This question is asked consistently on Ubuntu Forums. I am hoping that I can create something of a generally accepted answer that contains all the necessary links to appropriate resources.
- So the question posed: Do I need a firewall for Ubuntu? Truthfully, this is a subjective question. Ultimately it depends on your tolerance for risk and your use case. However, since it is impossible to tailor this discussion to fit everyone's needs, we will focus on a model that is in line with best practices. What I want to address are some assumptions, or misunderstandings, about firewall methodology in general and in regard to Ubuntu Linux.
What firewall does Ubuntu have?
- Ubuntu, like every Linux distribution built on the 2.4 kernel or later, comes with the netfilter/iptables framework (the 2.2 kernel used the older ipchains). netfilter is a set of kernel hooks and modules that filter packets inside the kernel; iptables is the userspace tool and rule syntax used to load rules into those hooks. In other words, iptables rules are the means of conveying filtering instructions to netfilter, and in essence to the Linux kernel.
Ubuntu also includes an application called Uncomplicated Firewall (UFW). UFW is a userspace front end that translates simple commands into iptables rules. There is also a GUI for UFW called Gufw, which provides a graphical interface on top of it. Again, remember that UFW is simply writing iptables rules and handing them to netfilter, and thus to the kernel; it is NOT a firewall in and of itself. There are other applications, such as Firestarter, that cover essentially the same ground as UFW. The Firestarter project is no longer developed and was bug prone even when it was actively maintained. I do not recommend it, and since it is not the default it will not be covered here. It is important to know that there is nothing Firestarter can do that you cannot do with either UFW or by interacting directly with iptables. You also need to realize that Ubuntu's firewall is installed but not enabled by default: UFW ships inactive, with no rules loaded, until you enable it.
I have no open ports, so I don't need a firewall, right?
- Well, not really. This is a common misconception. First, let us understand what an open port actually is. An open port is a port that has a service (such as SSH) bound to it and listening. When an SSH client wants to talk to the SSH server it sends a TCP SYN packet to the SSH port (22 by default); the server answers with a SYN/ACK, the client ACKs that, and the three-way handshake has created a new connection. The misconception about how a firewall helps you begins here. Some users assume that since they are running no services, no connection can be made to their machine, so they do not need a firewall. If that were the only thing to consider, the reasoning would be sound. However, it is only part of the picture. Two additional factors come into play. First, if you forgo a firewall on the basis that you have no open ports, you are crippling your own defence: if an application you do run is exploited and the attacker gains code execution, that process can create a new socket and bind it to an arbitrary port (a so-called bind shell), and without a firewall that new listener is immediately reachable. Second, without a firewall you have no outbound traffic control whatsoever. After exploiting an application, instead of opening a listening port, an attacker can have the compromised process initiate a reverse connection back to a machine they control. Without any firewall rules in place that connection goes through unhindered.
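Before deciding you have "no open ports", it is worth actually checking. The following is an added example, not part of the original post: a small POSIX shell function that reads the output of `ss -tulnH` (TCP and UDP listeners, numeric, no header) and reports only the sockets bound to a non-loopback address, which are the ones reachable from the network. The sample `ss` output is constructed for the example, not captured from a real machine.

```shell
#!/bin/sh
# Added example: list sockets listening on a non-loopback address, i.e. the
# "open ports" in the sense used above. On a live host run:
#   ss -tulnH | exposed_listeners

exposed_listeners() {
  # Expects `ss -tulnH` lines on stdin:
  #   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
  awk '
    {
      proto = $1; local = $5
      n = split(local, parts, ":"); port = parts[n]
      addr = substr(local, 1, length(local) - length(port) - 1)
      sub(/%.*/, "", addr)      # strip an interface scope such as 127.0.0.53%lo
      loopback = (addr ~ /^127\./ || addr == "[::1]")
      if (!loopback) printf "%s/%s on %s\n", proto, port, addr
    }'
}

# Constructed sample (not from a real machine): sshd and a web server exposed
# on all interfaces; CUPS, systemd-resolved and PostgreSQL bound to loopback.
SAMPLE='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      511             [::]:80           [::]:*
tcp   LISTEN 0      128            [::1]:5432        [::]:*'

printf '%s\n' "$SAMPLE" | exposed_listeners
```

On the sample above this prints `tcp/22 on 0.0.0.0` and `tcp/80 on [::]`; the three loopback-only services are deliberately left out, because nothing outside the machine can reach them. An address of `0.0.0.0` or `[::]` means the service accepts connections on every interface. Bear in mind what the section above says: this list tells you what is listening right now, and says nothing about the socket a compromised process may open a minute later.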
- If you were setting up a desktop system with best practices in mind, you would want both strict inbound and strict outbound firewall rules: deny everything in, and allow out only the protocols the machine actually needs. This minimizes the impact of either a listening service being bound by an attacker or a reverse connection being initiated from your machine.
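As an added example of such a policy (this is not a ruleset from the original post), here is a POSIX shell function that configures UFW with deny-by-default in both directions and then allows only a short list of outbound services. The allowed ports (DNS, NTP, HTTP/HTTPS for browsing and apt, and outgoing SSH) are an assumption for a typical desktop; trim or extend them to match what your machine really uses. Setting `UFW_CMD=echo` prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: strict inbound + strict outbound UFW policy for a desktop.
# The allowed outbound ports are an assumption about a typical desktop.
# Preview without touching the firewall:
#   UFW_CMD=echo sh -c '. ./strict-ufw.sh; strict_desktop_policy'
# Apply for real (runs as root via sudo):
#   sh -c '. ./strict-ufw.sh; strict_desktop_policy'

: "${UFW_CMD:=sudo ufw}"

strict_desktop_policy() {
  # Start from a clean slate so stale allow rules do not survive.
  $UFW_CMD --force reset >/dev/null

  # Default policies: nothing in, nothing out, unless explicitly allowed.
  # Replies to connections we initiate are still permitted by ufw's built-in
  # ESTABLISHED,RELATED rule, and loopback traffic is allowed by the same
  # built-in rules, so neither needs an explicit entry here.
  $UFW_CMD default deny incoming
  $UFW_CMD default deny outgoing

  # Outbound services a desktop needs (assumed list; adjust to taste).
  $UFW_CMD allow out 53/udp  comment 'DNS'
  $UFW_CMD allow out 53/tcp  comment 'DNS over TCP'
  $UFW_CMD allow out 123/udp comment 'NTP'
  $UFW_CMD allow out 80/tcp  comment 'HTTP: browsing, apt mirrors'
  $UFW_CMD allow out 443/tcp comment 'HTTPS'
  $UFW_CMD allow out 22/tcp  comment 'SSH client to other hosts'

  # Deliberately no inbound allow rules: nothing on this desktop should be
  # reachable from the network. Add one (e.g. `allow in 22/tcp`) only if
  # you consciously run a server.

  # Log dropped packets at a modest rate so a blocked reverse connection
  # shows up in /var/log/ufw.log instead of failing silently.
  $UFW_CMD logging low
  $UFW_CMD --force enable
}
```

After applying it, `sudo ufw status verbose` should show `Default: deny (incoming), deny (outgoing)`, and `sudo iptables -S ufw-user-output` shows the iptables rules UFW generated from those commands, which is exactly the point made earlier: UFW only writes iptables rules. Two caveats: a deny-by-default outbound policy will break any program that uses a port not on the list until you add it, and port-based filtering cannot tell a reverse connection on 443/tcp from a normal HTTPS request, which is why the later sections add further layers rather than relying on the firewall alone.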
You just said I have no services listening so then how can an application become compromised?
- You need to understand what I (and others) mean by a listening service. A listening service is a persistent process waiting for incoming connections: SSH, Apache, MySQL, FTP, VNC, and a myriad of other services you may run. But even with none of those, your machine creates new connections many times every single day. In fact, loading this post alone caused your machine to open at least one new outbound connection, probably more. Now, for a moment, assume that this wasn't Ubuntu Forums but a malicious site you visited by accident. If that site were crafted to take advantage of a flaw in your browser, it could execute malicious code on your machine, and one likely outcome is that the code opens a connection to another machine so that machine can remotely control yours. Strong firewall rules can in some cases mitigate that risk: if the packets used to create that connection are dropped by your firewall, the connection never happens. Other examples you are likely exposed to are maliciously crafted media files, or a malicious ODT or PDF document. These are all common attack vectors, and something you are relatively likely to encounter. Our firewall can mitigate some of this, but there are ways around it. If you read the article referenced in the section about inbound and outbound rules, it demonstrated how even a strong firewall can be bypassed, for instance by tunnelling the reverse connection over a port you had to leave open, such as 443. A firewall is a great tool for stopping automated exploitation, but as that article showed, a dedicated attacker will find a way around it. Thankfully we have further tools at our disposal. We can contain what our applications can do using mandatory access control through AppArmor. AppArmor does not stop the exploit itself; what it does is confine an exploited application to its core functionality, so that even if your application is compromised, the attacker can in theory only do what the application's profile already permits it to do (read the files it normally reads, talk to the network only if it normally does, and so on).
Additionally, in terms of browser security, we can take another step by using a browser extension such as NoScript for Firefox or NotScripts for Chrome. Browser-based exploits are among the most serious threats to the average desktop user, and these add-ons go a long way toward limiting the ability of such an exploit to run in the first place. If you use all three of these methods, a strong firewall, mandatory access control, and browser add-ons, you have a three-layer approach to desktop security, which is preferable to any one of them alone: a potential attacker now has three layers to circumvent. This makes an opportunistic, automated attack very unlikely to succeed and greatly reduces the threat from an advanced attacker targeting you. You can go a step further by protecting your private data with encryption, but that is outside the scope of this discussion, so I will leave you to research it on your own.
Well, I'm behind a NAT router so none of this is for me, right?
- Wrong again. A NAT router is a great addition to your security, but as I have been emphasizing throughout this post, there is no catch-all solution. A NAT router prevents a service bound on your machine from being reachable from the Internet; in that respect it works a lot like the strict inbound-only rules discussed earlier in this post. It provides no protection against a reverse connection, which is initiated from the inside precisely to get past that kind of filtering. Another important point is that the NAT router's protection is not host based: if another machine on your local network is compromised, the router offers your machine no protection from it at all. Used in conjunction with the other measures discussed in this post, a NAT router is an excellent hardening measure; as a stand-alone solution it is lacking in many ways. Hopefully this has been educational and given you an idea of how you can use your firewall and other security tools to increase your level of protection.
Originally posted on The Ubuntu Forums (ubuntuforums.org)