Question about Firewall

I was messing with ChatGPT, and decided that I wanted to make sure my firewall rules on Fedora were set up right out of the box.

I did sudo firewall-cmd --list-all and that output

FedoraWorkstation (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: enp4s0
  sources: 
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

ChatGPT is saying this isn’t safe, because all those ports are open that are listed. Is this true? Is this how it’s supposed to be set up? I haven’t changed any firewall rules, so I feel like all incoming connections should still be blocked? I just want to make sure my PC is as secure as possible, while still working.

It will benefit you now and in the future if you put away the LLMs and treat them as a toy.

Instead, look up Fedora Docs and other high quality tutorials and work out for yourself how to configure your firewall.

I don’t mean to be rude, we will help you with any issues after you do this.

2 Likes

To me this seems to be correct. It only blocks the port numbers below 1025, which in the old days are the privileged ports. Also, it doesn’t distinguish between connection attempts from the local network and the general internet. Thus, you will need another firewall on your modem-router to block external connection attempts.

You can read more about the default setting here:

If you want, you can close those ports with:

sudo firewall-cmd --permanent --zone=FedoraWorkstation \
  --remove-port=1025-65535/tcp \
  --remove-port=1025-65535/udp

However, some applications, like LocalSend, will stop working. In that case, you will need to open the specific ports manually.

1 Like

Here is my output from the same command, on a Fedora default firewall installed from ‘custom’ netinstall.

public (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: wlp0s12f0
  sources: 
  services: dhcpv6-client mdns ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

I noticed in that post. Someone from the packaging team talks about how there are no firewalls more similar to “Windows Firewall, where the user is prompted to allow particular applications to access the network.”

That was 5 years ago though, has that changed? Is there anything more like that set up on Linux these days, where I can close all ports and only allow certain programs when asked?

Security is not a yes/no question.
What matters is what you require to be secure against.
If your system is a desktop in your house behind a router/firewall that is not the same problem as a laptop in a public space.

What is your requirement? This is also what security people call the “threat model”.

It’s a desktop behind a router, but I am currently behind a router my ISP gave me, since my old router broke and I am waiting for a sale on the router that I want. That is why I was looking into the firewall, because I don’t have any control over this router that my PC is plugged into and wanted to make sure my desktop is as secure as possible, just in case the ISP router is lacking in that regard.

I set it up in this way:

block (default, active)
  target: %%REJECT%%
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: lo
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

trusted (active)
  target: ACCEPT
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 192.168.0.0/16 xxxx:xxxx:xxxx:xxxx::/64 fc00::/6
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

which blocks everything except connections from local IP addresses.

Portmaster and OpenSnitch are the two I’m aware of. There may be more, and I think Portmaster is “freemium”, so there may be cash involved for the full feature set.

You can change the default zone to a more restricted one if you don’t trust the router:

sudo firewall-cmd --set-default-zone=public
sudo firewall-cmd --reload

Keep in mind that some apps like GNOME file sharing depend on this setting.

2 Likes
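To make the difference between these zone layouts concrete, here is an added example (my own code for this thread, not firewalld's and not from any poster) that parses the --list-all text quoted above and applies firewalld's zone selection order (source-bound zones, then interface-bound zones, then the default zone) and the zone targets to a few probe packets. The service table is a hand-written subset of firewalld's service definitions with their destination restrictions dropped, and the three sample zone texts are constructed from the outputs posted earlier, with the poster's redacted IPv6 prefix left out.

```python
"""Decide what firewalld does with an inbound packet, from `firewall-cmd --list-all`
text. Added example for this thread, not firewalld's code: zone selection and the
service table are simplified (see comments)."""
import ipaddress

# Hand-written subset of firewalld's service definitions (/usr/lib/firewalld/services/*.xml),
# reduced to protocol/port. The destination restrictions the real ones carry (mdns to
# 224.0.0.251/ff02::fb, dhcpv6-client to fe80::/64) are dropped, so this is a bit permissive.
SERVICE_PORTS = {
    "ssh": [("tcp", 22, 22)],
    "dhcpv6-client": [("udp", 546, 546)],
    "mdns": [("udp", 5353, 5353)],
    "samba-client": [("udp", 137, 138)],
}

def parse_port_spec(spec):
    """'1025-65535/tcp' -> ('tcp', 1025, 65535); '22/tcp' -> ('tcp', 22, 22)."""
    ports, proto = spec.split("/")
    lo, _, hi = ports.partition("-")
    return proto, int(lo), int(hi or lo)

def parse_zones(text):
    """Parse --list-all / --list-all-zones text into {zone: fields}; unread fields are skipped."""
    zones, zone = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # zone header, e.g. 'public (default, active)'
            name, _, flags = line.partition(" ")
            zone = zones[name] = {"default": "default" in flags, "target": "default",
                                  "interfaces": [], "sources": [], "services": [], "ports": []}
            continue
        key, _, value = line.strip().partition(":")
        if key in ("interfaces", "sources", "services", "ports"):
            zone[key] = value.split()
        elif key == "target":
            zone["target"] = value.strip()
    return zones

def select_zone(zones, src_ip, iface):
    """firewalld tries source-bound zones first, then interface-bound zones, then the default zone."""
    ip = ipaddress.ip_address(src_ip)
    for name, zone in zones.items():
        for src in zone["sources"]:
            try:
                if ip in ipaddress.ip_network(src, strict=False):
                    return name
            except ValueError:  # a redacted prefix like xxxx:xxxx::/64 cannot be matched
                continue
    for name, zone in zones.items():
        if iface in zone["interfaces"]:
            return name
    return next(name for name, zone in zones.items() if zone["default"])

def verdict(zones, src_ip, iface, proto, dport):
    """Return (zone, action) for an inbound proto/dport packet from src_ip arriving on iface."""
    name = select_zone(zones, src_ip, iface)
    zone = zones[name]
    if zone["target"] in ("ACCEPT", "DROP"):
        return name, zone["target"]
    if zone["target"] == "%%REJECT%%":
        return name, "REJECT"
    # target 'default': only the listed services and ports get through, the rest is rejected
    openings = [parse_port_spec(p) for p in zone["ports"]]
    for service in zone["services"]:
        openings += SERVICE_PORTS.get(service, [])
    if any(p == proto and lo <= dport <= hi for p, lo, hi in openings):
        return name, "ACCEPT"
    return name, "REJECT"

# Zone texts constructed from the outputs posted in this thread (only the fields read
# above are kept; the poster's redacted IPv6 prefix is left out).
WORKSTATION = """\
FedoraWorkstation (default, active)
  target: default
  interfaces: enp4s0
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
"""
PUBLIC = """\
public (default, active)
  target: default
  interfaces: wlp0s12f0
  services: dhcpv6-client mdns ssh
"""
LOCKED_DOWN = """\
block (default, active)
  target: %%REJECT%%
  interfaces: lo
trusted (active)
  target: ACCEPT
  sources: 192.168.0.0/16 fc00::/6
"""

if __name__ == "__main__":
    probes = [("203.0.113.5", "tcp", 44332), ("203.0.113.5", "tcp", 22),
              ("192.168.1.10", "tcp", 44332), ("fd12::1", "udp", 5353)]
    for label, text in (("FedoraWorkstation", WORKSTATION), ("public", PUBLIC),
                        ("block+trusted", LOCKED_DOWN)):
        zones = parse_zones(text)
        for src, proto, port in probes:
            print(f"{label:18} {src:>13} -> {port}/{proto}: {verdict(zones, src, 'enp4s0', proto, port)}")
```

Running it shows the three layouts side by side: with the FedoraWorkstation zone a packet to 44332/tcp from 203.0.113.5 is accepted because it falls inside 1025-65535/tcp, with public the same packet is rejected (only ssh, mdns and dhcpv6-client are listed), and with the block/trusted layout nothing gets through unless the source is inside 192.168.0.0/16 or fc00::/6.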

I’ll have to try that out and see if it breaks anything I use. I don’t use GNOME file sharing. I mostly just play some games on Steam, browse the web via Firefox and maybe download some stuff off Usenet. Will all that still work or do ports have to be open for that? I’m no expert when it comes to networking if I am being honest.

I know about Portmaster, because IVPN bought them. If I started using that instead of firewalld would it break pretty much everything in Fedora? lol

Unless you told it to start blocking ports without considering what the consequences would be, it would likely have no effect at all.

Inbound ports which have nothing listening are like a door to a black hole. The rest of the internet can fire as much data as it likes at port 44332 but if I have nothing listening on port 44332 the impact is zero, other than my LAN bandwidth being consumed. Ergo, if you want to block traffic from the outside world, drop it at your router so it never gets onto your LAN in the first place.

All of your actions above demonstrate that you are initiating outbound traffic, so that will likely be entirely unaffected by closing down vast swathes of port ranges.

Most of these tools don’t implement a firewall themselves. They configure the installed firewall to open and close ports based on what you tell it… For example, if I run Glasswire on a Windows desktop, it’s merely adding entries into the firewall rules (which themselves are just entries in the registry) saying “Always permit this” and “deny that unless it’s from this IP range”. The Windows firewall is still doing its job - you just have a pretty front end to help you fiddle with it. I assume OpenSnitch and PortMaster are doing the same thing.

1 Like

I think Linux firewalls are designed so that applications cannot control firewall rules. Therefore, there is no such firewall implementation, and if an application needs to open a specific port, you still have to configure it manually.

It is probably a modem not a router then.

Check the underside just to make sure there are no config addresses though

No, but you have to configure it

Steve (@anothermindbomb) already mentioned two options.

However, I am not sure what you are trying to accomplish here. Are you looking to control/filter incoming or outgoing connections? In either case, a firewall wouldn’t be my first choice. If it’s for incoming connections, why start a service and let it bind to a port if you didn’t want that? Don’t start the service or have it bind to 127.0.0.1 instead of 0.0.0.0. And for outgoing, pretty much the same question, why run an application that you don’t trust?

Also, one thing to consider about this type of host-based firewall that asks for user confirmation: most bad actors don’t name their binaries evil-ransomware or something similarly obvious. And I question if most people would have the presence of mind to deny a connection if the binary /tmp/update-os wants to establish a connection.
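The last few replies make two points worth checking on a real box: an open firewall port with nothing listening behind it does no harm, and what matters is which services bind to all addresses (0.0.0.0 or ::) rather than to 127.0.0.1. Here is an added example (my own code for this thread, not from any poster or tool) that joins constructed `ss -Hlntup` output with the FedoraWorkstation openings posted at the top and classifies each listener, then repeats the check after the --remove-port commands suggested earlier. The process names and pids in the sample are made up, and 53317 is assumed to be LocalSend's default port; the service table is a hand-written subset of firewalld's service definitions.

```python
"""Cross-check what is actually listening (ss output) against what the firewall lets in.
Added example for this thread, not part of any tool: the ss lines are constructed and the
firewall openings are those of the FedoraWorkstation zone posted above."""
import ipaddress
import re

# Hand-written subset of firewalld's service definitions, reduced to protocol/port.
SERVICE_PORTS = {"ssh": [("tcp", 22, 22)], "dhcpv6-client": [("udp", 546, 546)],
                 "samba-client": [("udp", 137, 138)], "mdns": [("udp", 5353, 5353)]}

def openings(services, port_specs):
    """Expand a zone's 'services:' and 'ports:' entries into (proto, lo, hi) ranges."""
    ranges = []
    for service in services:
        ranges += SERVICE_PORTS.get(service, [])
    for spec in port_specs:  # '1025-65535/tcp' or '22/tcp'
        ports, proto = spec.split("/")
        lo, _, hi = ports.partition("-")
        ranges.append((proto, int(lo), int(hi or lo)))
    return ranges

def parse_ss(text):
    """Parse `ss -Hlntup` lines into (proto, bind_addr, port, process)."""
    sockets = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, _, port = cols[4].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # '[::]' -> '::', '0.0.0.0%virbr0' -> '0.0.0.0'
        proc = re.search(r'"([^"]+)"', line)
        sockets.append((cols[0], addr, int(port), proc.group(1) if proc else "?"))
    return sockets

def bound_scope(addr):
    """Wildcard binds are reachable on every interface; loopback binds never leave the host."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all-addresses"
    return "loopback" if ipaddress.ip_address(addr).is_loopback else "specific-address"

def audit(ss_text, ranges):
    """Classify each listener as loopback-only, firewalled, or exposed (reachable from the wire)."""
    report = []
    for proto, addr, port, proc in parse_ss(ss_text):
        if bound_scope(addr) == "loopback":
            status = "loopback-only"
        elif any(p == proto and lo <= port <= hi for p, lo, hi in ranges):
            status = "exposed"
        else:
            status = "firewalled"
        report.append((proc, f"{port}/{proto}", addr, status))
    return report

def open_but_silent(ss_text, ranges):
    """Count firewall-open ports with nothing listening behind them: noise, not attack surface."""
    listening = {(p, port) for p, addr, port, _ in parse_ss(ss_text) if bound_scope(addr) != "loopback"}
    return sum(1 for proto, lo, hi in ranges
               for port in range(lo, hi + 1) if (proto, port) not in listening)

# Constructed `ss -Hlntup` output for a desktop like the one in the thread (process names
# and pids are made up; 53317 is assumed to be LocalSend's default port).
SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=1029,fd=3))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=1029,fd=4))
tcp   LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*    users:(("cupsd",pid=950,fd=7))
tcp   LISTEN 0      4096           [::1]:631          [::]:*    users:(("cupsd",pid=950,fd=8))
tcp   LISTEN 0      5            0.0.0.0:53317     0.0.0.0:*    users:(("localsend",pid=2211,fd=20))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=1310,fd=6))
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=900,fd=12))
"""

# The FedoraWorkstation zone as posted, and the same zone after the --remove-port commands.
BEFORE = openings(["dhcpv6-client", "samba-client", "ssh"], ["1025-65535/udp", "1025-65535/tcp"])
AFTER = openings(["dhcpv6-client", "samba-client", "ssh"], [])

if __name__ == "__main__":
    for label, ranges in (("as posted", BEFORE), ("after --remove-port", AFTER)):
        print(f"== {label}: {open_but_silent(SS_OUTPUT, ranges)} open ports with no listener")
        for proc, port, addr, status in audit(SS_OUTPUT, ranges):
            print(f"  {proc:13} {port:>11} bound to {addr:10} {status}")
```

The "exposed" rows are the only real attack surface on the host: sshd, LocalSend and avahi as posted, and only sshd once the 1025-65535 ranges are removed (which is exactly why LocalSend stops working at that point). CUPS on 127.0.0.1 never appears in either list, and the tens of thousands of open ports with no listener are counted but not flagged. To run it against a live machine, replace SS_OUTPUT with the real `ss -Hlntup` text and feed `openings()` the services and ports lines of the active zone.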