Hey there folks,
I’m trying to figure out how to configure my UFW, and I’m just not sure where to start. What can I do to see the intetnet traffic from individual apps so I can know what I might want to block? This is just my personal computer and I’m a total newbie to configuring firewalls so I’m just not sure how to go about it. Most online guides seem to assume one already knows what they want to block but I don’t even know how/where to monitor local traffic to figure out what I can/should consider blocking.
By default it should be configured to allow all outgoing, and block all incoming. That’s perfectly fine for a desktop/laptop and you don’t need to mess with it.
You can’t really do that much outgoing filtering with a firewall that will be useful, because basically everything operates on port 80/443, and often connects to the same CDNs or datacenter IPs for multiple services.
Instead DNS blocking is a much more effective way to handle it, plus uBlock Origin in your browser.
Worth noting that if you’re trying to block telemetery or ads or things like that, using an adblocking dns is probably the better option. Either through a pihole on your network or some online adblocking dns.
Other than that, if you’re looking for one because you think you “need” one, don’t worry too much if it’s just a personal computer connected to a router. Most distros ship with sensible defaults for security.
If you actually want to use a firewall, block all incoming and allow all outgoing is a reasonable rule of thumb if you aren’t running a server. Note that “block incoming” doesn’t block connections that the system itself started.
This seems to be some of the most worthwhile advice. I do use a pretty reasonable DNS client (NextDNS) and it allows me to configure some useful filters and such, and when I’m browsing the internet I also use uBlock Origin and manually allow any third party content one by one.
I did configure UFW to block incoming and allow outgoing, and that should be more than enough for me. I think I’m a pretty “standard” user in the sense that I would make a fairly average target for a would-be attacker. It’s not like I own a web server with goodies worth exploiting.
A part of me really wants to learn more because at some point I’ll have my own router that I’ll want to ensure is configured properly because I’ll likely end up making my own server for media stuff.
Thank you for your reply!
Blocking incoming traffic and accepting outgoing traffic is usually the default for distributions anyway.
What can I do to see the intetnet traffic from individual apps
what I might want to block?
One strategy is to block everything, and open ports as needed. Beware that most guides focus on inbound traffic, whereas you seem to be focusing on outbound traffic.
wireshark does not work for individual apps, it cannot make a difference between traffic of process a and b.
You’ve got it backwards. A firewall blocks everything, then you open up the ports you want to use. A standard config would allow everything going out, and block everything coming in (unless you initiated that connection, then it is allowed).
So the question you should be asking, is what services do you think you’re going to be running on your desktop that you plan to allow anyone on the internet to get to?
no, not really. on linux that depends on the default policy of the corresponding chains, so it’s configurable. I don’t think all common distros default to reject either.
You should block everything, except the things you want to get through. A firewall (at least in Linux) blocks everything inbound by default.
A firewall (at least in Linux) blocks everything inbound by default.
are you sure? I thought that at least UFW allows through some common LAN services
A firewall by default blocks everything coming from outside going in (without being requested).
Firewalls can also block traffic going out from your PC to the internet. In a company where you need to protect against data exfiltration by employees, and as a last resort safeguard against malware communicating with outside servers, you want that. In that case, a security expert makes a detailed plan of all installed software, to determine what needs to connect from which internal IP to which external IP over which port. Then all other outbound traffic is blocked. This needs to be adjusted constantly, every time a new software is installed or an update changes a software’s requirements. It’s a full-time job.On a home PC running Linux, that’s absolute overkill. There are no untrusted users in your home and you’re probably not the target for a directed attack by skilled actors. So just leave ufw on default, which blocks all inbound traffic and allows all outbound.
UFW
This is just my personal computer and I’m a newbie to configure firewalls
Leave it alone.
If you want to experiment, set up a VM and experiment there.
Also, if you want to learn about Linux firewalls, go for iptables instead. UFW is easier, yes, but you won’t get the standard way of configuring a Linux firewall, though to be honest, unless you are directly connecting the computer to the internet, you probably won’t need to bother.
And if you are working in an environment where you are dealing with a segmented network with limited access between segments, they will probably already use a separate firewall that is easier to manage centrally than induvidual firewalls running on individual computers
I think it’s fine to start with UFW on a desktop system at home to learn the very basics and get an idea on what ports you actually need. learning iptables/nftables is useful, but not necessary for a simple user at that level
if you want to learn about Linux firewalls, go for iptables instead.
I’d suggest learning nftables might be more fruitful nowadays.
I think you might be looking for something like OpenSnitch.
You shouldn’t be touching it, honestly. There’s a firewall at your router. It should be responsible for blocking incoming traffic. Firewalls on individual machines are for servers where you know exactly what’s going in and out. I don’t have a firewall on my desktop or laptop.
You will spend the best years of your life chasing random network connections if you block everything by default.
I don’t have a firewall on my desktop or laptop
you are brave to use your laptop that way. or is it used as a stationary device?
but yes it is useful at home if you live with people who you don’t trust to be managing their computer safely
you are brave to use your laptop that way
why? I don’t connect it to untrusted networks
run
sudo ss -tulpn, and have a look at the processes and their privileges listening for incoming connections. If one of them has a vulnerability, through which a third party can make that software do things it was not intended for… that’s pretty bad.
This can most easily happen with software whose developers are underresouced/careless/stubborn.A recent case of that happening: https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
Tl;Dr, remote code execution vulnerability in software that most often runs as root, automatically.I understand your point but I reiterate that I don’t connect to unsafe networks. If someone has remote code execution on a device on my side of the network then they are also inside my apartment and I’d be more worried about that.