.0.1). But I have definitely seen software packages that have defaulted to listening to the world (gpsd used to do this by default, for example, which would let anyone in the world who could talk to your machine see precisely where you were). Having a firewall makes the default to be secure – you know that the default is not to be reachable, regardless of what some software author thinks is a good idea.
Most home systems these days are generally behind a NATting router, which effectively firewalls them against the outside world (though maybe IPv6 will change this), so they can’t be directly reached from the outside anyway, unless a user has set up port forwarding on the router, the systems are effectively firewalled anyway, unless an attacker can get inside the network somehow.
It’s one more thing that you’re going to have to remember to deal with if you’re installing software and troubleshooting network problems. You install software package X and it isn’t reachable, you’re going to have to figure out how to diagnose problems. As long as this isn’t a problem for you…shrugs
I don’t personally run firewalls on my desktops. But I have also, over the years, occasionally checked netstat -ntap and discovered that a service that I thought only listened locally was listening to the world, gpsd probably being the most-flagrant example.
If I were not behind a router, or if I were forwarding all ports to my system, I would be firewalling my desktop systems.
On a dedicated server, I’d be less worried, because I’m not normally installing tons of random software on the thing. If you aren’t going to firewall it, though, be sure that you’ve checked to see what is listening on the server.
For example on systems based on Debian (running myself) which simply enables networked services by default running a firewall is a total no brainer. Same is true for literally every Linux distribution with dependency management.
Especially if someone asks, it is a strong indicator this person should run a firewall.
No, you don’t. But it’s also not necessarily a bad idea if it’s not going to create issues for you.
Normally, a software package that wants to talk over IP and only wants to let local software communicate with it can listen only on loopback addresses (like 127.0.0.1). But I have definitely seen software packages that have defaulted to listening to the world (gpsd used to do this by default, for example, which would let anyone in the world who could talk to your machine see precisely where you were). Having a firewall makes the default to be secure – you know that the default is not to be reachable, regardless of what some software author thinks is a good idea.
Most home systems these days are generally behind a NATting router, which effectively firewalls them against the outside world (though maybe IPv6 will change this), so they can’t be directly reached from the outside anyway, unless a user has set up port forwarding on the router, the systems are effectively firewalled anyway, unless an attacker can get inside the network somehow.
It’s one more thing that you’re going to have to remember to deal with if you’re installing software and troubleshooting network problems. You install software package X and it isn’t reachable, you’re going to have to figure out how to diagnose problems. As long as this isn’t a problem for you…shrugs
I don’t personally run firewalls on my desktops. But I have also, over the years, occasionally checked
netstat -ntapand discovered that a service that I thought only listened locally was listening to the world, gpsd probably being the most-flagrant example.If I were not behind a router, or if I were forwarding all ports to my system, I would be firewalling my desktop systems.
On a dedicated server, I’d be less worried, because I’m not normally installing tons of random software on the thing. If you aren’t going to firewall it, though, be sure that you’ve checked to see what is listening on the server.
I strongly disagree.
For example on systems based on Debian (running myself) which simply enables networked services by default running a firewall is a total no brainer. Same is true for literally every Linux distribution with dependency management.
Especially if someone asks, it is a strong indicator this person should run a firewall.