Seems like setting up your home internet is yet another rabbit hole. I'm interested in hearing if anyone is using a firewall for added security to their home network. Is it a must? Does it get messy running a node?
BTW a comprehensive guide from @davidw here: #385935
Poll results (16 votes):
Absolutely necessary! 25.0%
Yes 12.5%
No 56.3%
A what? 6.3%
417 sats \ 1 reply \ @nullcount 1 Jul
You will choose your firewall or one will be chosen for you. There is no avoiding this unless you want your network to be completely open to external connections (bad idea).
If you use the firewall built into your router, odds are that firewall is just the bare minimum in terms of features. If your router was provided by your ISP, odds are that router has a backdoor.
If you run a dedicated firewall operating system (pfSense, OPNsense, etc.), then you have access to advanced features, like the ability to configure a network-wide VPN, or to create subnets and VLANs to separate your trusted vs. untrusted devices and/or guest networks. You can also block domains known to serve ads, botnets and malware at the network level.
Just running your own firewall will not help with security very much (aside from removing any ISP-added backdoors).
To get the most out of a firewall requires leveraging the advanced features and practicing good security hygiene.
One major function of a firewall is the ability to port-forward. This is how you expose services running on your network to the public internet in a limited and secure way. However, these days, most people do not have a dedicated IP address that they can forward ports to. Rather, the ISPs use one public IP to serve many customers. Kinda like how many users share a UTXO in a custodial account.
If you want to expose a service publicly, but you don't have a dedicated IP, you have to use some kind of tunneling service (Cloudflare Tunnels, Tailscale Tunnels, etc.). Using tunnels does not require any port forwarding.
On a related note, if you run a public service, it's only a matter of time before you experience a DDoS. Until we get local AI models that can monitor and respond to traffic patterns in real time, we have tools like CrowdSec which curate blocklists from crowdsourced data and can be integrated with your firewall to block malicious traffic patterns.
On top of dedicated firewalls like the ones running on your router or server, there are also device-level firewalls. Every Windows PC has a firewall built in. On Debian, people use ufw (Uncomplicated Firewall) or other software to further restrict network traffic between devices.
Security is about adding layers of defense. Running a dedicated firewall is a great way to add a network-wide layer of control and protection that you can build on over time.
Does it get messy running a node?
No? Of course, if misconfigured, a firewall can lead to all kinds of issues.
I'll have to look more deeply into this.
Thanks for all the details
Generally, residential connections are behind some form of NAT from the modem/router, and therefore reaching into systems isn't possible without a specifically configured NAT forward.
Compromises also rarely come through the front door; they would punch out from behind a routine firewall config anyway after getting loaded through malware.
Firewalls are kinda like privacy tech, unless you really really understand what you're doing you're probably larping with one.
17 sats \ 0 replies \ @dtonon 1 Jul
You are right, the attack often starts from the inside; in fact, a firewall should also (or especially) be used to manage outbound connections. This helps to avoid both data leakage (simply pushing stuff to a remote host) and full remote control of the host by creating a tunnel.
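To make the two points above concrete (nullcount's "layers of defense" and dtonon's outbound filtering), here is an added toy packet filter that models a home node's policy: default-deny inbound, SSH only from the LAN, one deliberately exposed node port, and, in the second variant, an egress allowlist. It is illustration written for this thread, not code from any poster or from pfSense, OPNsense or ufw; the LAN range, the 8333 node port, the gateway address and all sample packets are constructed. Running it shows that the router-style "inbound-only" policy lets a compromised host's outbound beacon through, while the layered policy drops it.

```python
"""Toy first-match packet filter: inbound default-deny plus optional egress allowlist.

Added example for the thread above; not code from any firewall product.
All addresses, ports and rule names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Optional

LAN = ip_network("192.168.1.0/24")       # constructed home LAN
GATEWAY = ip_network("192.168.1.1/32")   # constructed router / DNS resolver
ANY = ip_network("0.0.0.0/0")
NODE_PORT = 8333                         # assumed P2P port of the exposed node


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected host
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    src: IPv4Network
    dst: IPv4Network
    dports: Optional[frozenset]   # None = any destination port
    proto: Optional[str]          # None = any protocol
    action: str                   # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.dports is None or p.dport in self.dports)
                and (self.proto is None or p.proto == self.proto))


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default action."""
    for r in rules:
        if r.matches(p):
            return f"{r.action}:{r.name}"
    return f"{default}:default"


def inbound_only_policy() -> List[Rule]:
    """Stock-router behaviour: filter inbound, let every outbound connection through."""
    return [
        Rule("ssh-from-lan", "in", LAN, ANY, frozenset({22}), "tcp", "allow"),
        Rule("node-p2p", "in", ANY, ANY, frozenset({NODE_PORT}), "tcp", "allow"),
        Rule("egress-any", "out", ANY, ANY, None, None, "allow"),
    ]


def layered_policy() -> List[Rule]:
    """Same inbound rules, but outbound is an allowlist; no catch-all egress rule."""
    return [
        Rule("ssh-from-lan", "in", LAN, ANY, frozenset({22}), "tcp", "allow"),
        Rule("node-p2p", "in", ANY, ANY, frozenset({NODE_PORT}), "tcp", "allow"),
        Rule("dns-out", "out", ANY, GATEWAY, frozenset({53}), "udp", "allow"),
        Rule("p2p-out", "out", ANY, ANY, frozenset({NODE_PORT}), "tcp", "allow"),
        Rule("https-out", "out", ANY, ANY, frozenset({443}), "tcp", "allow"),
    ]


# Constructed traffic samples seen by the node host at 192.168.1.50.
SAMPLES: Dict[str, Packet] = {
    "ssh_from_internet": Packet("in", "203.0.113.9", "192.168.1.50", 22),
    "ssh_from_lan": Packet("in", "192.168.1.20", "192.168.1.50", 22),
    "peer_connects": Packet("in", "198.51.100.7", "192.168.1.50", NODE_PORT),
    "peer_out": Packet("out", "192.168.1.50", "198.51.100.7", NODE_PORT),
    "beacon_out": Packet("out", "192.168.1.50", "203.0.113.9", 4444),
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample packet against a rule set."""
    return {name: evaluate(rules, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, policy in (("inbound-only", inbound_only_policy()),
                          ("layered", layered_policy())):
        print(label)
        for name, verdict in verdicts(policy).items():
            print(f"  {name:18} {verdict}")
```

The inbound side is identical in both variants, which is why the difference only shows up on `beacon_out`: the first policy answers `allow:egress-any`, the second `deny:default`. Real firewalls add state tracking (so replies to allowed outbound connections are admitted automatically) and logging of the default-deny hits, which is where the egress rules earn their keep as a detection signal.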
You should, but the implementation depends on your situation and setup.